
Steps to hack a network

caissyd
Hero Member
Location: Ottawa, Canada
Post Wed Jun 23, 2010 7:16 am

Steps to hack a network

Ok, here's the deal. I am having a hard time getting into many servers in the OSCP lab and I feel like a "chicken with no head"! Let me abstract the problem a bit. I have 2 questions:

1) Once you have enumerated a network, let's say there are 10 different servers, how do you proceed to exploit them? Time is precious and I feel like I go everywhere, try one service on server A, then try another service on server B, and so on. For example, do you try all FTP servers, then all HTTP servers, etc., or do you try all services on one machine and then go to the next one?

2) If you have a single host to root, how do you proceed? Would you go, in order (if applicable!):
a) Reconnaissance
b) Scanning (nmap, nessus, nikto)
c) Attack SMB, use metasploit, hydra
d) If c) didn't work out, Look for SQL injection vulnerabilities
e) If d) didn't work out, try fuzzing
f) ...

I'm stuck after c)... I know it really depends on which services are available on a server, but generally, how do you proceed?

I am tired...  :-\
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
sil
Hero Member
Location: ::1
Post Wed Jun 23, 2010 8:19 am

Re: Steps to hack a network

H1t M0nk3y wrote:
a) Reconnaissance
b) Scanning (nmap, nessus, nikto)
c) Attack SMB, use metasploit, hydra
d) If c) didn't work out, Look for SQL injection vulnerabilities
e) If d) didn't work out, try fuzzing
f) ...


Without giving away keys to the kingdom, here is how I would proceed...

1) Recon + Scanning
Don't always believe what you see during the recon phase and don't rely on the output of solely one scan. Check your parameters and fiddle with them. For example, nmap reports back the most common ports, usually between 1000 and 2000 services; however, that is a huge gap. Think big and tell nmap what services/ports YOU WANT to look for on both protocols, UDP and TCP.

2) Attack
Don't aim blindly at the servers with useless exploits. Create a targeted attack focused specifically on the machine and what it's running. For example, why would you shoot off Windows based attacks at a Linux machine? Every machine will have an exploitable service/program/script. Your goal is to find out *WHAT* is exploitable. Be creative:

  Code:
# nmap -sX 10.20.30.40 -v

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-06-23 08:24 EDT

The XMAS Scan took 34.76s to scan 1680 total ports.
Host misos (10.20.30.40) appears to be up ... good.
All 1680 scanned ports on misos (10.20.30.40) are open|filtered

Nmap finished: 1 IP address (1 host up) scanned in 35.105 seconds
               Raw packets sent: 3361 (134.442KB) | Rcvd: 1 (42B)

# nmap -sS 10.20.30.40 -v

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-06-23 08:26 EDT
The SYN Stealth Scan took 65.32s to scan 1680 total ports.
Host misos (10.20.30.40) appears to be up ... good.

PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure-sensor
912/tcp  open  unknown
1026/tcp open  LSA-or-nterm

Nmap finished: 1 IP address (1 host up) scanned in 65.668 seconds
               Raw packets sent: 5039 (221.714KB) | Rcvd: 20 (956B)

# nmap -sS 10.20.30.40 -p 1-60000 -v

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-06-23 08:27 EDT
The SYN Stealth Scan took 261.60s to scan 60000 total ports.
Host misos (10.20.30.40) appears to be up ... good.

PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
902/tcp   open  iss-realsecure-sensor
912/tcp   open  unknown
1026/tcp  open  LSA-or-nterm
1028/tcp  open  unknown
3865/tcp  open  unknown
5357/tcp  open  unknown
8222/tcp  open  unknown
8333/tcp  open  unknown
9127/tcp  open  unknown
9704/tcp  open  unknown
21112/tcp open  unknown
23791/tcp open  unknown
23943/tcp open  unknown

Nmap finished: 1 IP address (1 host up) scanned in 262.092 seconds
               Raw packets sent: 120028 (5.281MB) | Rcvd: 65 (3106B)


Same machine, three different outputs. As you can see, if I relied on a typical NMAP scan, all I would yield would be 7 services when there are 17 TCP based services running on this machine. So what are these other "unknown" services?

  Code:
telnet 10.20.30.40 5357
Trying 10.20.30.40...
Connected to 10.20.30.40.
Escape character is '^]'.
POST
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 23 Jun 2010 12:41:33 GMT
Connection: close
Content-Length: 326

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Verb</h2>
<hr><p>HTTP Error 400. The request verb is invalid.</p>
</BODY></HTML>
Connection closed by foreign host.


Since I own the machine, I know exactly what's running on it; however, let's assume I didn't. Let me Google it (http://seclists.org/pen-test/2008/Jul/130). Now I have more information to go on. From here, what do you do? You dig down for potentially exploitable code (dis)affecting that program. Fuzz that port and so on and so forth.

Enumeration 101 ... Again, be creative with your enumeration whether it's scanning, lists, etc. Create your own userlist, your own password lists. Are you solely relying on say three usernames? I'd use the top 50 common names as UID's. Try not to focus on the tools and their generic methods of working. The tools only do what you tell them to do. Your brain is the key.

Another post follows.
sil
Hero Member
Location: ::1
Post Wed Jun 23, 2010 8:31 am

Re: Steps to hack a network

Again, think a little outside the box:

  Code:
nmap -sSV -sR -PP -O 10.4.64.105 -p 80,135,139,445,902,912,1026,1028,3865,5357,8222,8333,9127,9704,21112,23791,23943 > Output

LONG OUTPUT OMITTED ...


==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port9704-TCP:V=4.11%I=7%D=6/23%Time=4C220721%P=i686-pc-linux-gnu%r(GetR
SF:equest,4E8D,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Wed,\x2023\x20Jun\x2020
SF:10\x2013:07:45\x20GMT\r\nServer:\x20Oracle\x20Containers\x20for\x20J2EE
SF:\r\nLast-Modified:\x20Tue,\x2020\x20Apr\x202010\x2018:23:20\x20GMT\r\nA
SF:ccept-Ranges:\x20bytes\r\nContent-Length:\x2019882\r\nConnection:\x20cl
SF:ose\r\nContent-Type:\x20text/html\r\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x2
SF:0\"-//W3C//DTD\x20HTML\x204\.01\x20Transitional//EN\">\n<html\x20lang=\
SF:"en,us\">\n\n<HEAD>\n\n\x20\x20\x20\x20<TITLE>Welcome\x20to\x20Oracle\x
SF:20Containers\x20for\x20J2EE\x2010g\x20\(10\.1\.3\.1\.0\)</TITLE>\n\n\x2
SF:0\x20\x20\x20<META\x20content=\"text/html;\x20charset=windows-1252\"\x2
SF:0http-equiv=Content-Type>\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\
SF:x20href=\"ohs_images/portals\.css\">\n</HEAD>\n<body\x20bgcolor=\"#FFFF
SF:FF\"\x20link=\"#663300\"\x20vlink=\"#996633\"\x20alink=\"#FF6600\"\x20t
SF:ext=\"#000000\">\n<span\x20style=\"font-size:\x201pt;\"><a\x20href=\"#p
SF:ortlets\"\x20title=\"List\x20topics\x20on\x20this\x20page\"><img\x20src
SF:=\"ohs_images/space\.gif\"\x20alt=\"Skip\x20tabs\"\x20height=1\x20width
SF:=1\x20align=\"right\"\x20border=0></a></span>\n\n<!--\x20tabs\x20-->\n<
SF:a\x20name=\"tabs\"></a>\n<table\x20summary=\"\"\x20width=\"100%\"\x20bo
SF:rder=\"0\"\x20cellspacing=\"0\"")%r(HTTPOptions,2A0A,"HTTP/1\.1\x20200\
SF:x20OK\r\nDate:\x20Wed,\x2023\x20Jun\x202010\x2013:07:46\x20GMT\r\nServe
SF:r:\x20Oracle\x20Containers\x20for\x20J2EE\r\nLast-Modified:\x20Tue,\x20
SF:20\x20Apr\x202010\x2018:23:20\x20GMT\r\nAccept-Ranges:\x20bytes\r\nCont
SF:ent-Length:\x2019882\r\nConnection:\x20close\r\nContent-Type:\x20text/h
SF:tml\r\nAllow:\x20GET,\x20HEAD,\x20OPTIONS,\x20TRACE\r\n\r\nHTTP/1\.1\x2
SF:0200\x20OK\r\nDate:\x20Wed,\x2023\x20Jun\x202010\x2013:07:46\x20GMT\r\n
SF:Server:\x20Oracle\x20Containers\x20for\x20J2EE\r\nLast-Modified:\x20Tue
SF:,\x2020\x20Apr\x202010\x2018:23:20\x20GMT\r\nAccept-Ranges:\x20bytes\r\
SF:nContent-Length:\x2019882\r\nConnection:\x20close\r\nContent-Type:\x20t
SF:ext/html\r\nAllow:\x20GET,\x20HEAD,\x20OPTIONS,\x20TRACE\r\n\r\n\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");


Kind of noisy, no? Clean it up:

  Code:
perl -p -e 's!x20! !g;s!SF:! !g;s!\\n!\n!g;s:\\: :g' /tmp/Output

==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port9704-TCP:V=4.11%I=7%D=6/23%Time=4C220721%P=i686-pc-linux-gnu%r(GetRequest,4E8D,"HTTP/1 .1  200  OK
Date:  Wed,  23  Jun  20 10  13:07:45  GMT
Server:  Oracle  Containers  for  J2EE
Last-Modified:  Tue,  20  Apr  2010  18:23:20  GMT
Accept-Ranges:  bytes
Content-Length:  19882
Connection:  close
Content-Type:  text/html

<!DOCTYPE  HTML  PUBLIC x2
 0 "-//W3C//DTD  HTML  4 .01  Transitional//EN ">
<html  lang="en,us ">

<HEAD>

<TITLE>Welcome  to  Oracle Containers  for  J2EE  10g   (10 .1 .3 .1 .0 )</TITLE>

<META  content= "text/html;  charset=windows-1252 "http-equiv=Content-Type>
        <link  rel= "stylesheet" href= "ohs_images/portals.css">
</HEAD>
(HTTPOptions,2A0A,"HTTP/1 .1  200  OK
Date:  Wed,  23  Jun  2010  13:07:46  GMT
Server:  Oracle  Containers  for  J2EE
Last-Modified:  Tue, 20 Apr 2010 18:23:20  GMT
Accept-Ranges:  bytes
Content-Length:  19882
Connection:  close
Content-Type:  text/html
Allow:  GET,  HEAD,  OPTIONS,  TRACE

HTTP/1 .1
200  OK
Date:  Wed,  23  Jun  2010  13:07:46  GMT

Server:  Oracle  Containers  for  J2EE
Last-Modified:  Tue, 20 Apr 2010  18:23:20 GMT
Accept-Ranges:  bytes
Content-Length:  19882
Connection:  close
Content-Type: text/html
Allow:  GET,  HEAD,  OPTIONS,  TRACE


I now have better information to work with. Stay focused on your goal. Find what's running, then focus on what might potentially break it instead of trying to throw the toolshed at it.
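The perl one-liner above substitutes on each wrapped line separately, so an escape that Nmap split across two SF: lines (the "\x2" at the end of one line and the "0" at the start of the next) comes out mangled, which is where the "20 10" and "x2 0" in the cleaned output come from. The parser below, an added example rather than sil's code or anything from Nmap, first joins the SF: continuation lines and only then decodes the escapes, so the probe responses are recovered byte for byte. SAMPLE_FINGERPRINT is a constructed, shortened block in the shape of the SF-Port9704-TCP one in the post, so the script runs offline; the function names are my own.

```python
"""Rebuild readable probe responses from an Nmap service-fingerprint block.

Added example for this thread (not sil's perl one-liner and not Nmap's own
code). SAMPLE_FINGERPRINT below is constructed: it follows the shape of the
SF-Port9704-TCP block in the post but is shortened so the script runs offline.
"""
import re

# Constructed sample. Note the "\x2" / "0" split across the 2nd and 3rd SF
# lines: Nmap wraps the fingerprint at a fixed width with no regard for escape
# boundaries, which is exactly what trips a line-at-a-time cleanup.
SAMPLE_FINGERPRINT = r"""
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port9704-TCP:V=4.11%I=7%D=6/23%Time=4C220721%P=i686-pc-linux-gnu%r(GetR
SF:equest,4E8D,"HTTP/1\.1\x20200\x20OK\r\nServer:\x20Oracle\x20Containers\x2
SF:0for\x20J2EE\r\n\r\n<TITLE>Welcome</TITLE>")%r(HTTPOptions,2A0A,"HTTP/1\.
SF:1\x20200\x20OK\r\nAllow:\x20GET,\x20HEAD\r\n\r\n\0\0");
"""

# %r(ProbeName,HexLength,"escaped response"): inside the quotes every char is
# either a plain non-quote/non-backslash character or a backslash escape.
_PROBE_RE = re.compile(r'%r\(([^,()]+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
# Nmap writes bytes as \xNN and regex-special characters as \<char>.
_ESCAPE_RE = re.compile(r'\\(x[0-9A-Fa-f]{2}|.)', re.DOTALL)
_NAMED_ESCAPES = {'r': b'\r', 'n': b'\n', 't': b'\t', '0': b'\0'}


def join_sf_lines(text):
    """Strip the SF-/SF: prefixes and concatenate the wrapped lines."""
    parts = []
    for line in text.splitlines():
        if line.startswith('SF-'):
            parts.append(line[3:])      # first line: "Port9704-TCP:V=..."
        elif line.startswith('SF:'):
            parts.append(line[3:])      # continuation lines
    return ''.join(parts)               # no separator: wraps fall mid-token


def unescape(s):
    """Decode Nmap's fingerprint escaping back to the raw response bytes."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE_RE.finditer(s):
        out += s[pos:m.start()].encode('latin-1')
        esc = m.group(1)
        if esc[0] == 'x' and len(esc) == 3:
            out.append(int(esc[1:], 16))
        elif esc in _NAMED_ESCAPES:
            out += _NAMED_ESCAPES[esc]
        else:
            out += esc.encode('latin-1')  # \. \( \" \\ etc. -> the literal char
        pos = m.end()
    out += s[pos:].encode('latin-1')
    return bytes(out)


def parse_fingerprint(text):
    """Return port, protocol, header fields and decoded per-probe responses."""
    joined = join_sf_lines(text)
    m = re.match(r'Port(\d+)-(TCP|UDP):(.*)$', joined, re.DOTALL)
    if not m:
        raise ValueError('no SF-Port header found')
    port, proto, body = int(m.group(1)), m.group(2), m.group(3)
    first_probe = body.find('%r(')
    header = body if first_probe < 0 else body[:first_probe]
    fields = dict(kv.split('=', 1) for kv in header.split('%') if '=' in kv)
    probes = {}
    for pm in _PROBE_RE.finditer(body):
        name, declared_len = pm.group(1), int(pm.group(2), 16)
        data = unescape(pm.group(3))
        probes[name] = {
            'declared_len': declared_len,
            'data': data,
            # Nmap keeps only the start of a long response, so the declared
            # length can exceed what the fingerprint actually holds.
            'truncated': len(data) < declared_len,
        }
    return {'port': port, 'proto': proto, 'fields': fields, 'probes': probes}


def render(fp):
    """Human-readable form, one section per probe."""
    lines = ['port %d/%s  nmap %s  scanner platform %s' % (
        fp['port'], fp['proto'].lower(),
        fp['fields'].get('V'), fp['fields'].get('P'))]
    for name, p in fp['probes'].items():
        note = ' (fingerprint holds only the start)' if p['truncated'] else ''
        lines.append('--- %s: %d bytes declared%s' % (name, p['declared_len'], note))
        lines.append(p['data'].decode('latin-1').replace('\0', '<NUL>'))
    return '\n'.join(lines)


if __name__ == '__main__':
    print(render(parse_fingerprint(SAMPLE_FINGERPRINT)))
```

Feed it the "NEXT SERVICE FINGERPRINT" block from a real scan (the part between the banner line and the trailing ";") and each probe comes out as the bytes the service actually sent, with the Server header and the HTML title intact, which is what you want to copy into your notes when the service name column says "unknown".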
caissyd
Hero Member
Location: Ottawa, Canada
Post Wed Jun 23, 2010 8:36 am

Re: Steps to hack a network

Sil, I am so humble right now!

Thanks a lot, I wasn't doing the right thing. Your examples are priceless!!!
I will keep you posted.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
caissyd
Hero Member
Location: Ottawa, Canada
Post Wed Jun 23, 2010 8:44 am

Re: Steps to hack a network

Another related question: If you find 10 services listening on a machine, I guess you try the easy stuff first, then you make your way up to the more "difficult" ones?!?

In Sil's example:
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure-sensor
912/tcp  open  unknown
1026/tcp open  LSA-or-nterm


Wouldn't you try these ones first and if you don't find anything, you continue scanning all the other ports (TCP and UDP)?

Or would you scan everything in depth (which I believe makes a lot of sense!), then try to attack the most common ones and finally go for the most difficult services?
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
sil
Hero Member
Location: ::1
Post Wed Jun 23, 2010 10:17 am

Re: Steps to hack a network

Low hanging fruit is often the easiest to pick ;) So for the sample scan you posted:

  Code:
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure-sensor
912/tcp  open  unknown
1026/tcp open  LSA-or-nterm


Thorough solution: (version_trace + -O)
  Code:
# nmap -sSV -sR -PP -O 10.20.30.40 -p 80 --version_trace

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-06-23 11:06 EDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  scan-delay: TCP 1000, UDP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
---------------------------------------------

Interesting ports on misos (10.20.30.40):
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS webserver 7.0


Personally... It would depend on the OS fingerprint ;) Is it Win2k, 2k3, XP, Vista? ... On 2K and 2K3, you're more likely to find SMB "exploitable" than you would on XP, Vista, 2008. So it all depends if you obtained a nice fingerprint.

Now, there are two things going on... There is the OSCP exam, and there is compromising a machine, recon, analysis...

  Code:
for i in `lynx --dump  "http://labs.google.com/sets?hl=en&q1=window&q2=unix&q3=&q4=&q5=&btn=Small+Set+%2815+items+or+fewer%29"|grep "\["|sed -n '3,10p'|awk -F ] '{print $2}'`
do
    echo /pentest/python/impacket-examples/rpcdump.py $i:$i@10.20.30.40 139/SMB|sh
    echo /pentest/python/impacket-examples/rpcdump.py $i:$i@10.20.30.40 135/TCP|sh
    echo /pentest/python/impacket-examples/rpcdump.py $i:$i@10.20.30.40 445/SMB|sh
done


Will yield you a lot of information on SMB processes, try it.. What you do with that information is up to you. You need to think like an attacker. Not solely based on the content of the exam. The goal is to compromise the machines by any means necessary. This does not stop you from using your own tools here.

In the case of low hanging fruit... Take note of the nmap syntax I re-use:

  Code:
root@axios:/pentest/exploits/framework3# ./msfconsole

#    # ###### #####   ##    ####  #####  #       ####  # #####
##  ## #        #    #  #  #      #    # #      #    # #   #
# ## # #####    #   #    #  ####  #    # #      #    # #   #
#    # #        #   ######      # #####  #      #    # #   #
#    # #        #   #    # #    # #      #      #    # #   #
#    # ######   #   #    #  ####  #      ######  ####  #   #


       =[ metasploit v3.4.1-dev [core:3.4 api:1.0]
+ -- --=[ 567 exploits - 271 auxiliary
+ -- --=[ 272 payloads - 26 encoders - 8 nops
       =[ svn r9532 updated 8 days ago (2010.06.15)

msf > db_driver sqlite3
[*] Using database driver sqlite3
msf > db_connect hitmonkeytest
[-] Note that sqlite is not supported due to numerous issues.
[-] It may work, but don't count on it
[*] Creating a new database file...
[*] Successfully connected to the database
[*] File: hitmonkeytest

msf > db_nmap -p 80,135,139,445,902,912,1026,1028,3865,5357,8222,8333,9127,9704,21112,23791,23943 10.20.30.40

Starting Nmap 5.00 ( http://nmap.org ) at 2010-06-23 10:28 EDT
Interesting ports on misos (10.20.30.40):
PORT      STATE    SERVICE
80/tcp    open     http
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
445/tcp   open     microsoft-ds
902/tcp   open     iss-realsecure
912/tcp   open     unknown
1026/tcp  open     LSA-or-nterm
1028/tcp  open     unknown
3865/tcp  open     unknown
5357/tcp  open     unknown
8222/tcp  open     unknown
8333/tcp  open     unknown
9127/tcp  filtered unknown
9704/tcp  filtered unknown
21112/tcp open     unknown
23791/tcp filtered unknown
23943/tcp filtered unknown
MAC Address: 00:14:C1:4C:53:DC (U.S. Robotics)

Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds
msf >


The low hanging fruit would be to try autopwn, but that would be the easy way out. Not only the easy way out, but you've accomplished nothing (besides, I don't believe you're allowed to use Metasploit or Autopwn during the exam... I don't recall). You've done your --version_trace, so you already know that there is no need to run ALL http based exploits against this machine anyway. Think about autopwn and how it will work. It's pointless, as an Apache exploit won't work on IIS7; secondly, it's noisy, so autopwn is useless. You DID get specifics on your scan: So you should perform a search on those specifics:

  Code:
msf > search oracle
[*] Searching loaded modules for pattern 'oracle'...


Remember, my recon told me Oracle was running here. So now I have a choice, I could tamper with Oracle, check exploit-db, CVSS lists, milw0rm, etc.

  Code:
# find /pentest/exploits/framework3/modules/exploits/windows|xargs grep 9127


No luck with finding an exploit that targets Oracle on that port (9127) or any other exploit that uses that port. It all depends on various factors when I perform a pentest. Usually I try not to rely too deeply on specific tools and when I do, I use them in lesser known methods. I've yet to see many people use tools like Scapy and even nmap at their finest usage. I suggest understanding the relationship between tools, ports, etc., before wandering aimlessly (and I don't mean that in a derogatory way).

When I did my recon for the exam,  I literally had Open Office open posting the output to ALL services I found on the servers. Then I began focusing on what I saw and ONLY what I saw in regards to versions, the operating system running those versions, etc. Same applies to my real world work. When I do recon now, I try to get EVERY little morsel of information I can from every possible source before I even think of an exploitable method for those processes.

http://www.google.com/search?q=oracle+9 ... icial&sa=2

Why lookie here: http://netifera.com/research/ (POET). You won't get that information from the content on the OSCP, but I don't believe there is anything telling you that you CAN'T use other tools. I do believe though that you can't use metasploit, autopwn and or Core Impact and or Canvas. (That is of course if you have Core or Canvas.) Things may have changed, though; I took the exam in 07 or 08 (don't remember).
caissyd
Hero Member
Location: Ottawa, Canada
Post Wed Jun 23, 2010 12:32 pm

Re: Steps to hack a network

Sil, I have to pay you a beer!!!  :D

I will spend as much time as I can in the next few days applying these words of wisdom in the lab!!!

I can't try anything at work today, but I can't wait to be home!!!

I really appreciate your comments...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
Ignatius
Jr. Member
Post Wed Jun 23, 2010 1:00 pm

Re: Steps to hack a network

Hey sil, I've been watching this thread with great interest.  Thank you for your thorough and logical presentation of what you'd do and why.  I see comments on other sites about simply following recipe 1), 2) then 3) to penetrate a system but that is far too simplistic.  I'd rather understand what's happening "under the hood", exactly what I'm doing and why, so I can apply the principles to another system.

I'll keep an eye on further fascinating developments ...
Dengar13
Sr. Member
Location: The Steel City
Post Wed Jun 23, 2010 1:18 pm

Re: Steps to hack a network

Agreed.  Sil, you truly are an asset to this site.  Thank you.
A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!
sil
Hero Member
Location: ::1
Post Wed Jun 23, 2010 2:45 pm

Re: Steps to hack a network

Dengar13 wrote:
Agreed.  Sil, you truly are an asset to this site.  Thank you.


Thanks to both you and Ignatius. I just try to offer a different perspective on things. Tools are cool, no one can get by without them. Understanding their place and value should come first. I come from the system/network administration background, almost exclusively on *nix based systems (Solaris, BSD, Linux... Google + Archive.org would attest to this), so I take an administrative + security approach. I've always tried to do - without... Meaning, replicating tools without using them, because after all, most tools are prettified command line scripts anyway; you just have to be familiar with what commands to use.

I argued slash debated at one point about using specific tools because they were noisy. Most IPS/IDS even home based firewalls will smell nmap coming a mile away, let alone any scanner. That doesn't mean I couldn't run say netcat in a sleep script. With netcat I'm less likely to trigger an alarm for one, secondly if I'm already on a machine, no need to introduce programs that may trigger a HIPS. Sort of "tai chi" the machine's own self.

I also threw this same concept out before as an "all inclusive" backdoor retainer: http://www.infiltrated.net/scripts/plague the concept was based off of simple files already on a system (no need to download and trigger any alarms). Would be completely undetectable by AV. I did this in response to a few things at the time... To prove a point to an engineer at Symantec during Joanna Rutkowska's Red Pill Blue Pill dare. It was said that an undetectable backdoor couldn't be made... I made one then the contest was "re-described" to state an "undetectable backdoor hook for ring0" couldn't be made. :( How sad... I could have won 10k for a 4 liner.

The point I'm trying to make sometimes is, understand as best as possible what you are doing (stay focused and be extremely versatile). Things fall into place after some practice. Heck on a daily basis I almost always say: "Aha!!!!" and learn something new. This to me is the beauty of security - so vast... Networking, forensics, reverse engineering, scripting... There is always something to do and something new to learn. I've been fortunate enough to know a lot of people through the years and have always despised those who thought they were "too leet/good" to share.

Heck I learn from anyone I can. You never know what you might miss being shortsighted/arrogant/elitist. On the flip side, my descriptions at times tend to seem arrogant. I don't mean to post that way, just the way I am ;)
caissyd
Hero Member
Location: Ottawa, Canada
Post Wed Jun 23, 2010 3:14 pm

Re: Steps to hack a network

Sil, you don't sound arrogant at all!

There was an earthquake this afternoon in Ottawa, Canada and the government sent us home (even if NOTHING happened!!!). Anyway I got home early and have been applying what you said for the last hour. I am sooooooo new to this world!

My background is developing web applications, so I understand the code very well, but there is a steep learning curve to many, many things in this field.

But as you mentioned, that's why I love it so much: you never stop learning!

All that to say, a server in the lab I thought had 9 ports open really has... 24 listening services! Oh well, back to work now! ;D
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
sil
Hero Member
Location: ::1
Post Wed Jun 23, 2010 3:48 pm

Re: Steps to hack a network

H1t M0nk3y wrote:
My background is developing web applications, so I understand the code very well, but there is a steep learning curve to many, many things in this field.


When it comes to programming... I only program what I need to run (specifics), so I'm very sharp at creating something I specifically need; however, this is usually because a) I've either done it so many times I felt a need to program something so I don't have to keep doing it, or b) I can re-hash/re-use existing code (why reinvent wheels). I have little patience to go out and be a programmer. I try to gain enough of an understanding to get a job done. It's only now that I'm literally poring over ASM from scratch, not to program in ASM, but to understand reversing a bit more. At the same time it's a bit difficult for me because I can't devote as much time as I'd like to it.
