.

Pen Testing Windows

<<

millwalll

Post Fri Dec 02, 2011 11:08 am

Pen Testing Windows

Hi all,

So I got some time in my company test lab and not really done much windows pen testing.

Does anyone have good resource or tools for windows services like

smb
ldap
ms sql
snmp
or any other ?

So I can learn more about them as nessue flags lots of problems but I am not sure how to verify them epically with smb and ldap.

Thanks
<<

Triban

User avatar

Hero Member
Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Fri Dec 02, 2011 12:51 pm

Re: Pen Testing Windows

craft clever phishing email
attach a pdf or excel sheet with embeded flash object which sets up a reverse shell connection
Wait for them to open it :D
Drop backdoors

Proceed with recon! :D

I keed I keed.  Depends on your goal.  With the Windows attacks, much of them have been due to 3rd party software not being patched rather than an actual flaw in Windows.

With SQL many times the built in SA account isn't properly secured or utilizes the same admin password as say the local admin of the computer.  If they are old versions of Windows (XP/2003) then you have more options.  If they are newer versions (7/2008) then you will have your work cut out for you.  If they have been hardened, it will be that much tougher.
Certs: GCWN
(@)Dewser
<<

millwalll

Post Sat Dec 03, 2011 8:53 am

Re: Pen Testing Windows

This is lab setup so it has lot of problem some of the problem listed include

default password for mysql
I tried to test for this using mysql ip -u root -p mysql but i get error cant connect or something.

smb null session
ldap null base search access
smb null session
smb uses sid to enumerate
smb lsaqueryinformationpolicy function
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sat Dec 03, 2011 11:00 am

Re: Pen Testing Windows

mysql might not be configured to allow root access from anywhere...  Might only allow from localhost (thus via a local webapp, or something)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

TheXero

User avatar

Full Member
Full Member

Posts: 112

Joined: Tue Dec 07, 2010 12:24 pm

Post Sat Dec 03, 2011 12:15 pm

Re: Pen Testing Windows

Jamie.R, I would highly recommend that you see about doing PWB and OSCP.

Tools for everything there are readily available in BackTrack, may even be nmap scripts for it :)

~TheXero
<<

millwalll

Post Sat Dec 03, 2011 12:25 pm

Re: Pen Testing Windows

That is a good point hayabusa but if that the case if nessus reports mysql using default credentials how can you confirm this as you cant really report an issue to client without being sure it is an issue.

TheXero
I plan on doing OSCP but it just getting the money sadly my company wont pay for me as they prefer to train in house but I am trying to progress my training myself but as I am only junior don't get paid that much.

It is on my list of things to do :P
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sat Dec 03, 2011 2:56 pm

Re: Pen Testing Windows

Jamie.R - in that case, you'd need to look for SQL- or command-injection to be able to pass root's login via a web app.  I recall having to do EXACTLY that, when I was helping beta test for the US Cyber challenge, a couple of summers ago.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

millwalll

Post Sun Dec 04, 2011 7:20 am

Re: Pen Testing Windows

Cool will look into that does anyone have any good links for leaving more about windows ? I mean I have used windows for about 14 years at home but not really in a business environment so have not dealt with domain controllers and stuff like that.
<<

cd1zz

User avatar

Recruiters
Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Sun Dec 04, 2011 9:28 pm

Re: Pen Testing Windows

A few guidelines from you original question:

smb - look for missing patches and public exploits. you can also dictionary attack smb for credentials. i'd start with username "administrator" ;) You can also capture hashes for smb creds and use these in pass the hash techniques. There are a number of ways to do this.

ldap - if anonymous ldap sessions are allowed you can enumerate this service for lots of juicy info.

ms sql - look for missing patches. Better yet, if you can get creds for SA then more than likely they have xp_cmdshell functioning and you can get root, easy. You can get creds by dictionary attack, SE, or existing odbc connections.

snmp - again, dictionary attack. If you can find out the community string, you can likely read/write entire server configurations. This is a very powerful, yet often overlooked security issue on corporate lans.

I would recommend getting a copy of MSDN and installing your own AD environment so you can see all the moving parts of an AD environment. This is paramount to successful pentesting since most orgs use AD in one fashion or another.
<<

millwalll

Post Mon Dec 05, 2011 4:28 am

Re: Pen Testing Windows

Cool thanks for that any good link to things like smb and ldap and stuff ? Yah install AD might be worthwhile task.
<<

Triban

User avatar

Hero Member
Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Mon Dec 05, 2011 9:17 am

Re: Pen Testing Windows

Win XP in a domain environment, with a default Sec Policy, will cache up to 5 passwords I think.  I have to look at my lab DC.  But yeah XP even with SP3 is still a pretty good target.  Now if the Sys admin in the domain is doing it write, Windows Firewall is enabled so many of the attacks might not work. 

Also I think by default MS SQL will not allow network connections until you go into the config and turn it on.  MySQL may do the same thing.

Just because Nessus says it so, doesn't mean it is.  Get the MSSQL Management tool, this will allow you to test for connections.  Also NMAP has a nifty script to locate systems broadcasting services such as DNS, SQL and other types.

nmap -P0 --script=broadcast


It will run a series of broadcast scripts.  If you want to see the details y ou can view them in the nmap/scripts folder.  There is also one for listening for Dropbox LAN sync broadcasts >D

Sorry if I got off topic a bit :D
Certs: GCWN
(@)Dewser
<<

millwalll

Post Fri Dec 09, 2011 4:43 am

Re: Pen Testing Windows

Thanks,

what's the best way to learn about domains is it good idea set one up can this be done for free ? any other useful information on testing windows or tools be really great thanks.
<<

TheXero

User avatar

Full Member
Full Member

Posts: 112

Joined: Tue Dec 07, 2010 12:24 pm

Post Fri Dec 09, 2011 5:33 am

Re: Pen Testing Windows

Jamie.R, you if want a go at my challenge, drop by #intern0t on irc.freenode.net and we'll set you up for the CTF which is currently running :)
<<

cd1zz

User avatar

Recruiters
Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Fri Dec 09, 2011 9:02 am

Re: Pen Testing Windows

I think the system admin/network admin stuff is incredibly important to be a good pentester, so you definitely should learn all about AD. There are a few options:

- Start working helpdesk or sys/network admin roles
- Get your MCITP
- Spend $200 and get a subscription to MSDN so you can download and play with every piece of software MS makes. Then, set up your own AD domain, exchange server, sql server etc. etc. etc.

I really believe the network work is huge, simply because if you pop a box on a network, will you know where to go next? Would you know how to pull data off a sql server? Would you know how to export email off an exchange server? Just a few simple things, but can be incredibly valuable to a client because getting domain admin might not mean as much to them as stealing the CEO's email.
<<

millwalll

Post Mon Dec 12, 2011 7:01 am

Re: Pen Testing Windows

MCITP What does this cover is it only active directory or is it more like Microsoft admin course ?
Next

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 2 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software