Network penetration testing
Marek Kumpošt

Penetration testing
> Authorized attempt to violate specific constraints defined in the form of a policy
> Technique to discover, understand, and document all security holes found in a system
> Not restricted to networks only
> Penetration testing can prove the presence of a security flaw
  > But not their total absence

Penetration study
> Complex process to evaluate (through penetration testing) the strength of all security controls within the system/network
  > + suggestions how to fix them
> The goal of a penetration study is also to find interpretations (causes) of discovered vulnerabilities and to suggest how to remove/close them
> Not intrusive - detects/enumerates potential vulnerabilities but does not exploit them

Lifecycle of penetration testing
> Phase 1: Information gathering about the tested environment
> Phase 2: Scanning, enumeration, fingerprinting, ...
> Phase 3: Exploitation, vulnerability testing, ...
> Phase 4: Report and evaluation

Recommended tools and pentesting arsenal
[Screenshot: Kali Linux desktop with several terminals - a Kismet client that could not connect to the Kismet server on localhost (connection refused, retrying every 5 seconds), the WebSploit Framework banner, and the Metasploit console starting up with a warning that one module could not be loaded]
[Screenshot continues: Metasploit console banner (1369 exploits, 836 auxiliary, 233 post, 343 payloads, 37 encoders, 8 nops), a netstat listing of the local listeners on the Kali VM (PostgreSQL on 127.0.0.1:5432, the thin web server, dhclient) and ifconfig output for eth0 and lo]

Types of penetration testing
> Black-box pentesting
  > Tester knows no details about the tested environment
  > Simulation of an external attacker with no internal knowledge
> Grey-box pentesting
  > Tester might have some architecture details, credentials, etc.
> White-box pentesting
  > Nothing is hidden from the tester in this scenario
  > Architecture details, credentials, source code of the tested application

Determining scope of a pentest (1/2)
> Who has the authority to authorize testing?
> What is the purpose and what is the timeframe for the testing?
> Who is authorized to know about the pentesting (IT, management, IT security, ...)?
> What documentation will you have (IP ranges, applications, DB, ...)?

Determining scope of a pentest (2/2)
> What are the conditions for the test to be immediately stopped?
> Will additional permissions be required for exploiting vulnerabilities?
> Are there any legal implications you should be aware of?
> Is social engineering (or physical security) also part of the pentest?

Most important part of any pentest?
> Take good notes!!! ;-)
> Of your setup, testing procedures, used tools, results, follow-ups
> Tips for tools: Dradis, MagicTree, ThreadFix or just Notepad ...

Information gathering
> Name servers, IP ranges, banners, running services
> Operating systems, IDS/IPS presence
> Technology used, network device types
> Google for anything that might help you to build knowledge
> Find everything that you can -> prioritize, remove misleading data -> use the gathered data to develop a pentest plan

Information gathering - example with DNS
[Screenshot: nslookup www.google.com against the local resolver 192.168.99.1 and then against 8.8.8.8; both return five non-authoritative A records for www.google.com (173.194.32.208 through 173.194.32.212)]
[Screenshot continues: dig +trace www.fi.muni.cz walks the delegation chain from the root servers (a-m.root-servers.net) through the cz. servers (a-d.ns.nic.cz) and the muni.cz. servers (ns.muni.cz, ns2.muni.cz, ns2.muninet.cz, nsa.ces.net) to the fi.muni.cz. servers (ns.muni.cz, aisa.fi.muni.cz, anxur.fi.muni.cz), ending with an A record answer from the authoritative server 147.251.48.1; dig www.fi.muni.cz axfr - "Transfer failed."; dig txt chaos VERSION.BIND @ns.muni.cz +noall +answer returns VERSION.BIND. 0 CH TXT "9.8.4-rpz2+rl005.12-P1"]
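The dig txt chaos VERSION.BIND query shown above is worth seeing at the wire level: it is a single ordinary DNS question in the CHAOS class, which is why the version leak is so cheap to collect and also trivial to spot in resolver query logs, and why hiding the string (BIND's version option in named.conf) is a routine hardening step. The following Python snippet is an added example, not code from the lecture: it builds the same CHAOS TXT query as raw bytes, then parses a response constructed inline with the version string from the screenshot. Nothing is sent on the network; the constructed responder stands in for the server.

```python
import struct

# Constructed sample value, copied from the slide's dig output (no server is contacted).
VERSION_BIND_TXT = "9.8.4-rpz2+rl005.12-P1"
QTYPE_TXT = 16
QCLASS_CH = 3   # CHAOS class, where BIND serves the VERSION.BIND pseudo-record


def encode_name(name):
    """Encode a dotted name as DNS labels: 7'version' 4'bind' 0."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_version_query(txid=0x1234):
    """Build the packet that `dig txt chaos VERSION.BIND` sends: one question, no recursion."""
    # ID, flags (standard query, RD=0), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
    return header + question


def build_constructed_response(query, txt):
    """Constructed server reply: echo the question and add one CH TXT answer with TTL 0."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)   # QR=1, AA=1, RCODE=0
    question = query[12:]
    rdata = bytes([len(txt)]) + txt.encode("ascii")             # <len><character-string>
    answer = b"\xc0\x0c"                                         # pointer to the name at offset 12
    answer += struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return header + question + answer


def skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_version_response(data):
    """Extract the version string from a VERSION.BIND TXT answer, or None if there is none."""
    _txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000 or ancount == 0:      # not a response, or nothing answered
        return None
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(data, offset) + 4    # skip QTYPE and QCLASS
    for _ in range(ancount):
        offset = skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            return rdata[1:1 + rdata[0]].decode("ascii")
    return None


def demo():
    """Build the query, hand it to the constructed responder, and recover the version string."""
    query = build_version_query()
    response = build_constructed_response(query, VERSION_BIND_TXT)
    return parse_version_response(response)


if __name__ == "__main__":
    print("server reports:", demo())
```

On a real resolver the query bytes would go to UDP port 53 and the reply would be fed to parse_version_response unchanged; a server that hides its version answers with an empty or refused response, and the function then returns None.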
[Screenshot: fierce -h - usage of fierce.pl by RSnake (http://ha.ckers.org/fierce/), a semi-lightweight DNS scanner that helps locate non-contiguous IP space and hostnames for a specified domain, meant as a precursor to nmap, unicornscan, nessus, nikto, etc.; it does not perform exploitation and does not scan the whole Internet; the -connect option attempts HTTP connections to any non-RFC1918 (public) address found and prints the returned headers, which can take hours to days against a large company]

How do you get the info you want?
> Network scanning - typical approach in the beginning
> List of live IP addresses - PING scan
> Information from the WHOIS database - DNS name, A, MX records, geolocation, reputation of an IP, spam DB lookups, etc. (www.tcpiputils.com)

How do you get the info you want?
> Service scanning
> Basic portscan - slower scan with nmap
> Gives us information about running services
> Service fingerprinting - possible versions of services - used to identify vulnerabilities and help us find relevant exploits

PING scan of a network
> What is this technique good for?
> Get a list of live IP addresses
> Get a list of your targets, understand the IP addressing structure
> Basic PING scan can be easily detected

[Screenshot: man fping(8) - fping sends ICMP ECHO_REQUEST packets to network hosts; unlike ping(8) it accepts any number of targets on the command line or from a file and probes them round-robin, removing a target from the list once it replies and marking it unreachable after the time/retry limit; man nping(1) - Nping is an open-source tool for network packet generation, response analysis and response time measurement that lets the user tune virtually any header field, can act as a simple ping utility or as a raw packet generator, and has an "Echo Mode" that shows how probes change in transit; the man page's example: nping -c 1 --tcp -p 80,433 scanme.nmap.org google.com]
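The slide's remark that a basic PING scan is easily detected is worth making concrete from the defender's side. The following Python snippet is an added example, not code from the lecture: it parses iptables-style LOG lines (constructed here to look like an fping round-robin sweep of 192.168.99.0/24 mixed with normal traffic) and flags any source that sends ICMP echo requests to at least a threshold number of distinct destinations inside a sliding time window. The field names follow the iptables LOG format (SRC=, DST=, PROTO=ICMP TYPE=8); the threshold of 5 hosts and the 60-second window are assumptions to tune per network.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in iptables LOG format (not captured from a real network):
# 192.168.99.50 probes eight addresses within three seconds, 192.168.99.20 pings one host.
SAMPLE_LOG = """\
Nov 17 11:40:01 gw kernel: IN=eth0 OUT= SRC=192.168.99.50 DST=192.168.99.1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Nov 17 11:40:01 gw kernel: IN=eth0 OUT= SRC=192.168.99.50 DST=192.168.99.2 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Nov 17 11:40:01 gw kernel: IN=eth0 OUT= SRC=192.168.99.50 DST=192.168.99.3 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Nov 17 11:40:02 gw kernel: IN=eth0 OUT= SRC=192.168.99.50 DST=192.168.99.4 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Nov 17 11:40:02 gw kernel: IN=eth0 OUT= SRC=192.168.99.50 DST=192.168.99.5 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Nov 17 11:40:02 gw kernel: IN=eth0 OUT= SRC=192.168.99.50 DST=192.168.99.6 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Nov 17 11:40:03 gw kernel: IN=eth0 OUT= SRC=192.168.99.50 DST=192.168.99.7 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Nov 17 11:40:03 gw kernel: IN=eth0 OUT= SRC=192.168.99.50 DST=192.168.99.8 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Nov 17 11:40:05 gw kernel: IN=eth0 OUT= SRC=192.168.99.20 DST=192.168.99.1 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Nov 17 11:40:06 gw kernel: IN=eth0 OUT= SRC=192.168.99.20 DST=192.168.99.1 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=2
Nov 17 11:40:07 gw kernel: IN=eth0 OUT= SRC=192.168.99.20 DST=192.168.99.11 PROTO=TCP SPT=51000 DPT=22
Nov 17 11:52:00 gw kernel: IN=eth0 OUT= SRC=192.168.99.50 DST=192.168.99.9 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: TYPE=(?P<type>\d+))?"
)


def parse_echo_requests(log_text, year=2014):
    """Yield (timestamp, src, dst) for ICMP echo requests (type 8); other lines are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proto") != "ICMP" or m.group("type") != "8":
            continue
        # syslog timestamps carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("src"), m.group("dst")


def detect_ping_sweeps(log_text, min_hosts=5, window=timedelta(seconds=60)):
    """Return {src: max distinct destinations} for sources that reach at least
    min_hosts distinct destinations within any span of `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst in parse_echo_requests(log_text):
        by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until the oldest event fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= min_hosts:
                alerts[src] = max(len(distinct), alerts.get(src, 0))
    return alerts


if __name__ == "__main__":
    for src, count in detect_ping_sweeps(SAMPLE_LOG).items():
        print(f"possible ping sweep from {src}: {count} distinct hosts within 60s")
```

The late probe at 11:52 falls outside the window and does not raise the count, which is the point of a sliding window: a slow sweep spread over hours needs a longer window or a per-day distinct-destination count instead.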
Getting more info about targets?
> Service scanning - fingerprinting and service banners
> Get info about running services
> Versions of services
> Operating system of a server and its possible version
> Patches of a service or operating system
> Enabled modules, internal service name, ...

Service scanning with NMAP
[Screenshot: nmap -A 192.168.99.10 (Nmap 6.47) - host SIP_tel (192.168.99.10) is up, 999 closed ports, 80/tcp open tcpwrapped with http-title "Sipura SPA Configuration", MAC address 00:0E:08:DC:68:80 (Cisco Linksys), device type VoIP phone, running Linksys embedded OS, OS details "Linksys SPA901, SPA921, or SPA941 SIP VoIP phone", network distance 1 hop; 1 host up, scanned in 17.42 seconds]
> nmap -A is a very noisy and easy to discover scan
> -sS - half-open scan, more stealthy

Basic nmap options for scanning
> --open - report only open ports of a target
> -Pn - skip host discovery (e.g. if a firewall drops ping)
> -T0-5 - aggressiveness of a scan, 0 - slowest, 5 - insane
> -sA/P/X/S/T/U/M/I/C - different scan types
> -oA/G/X/N - output from nmap scan - good for import to msf

[Screenshot: ls /usr/share/nmap/scripts | wc -l, then ls | grep -i -E "ssl|ssh|smb" listing the bundled NSE scripts for SMB (smb-brute, smb-check-vulns, smb-enum-domains/groups/processes/sessions/shares/users, smb-os-discovery, smb-security-mode, smb-psexec, smb-vuln-ms10-054, smb-vuln-ms10-061, smbv2-enabled, ...), SSH (ssh2-enum-algos, ssh-hostkey, sshv1) and SSL (ssl-ccs-injection, ssl-cert, ssl-date, ssl-enum-ciphers, ssl-heartbleed, ssl-known-key, sslv2, ...)]
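The -oX output mentioned above is what Metasploit's database import and most reporting tooling consume, so turning it into structured findings is a step every test ends with. The snippet below is an added example, not the lecturer's code: it parses a small nmap XML document, constructed inline to mirror the two scans on these slides (the Linksys SIP phone at 192.168.99.10 and the Synology NAS at 192.168.99.11), into one record per open port, including NSE script output such as http-title. The element and attribute names (nmaprun, host, status, address/addrtype, ports/port/state/service/script, os/osmatch) are the ones nmap really emits; the document content itself is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX document modelled on the scans shown on these slides (not real output).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="6.47">
  <host>
    <status state="up"/>
    <address addr="192.168.99.10" addrtype="ipv4"/>
    <address addr="00:0E:08:DC:68:80" addrtype="mac" vendor="Cisco Linksys"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="tcpwrapped" method="probed" conf="8"/>
        <script id="http-title" output="Sipura SPA Configuration"/>
      </port>
    </ports>
    <os><osmatch name="Linksys SPA901, SPA921, or SPA941 SIP VoIP phone" accuracy="100"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.99.11" addrtype="ipv4"/>
    <address addr="00:11:32:0B:A0:B4" addrtype="mac" vendor="Synology Incorporated"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="Synology DiskStation NAS ftpd" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="6.6p2-hpn14v4" extrainfo="protocol 2.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="5001">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" tunnel="ssl" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="filtered" reason="no-response"/>
        <service name="telnet" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.99.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one record per open port: host, MAC vendor, OS guess, port, service, version, scripts."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                       # hosts that were down carry no ports
        ipv4 = host.find("address[@addrtype='ipv4']")
        mac = host.find("address[@addrtype='mac']")
        osmatch = host.find("os/osmatch")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                   # only open ports belong in the findings table
            svc = port.find("service")
            svc = svc.attrib if svc is not None else {}
            # reassemble the VERSION column the way nmap prints it: product version (extrainfo)
            version = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            if svc.get("extrainfo"):
                version += f" ({svc['extrainfo']})"
            records.append({
                "host": ipv4.get("addr") if ipv4 is not None else None,
                "vendor": mac.get("vendor") if mac is not None else None,
                "os": osmatch.get("name") if osmatch is not None else None,
                "port": f"{port.get('portid')}/{port.get('protocol')}",
                "service": ("ssl/" if svc.get("tunnel") == "ssl" else "") + svc.get("name", ""),
                "version": version,
                "scripts": {s.get("id"): s.get("output") for s in port.iter("script")},
            })
    return records


def open_ports_by_host(records):
    """Summarise the records into {host: [port, ...]} for the report's scope section."""
    summary = {}
    for r in records:
        summary.setdefault(r["host"], []).append(r["port"])
    return summary


if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_NMAP_XML)
    for r in rows:
        print(f"{r['host']:15} {r['port']:9} {r['service']:9} {r['version']}  {r['scripts']}")
    print(open_ports_by_host(rows))
```

Filtered ports and hosts reported down are skipped on purpose; if the report must also list them (for example to document what a firewall hid), relax the two state checks.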
[Screenshot: nmap --script-help ssl-heartbleed.nse - categories vuln, safe; http://nmap.org/nsedoc/scripts/ssl-heartbleed.html; "Detects whether a server is vulnerable to the OpenSSL Heartbleed bug (CVE-2014-0160). The code is based on the Python script ssltest.py authored by Jared Stafford (jspenguin@jspenguin.org)"]

Usage of nmap scripts
> Make sure you fully understand any script that you run! ;-)
> nmap -sC - runs a basic set of about 50 nmap scripts, but is very loud on the network...

Getting information from SNMP
> Commonly misconfigured service by admins
> Great source of various information about your targets
> Default "public" community string; non-encrypted protocol versions; open ports on the firewall
> Tools in Kali: SNMPenum, SNMPcheck, onesixtyone
> You get a lot of info by sending just one packet!
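The three weaknesses the slide lists (a default community string, cleartext SNMPv1/v2c, and the service reachable from anywhere) are all visible in the agent's configuration file, so they can be checked before a scanner finds them. The snippet below is an added example, not from the lecture: it audits Net-SNMP snmpd.conf community lines using the directive names Net-SNMP actually uses (rocommunity, rwcommunity, com2sec for v1/v2c; createUser and rouser for v3) from text constructed inline, and shows a weak configuration beside a hardened one. The community names in the hardened fragment are placeholders, not values to deploy.

```python
import ipaddress
import shlex

DEFAULT_COMMUNITIES = {"public", "private"}   # the classic factory defaults

# Constructed snmpd.conf fragments (Net-SNMP syntax), not taken from a real host.
WEAK_CONF = """\
# out-of-the-box style configuration
rocommunity public
rwcommunity private 192.168.99.0/24
com2sec readonly default public
"""

HARDENED_CONF = """\
# no v1/v2c communities at all; one SNMPv3 user with authentication and encryption
createUser monitor SHA "CHANGE-ME-auth-passphrase" AES "CHANGE-ME-priv-passphrase"
rouser monitor priv
# listen only on the management address; the firewall limits who may reach it
agentaddress udp:192.168.99.11:161
"""


def parse_snmpd_conf(text):
    """Yield (directive, args) for each non-comment line, splitting quoted values like snmpd does."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        yield parts[0].lower(), parts[1:]


def source_is_unrestricted(source):
    """True when the SOURCE field admits every address: missing, "default", or a /0 network."""
    if source is None or source.lower() == "default":
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False          # a hostname restricts access to that one host


def audit_snmpd_conf(text):
    """Return a list of (severity, message) findings about v1/v2c community configuration."""
    findings = []
    for directive, args in parse_snmpd_conf(text):
        if directive in ("rocommunity", "rwcommunity"):
            # rocommunity COMMUNITY [SOURCE [OID]]
            community = args[0] if args else ""
            source = args[1] if len(args) > 1 else None
        elif directive == "com2sec":
            # com2sec NAME SOURCE COMMUNITY
            if len(args) < 3:
                continue
            source, community = args[1], args[2]
        else:
            continue          # rouser/rwuser/createUser/agentaddress are not community lines
        where = f"{directive} {community}"
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(("high", f"{where}: default community string"))
        if source_is_unrestricted(source):
            findings.append(("high", f"{where}: accepted from any source address"))
        if directive == "rwcommunity":
            findings.append(("high", f"{where}: read-write access over SNMPv1/v2c"))
        findings.append(("low", f"{where}: SNMPv1/v2c community travels in cleartext; prefer SNMPv3 rouser/rwuser"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"--- {label}: {len(audit_snmpd_conf(conf))} finding(s)")
        for severity, message in audit_snmpd_conf(conf):
            print(f"[{severity}] {message}")
```

A v2c community with a long random name and a narrow SOURCE still produces the low finding, deliberately: the string is sent unencrypted in every request, so only SNMPv3 with priv removes it.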
[Screenshot: snmpcheck -t 192.168.99.11 (snmpcheck v1.8, SNMP enumerator by Matteo Cantoni, www.nothink.org) - connects to the NAS and enumerates system information (hostname DiskStation, Linux DiskStation 2.6.32.12 on armv5tel, system and SNMP daemon uptime about 22 hours, contact admin@diskstation, location unknown), device list (network interfaces, disk storage devices, processor, coprocessor), storage information (lo, eth0, sit0, tun0, a WDC WD20EARS SCSI disk, /dev/sda, /dev/sdb, RAID devices /dev/md0, /dev/md1, /dev/md2) and the start of the process list (init, synoconfd, photostationd, dms, synologarchd, lighttpd, udevd, synonetd, mysqld, php-fpm, nginx, httpd, synoindexworkerd, synomediaparserd, postgres, ntpd, iptablestool, sshd, ...)]
[Screenshot continues: remaining processes with their full paths (synostoraged, scemd, hotplugd, getty, inetd, nmbd, /usr/bin/mysqld, /usr/bin/nginx, /usr/bin/httpd, /usr/bin/sshd, ...), routing information (default route via 192.168.99.1, a 10.0.0.0 route via 10.0.0.2), and the listening TCP ports and connections (21, 22, 139, 161, 445, 3306, 514, 5432, 6690 and others)]
[Screenshot continues: the rest of the connection table - fourteen listening sockets and six established connections to 192.168.99.1]

Metasploit - Swiss army knife for pentesting
> Previous manual work done effectively from one framework
> Great source of various information about your targets
> Results of your activities are stored in a database
> All configured (db, msf, web server) in Kali Linux

Metasploit - Swiss army knife for pentesting
> Workspaces for storing different projects in msf
> Metasploit can import results from nmap
> Or you can run nmap directly from Metasploit!
> db_nmap with the options you would use with standard nmap
> Metasploit prompt accepts standard Linux commands

[Screenshot: db_nmap service scan of 192.168.99.11 from the msf console (Nmap 6.47) - host is up, 993 filtered ports; 21/tcp open ftp Synology DiskStation NAS ftpd, with an ssl-cert (organizationName=Home, CZ, valid from 2014-04-19 to 2024-04-16) and an ssl-date result more than 73 years off the local time]
[Screenshot continues: 22/tcp open ssh OpenSSH 6.6p2-hpn14v4 (protocol 2.0); 80/tcp open http Apache httpd, redirecting to http://192.168.99.11:5000/; 139/tcp and 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME); 443/tcp open ssl/http Apache httpd, redirecting to https://192.168.99.11:5001/; 5001/tcp open ssl/http Apache httpd with the same certificate; MAC address 00:11:32:0B:A0:B4 (Synology Incorporated); OS scan unreliable because no closed port was found, device type storage-misc/general purpose, running LaCie Linux 2.6.X or Linux 2.6.X. Then msf > vulns lists a stored finding (host=37.187.134.197, name=OpenSSL Heartbeat (Heartbleed) Information Leak, refs auxiliary/scanner/ssl/openssl_heartbleed) and msf auxiliary(openssl_heartbleed) > show options prints the module options]
[Screenshot continues: module options of auxiliary/scanner/ssl/openssl_heartbleed - DUMPFILTER (pattern to filter leaked memory before storing), MAX_KEYTRIES 50, RESPONSE_TIMEOUT 10, RHOSTS, RPORT, STATUS_EVERY 5, THREADS 1, TLS_CALLBACK None, TLS_VERSION 1.0; set RHOSTS 192.168.99.11, set RPORT 5001, ACTION can be DUMP, KEYS or SCAN; run ends with "Scanned 1 of 1 hosts (100% complete)" and "Auxiliary module execution completed". msf > info auxiliary/scanner/ssl/openssl_heartbleed - name OpenSSL Heartbeat (Heartbleed) Information Leak, license Metasploit Framework License (BSD), rank Normal, disclosed 2014-04-07, provided by Neel Mehta, Riku, Antti, Matti, Jared Stafford, FiloSottile, Christian Mehlmauer, wvu, juan vazquez, Sebastiano Di Paola, Tom Sellers, jjarmoc, Ben Buchanan, herself; available actions DUMP (dump memory contents), KEYS (recover private keys from memory), SCAN (check hosts for vulnerability); TLS_CALLBACK accepts None, SMTP, IMAP, JABBER, POP3, FTP, POSTGRES; TLS_VERSION accepts SSLv3, 1.0, 1.1, 1.2]
[Screenshot continues: module description - "This module implements the OpenSSL Heartbleed attack. The problem exists in the handling of heartbeat requests, where a fake length can be used to leak memory data in the response. Services that support STARTTLS may also be vulnerable."]

[Screenshot: NVD Common Vulnerability Scoring System Version 2 Calculator for CVE-2014-0160 - CVSS v2 vector (AV:N/AC:L/Au:N/C:P/I:N/A:N); base score 5.0, impact subscore 2.9, exploitability subscore 10.0; temporal and environmental scores not defined, overall score 5.0; base metrics: Access Vector Network, Access Complexity Low, Authentication None, Confidentiality Impact Partial, Integrity Impact None, Availability Impact None; all base metrics are required to generate a base score]
[Screenshot: Metasploit module search results - auxiliary/scanner/ssl/openssl_heartbleed (2014-04-07, normal, OpenSSL Heartbeat (Heartbleed) Information Leak) and auxiliary/server/openssl_heartbeat_client_memory (2014-04-07, normal, OpenSSL Heartbeat (Heartbleed) Client Memory Exposure)]

Pentest reporting - general guidelines
> Scope of the pentest (what/when/why/how/who)
> What is scanned, what is the goal, what is excluded, ...
> For each discovered vulnerability
  > Discuss risk, impact, attacker's skill, affected hosts
  > Provide description/evidence, recommendation and references

Useful pointers
> OWASP testing guide - https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
> OWASP reporting guide - https://www.owasp.org/index.php/Reporting
> Certified Ethical Hacker (CEH) certification

Thx...