233. Remote Access Tools (OBJ 5.3)
In this lesson, we are going to discuss the remote access tools that are covered by the exam. Remote access tools are used to give an attacker full control of a workstation, server, or other device remotely over a network, including the internet. This includes tools like SSH, Netcat, Ncat, and ProxyChains. First, we have SSH, also known as Secure Shell. Secure Shell is a command-line tool that's used to remotely control another machine over a LAN or WAN. Most commonly, system administrators use Secure Shell to connect to servers and manage them remotely, but attackers can use it to their advantage too. Secure Shell works a lot like Telnet in that it provides a remote command-and-control channel. Unlike Telnet, however, SSH encrypts the session, which lets us create a secure channel between the victim we're controlling and the client we're attacking it from.
Now, when we connect to it from our Kali Linux machine, this creates an encrypted tunnel, so network defenders can't read the commands and data we're sending back and forth between the victimized server and our attacking client. This makes us a bit stealthier and harder to detect, although the connection itself, the port, and the traffic volume are still visible to them. The second tool we have is known as Netcat, written as nc. Netcat is a command-line utility that's used to read from or write to a TCP, UDP, or Unix domain socket network connection. Netcat is a very versatile tool; many people call it the Swiss army knife of hacking because it can do so many different things for you. It can sweep a network to figure out which hosts and ports are listening, and it can do enumeration, banner grabbing, fingerprinting, and much more. One of the best features of Netcat, though, is that it gives us a command-line remote access tool with the ability to read, write, and redirect data over the network (classic Netcat does not encrypt; that is what Ncat adds, as we'll see next). For instance, we can use Netcat to set up a listener on the target machine that hands a shell to whoever connects, and then connect to it from our attack machine, creating what we call a bind shell. Another option is a reverse shell, in which we set up a listener on our attack machine and the victim machine calls back to us; that way we can answer the call and take remote control of their machine, which also works when inbound connections to the victim are blocked by a firewall but outbound connections are allowed.
Now, the third one we have is what's known as Ncat. Ncat is an improved version of Netcat that was created by the makers of Nmap, and it can also act as a proxy, launch executables, transfer files, and encrypt all the communications to and from the victim machine (using its --ssl option). For example, you can conduct banner grabbing using Ncat by entering ncat -C followed by the domain name and port 80; the -C option makes Ncat send CRLF line endings, which HTTP expects. This connects to the website over port 80, and then you can type GET / HTTP/1.0 followed by a blank line to see what is returned from that server. In this case, we can see that we have a successful connection because the server responded with a status code of 200, and we can see from the Server header that it is running Apache version 2.2.2 on a Fedora Linux-based operating system. That is just how we use it to do banner grabbing, but we can also use Ncat for remote command and control just like we can with Netcat. The fourth tool we have is known as ProxyChains. ProxyChains is a command-line tool that enables penetration testers to mask their identity and/or their source IP address by sending traffic through proxy servers or other intermediaries.
ProxyChains is often used on the attacking machine as we conduct our different assessments. It hooks the network calls of whatever program you launch through it (for example, proxychains nmap -sT target) and forces that program's TCP connections to run through a given proxy; it does not redirect UDP or ICMP, so things like ping sweeps and UDP scans are not covered. This proxy may be the onion router, Tor, or it may be an HTTP web proxy or a SOCKS4 or SOCKS5 proxy. By setting this up, we can force all of our traffic to go through that proxy and into the target machine. When we're setting up this proxy, we can also chain them together, going through multiple different proxies, which is why we call this ProxyChains. We might set up three or four or five or six different proxies as hops as we make our way from our system over to the system that we're attacking. That way we can hide where we're coming from, because each hop only sees the hop before it, and it becomes much more difficult for defenders to backtrack through all those different hops and figure out where we're coming from during our attacks.
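Here is an added Python example of what that chaining looks like on the wire. It is not ProxyChains' own code (the real tool hooks connect() in the wrapped program via LD_PRELOAD); instead it implements a minimal SOCKS5 server (CONNECT only, no authentication, IPv4 or domain-name targets) and a client that tunnels through several of them in order, the way a strict_chain configuration does. Everything runs on loopback in one process, and each proxy records the only thing it learns, the address of the next hop, while the target records who connected to it.

```python
import socket
import struct
import threading

LOOPBACK = "127.0.0.1"


def _recv_exact(sock, n):
    """SOCKS handshakes are fixed-layout, so read exactly n bytes or fail."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS handshake")
        buf += chunk
    return buf


def _pump(src, dst):
    """Relay bytes one way until src closes, then half-close dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle_socks5(client, name, log):
    """Serve one SOCKS5 CONNECT with the 'no authentication' method."""
    _ver, nmethods = _recv_exact(client, 2)
    _recv_exact(client, nmethods)                 # methods offered; we pick "none"
    client.sendall(b"\x05\x00")
    _ver, _cmd, _rsv, atyp = _recv_exact(client, 4)
    if atyp == 1:                                 # IPv4 literal
        host = socket.inet_ntoa(_recv_exact(client, 4))
    else:                                         # 3: domain name, resolved here
        host = _recv_exact(client, _recv_exact(client, 1)[0]).decode()
    port = struct.unpack("!H", _recv_exact(client, 2))[0]
    log.append(f"{name} -> {host}:{port}")        # all this hop ever learns
    upstream = socket.create_connection((host, port))
    client.sendall(b"\x05\x00\x00\x01" + socket.inet_aton("0.0.0.0") + b"\x00\x00")
    t = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    t.start()
    _pump(upstream, client)
    t.join()
    client.close()
    upstream.close()


def _serve(handler):
    """Listen on a free loopback port, dispatch each connection to handler(conn, peer)."""
    srv = socket.socket()
    srv.bind((LOOPBACK, 0))
    srv.listen(8)

    def loop():
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handler, args=(conn, peer), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def start_socks5_proxy(name, log):
    return _serve(lambda conn, _peer: _handle_socks5(conn, name, log))


def start_echo_target(log):
    """The 'victim': echoes one message and records the apparent source."""
    def handle(conn, peer):
        with conn:
            log.append(f"target saw connection from {peer[0]}:{peer[1]}")
            conn.sendall(conn.recv(4096))
    return _serve(handle)


def socks5_connect(sock, host, port):
    """Ask the SOCKS5 server at the far end of sock to CONNECT to host:port."""
    sock.sendall(b"\x05\x01\x00")                 # v5, one method offered: no auth
    if _recv_exact(sock, 2) != b"\x05\x00":
        raise ConnectionError("proxy rejected no-auth")
    sock.sendall(b"\x05\x01\x00\x03" + bytes([len(host)]) + host.encode()
                 + struct.pack("!H", port))
    if _recv_exact(sock, 10)[1] != 0:
        raise ConnectionError("CONNECT refused")


def connect_through_chain(proxies, target):
    """strict_chain: each hop is asked to connect to the next, the last to the target."""
    sock = socket.create_connection(proxies[0])
    for hop in proxies[1:] + [target]:
        socks5_connect(sock, *hop)
    return sock


def demo(chain_len=2, payload=b"hello through the chain"):
    log = []
    target = (LOOPBACK, start_echo_target(log))
    proxies = [(LOOPBACK, start_socks5_proxy(f"proxy{i + 1}", log)) for i in range(chain_len)]
    with connect_through_chain(proxies, target) as sock:
        sock.sendall(payload)
        echoed = sock.recv(4096)
    return echoed, log


if __name__ == "__main__":
    data, trail = demo(chain_len=3)
    print(data)
    print("\n".join(trail))
```

The trail printed at the end is the defender's problem in miniature: the target only ever sees the last proxy's address, and unwinding the path means getting logs from every operator in the chain.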
234. Credential Testing Tools (OBJ 5.3)
In this lesson, we're going to talk about credential testing tools. Credential testing tools are used to crack passwords and other authentication tokens to gain access to a user's account on a given system or network. These tools include Hashcat, Medusa, Hydra, CeWL, John the Ripper, Cain, Mimikatz, Patator, DirBuster, and w3af. First, we have Hashcat. Hashcat is a modern password and hash cracking tool that supports the use of GPUs for parallel processing when conducting dictionary, brute force, and hybrid attacks, and it is one of the fastest password recovery tools available. The major benefit of Hashcat is that it can rely on the CPU, or it can use the much faster graphics processing unit to perform the hashing needed to crack a password. For this reason, some hackers and pen testers build dedicated password cracking rigs with multiple GPUs, because they can offload the work from the system's processor onto the graphics processors, and Hashcat is ideal for this. Keep in mind that this is offline cracking: you already hold the hashes (from a database dump or a tool like Mimikatz), so the target never sees your guesses.
Second, we have Medusa. Medusa is a parallel brute force tool that's used against network logins to attack services that support remote authentication. It supports numerous remote authentication protocols, like rlogin, SSH, Telnet, HTTP, and many others. Medusa also supports multi-threaded operation, so it can attempt many logins simultaneously instead of sequentially one by one, which speeds up the process. The third one we have is Hydra. Hydra is a parallel brute force tool that's similar to Medusa, but it also ships with a password inspection helper (pw-inspector) that trims a dictionary down to only the passwords that meet the minimum password requirements for a given system. Hydra tries to connect to the server with different username and password combinations over and over again until it finds the right one. As you see in this example, it's using the same login every time but trying a different password among the 27 options, so it'll eventually find the right one. Of course, 27 passwords go by pretty quickly, but a list of millions of passwords could take a lot longer. The main drawback of a tool like Hydra is that it is an online attack: every guess hits the live service, so defenders will see our attempts in their server logs, and account lockout policies can lock the very accounts we're testing. If you see something that looks like this output in your own logs, it means somebody is trying to brute force their way into your server, probably with a tool like Hydra. Fourth, we have CeWL. CeWL is used to generate a word list based on automatic crawling of a website to collect words and metadata from that site.
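From the defender's side, the log noise that an online tool like Hydra or Medusa produces is easy to turn into a detection. The following is an added Python example, not from the lesson: it parses sshd "Failed password" lines in the syslog format written to /var/log/auth.log and flags any source address with a burst of failures inside a sliding time window. The log lines are constructed for the demo; the first six mimic a Hydra run (one source, rapid fire, a new source port for every attempt), the last two are a legitimate user mistyping once and then succeeding.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd failure line as it appears in auth.log (syslog timestamp carries no year)
FAILED_LOGIN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

# Constructed sample data for the demo (not real log output).
SAMPLE_AUTH_LOG = """\
Mar  4 10:15:01 web1 sshd[2231]: Failed password for admin from 203.0.113.7 port 51012 ssh2
Mar  4 10:15:02 web1 sshd[2233]: Failed password for admin from 203.0.113.7 port 51014 ssh2
Mar  4 10:15:02 web1 sshd[2235]: Failed password for admin from 203.0.113.7 port 51016 ssh2
Mar  4 10:15:03 web1 sshd[2237]: Failed password for admin from 203.0.113.7 port 51018 ssh2
Mar  4 10:15:04 web1 sshd[2239]: Failed password for invalid user test from 203.0.113.7 port 51020 ssh2
Mar  4 10:15:05 web1 sshd[2241]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Mar  4 10:15:20 web1 sshd[2260]: Failed password for alice from 198.51.100.9 port 40222 ssh2
Mar  4 10:15:21 web1 sshd[2262]: Accepted password for alice from 198.51.100.9 port 40222 ssh2
"""


def parse_failures(log_text):
    """Return {source_ip: [(timestamp, user, source_port), ...]} for failed logins."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m:
            continue                                    # successes and other daemons
        stamp = " ".join(m["ts"].split())               # collapse "Mar  4" padding
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S")  # year defaults to 1900; only deltas matter
        per_ip[m["ip"]].append((ts, m["user"], int(m["port"])))
    return per_ip


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag any source with at least `threshold` failures inside a sliding window.

    Tune threshold/window to the service: a human mistypes a handful of times
    over minutes, a brute forcer produces dozens of failures per second."""
    alerts = {}
    for ip, events in parse_failures(log_text).items():
        events.sort()
        times = [t for t, _, _ in events]
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1                              # slide the window forward
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": len(events),
                    "users": sorted({u for _, u, _ in events}),
                    "distinct_ports": len({p for _, _, p in events}),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"ALERT {ip}: {info}")
```

The distinct_ports count is a useful tiebreaker in practice: a person retrying in one SSH session reuses the same source port, while a tool opening a fresh connection per guess burns through a new port every time.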
Now, basically, CeWL searches a target website, crawling through it to whatever depth we tell it to, and collects the words it finds along the way. So, if I'm pen testing a certain company, we might want to go to their website and crawl it for every word between five and 10 letters long. CeWL can do that and produce a word list from all those words, and then we can use those words and variations of them to conduct a dictionary or hybrid attack against the passwords. This essentially creates a dictionary that's customized to that particular target, which is far more efficient than starting from scratch with a pure brute force attack, because people tend to build passwords out of the company name, its products, and its location. Fifth, we have John the Ripper. John the Ripper is a cross-platform password cracking tool that supports a large set of hash types as well as dictionary and brute force attacks. John the Ripper is one of the most famous password crackers in use today. It runs on Linux, Unix, macOS, Windows, and many others. Having been around since the 1990s, it's been updated many times over the years and supports both dictionary (wordlist) and brute force (incremental) modes. Sixth, Cain. Cain, also known as Cain & Abel, is a legacy password cracking and hash dumping tool that can conduct network sniffing to identify hashes that may be vulnerable to cracking.
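To tie the CeWL, Hashcat, and John the Ripper passages together, here is an added Python example that is not the code of any of those tools. It scrapes a constructed company web page the way CeWL does (visible text plus description/keywords metadata, scripts skipped, words between five and 10 letters, roughly cewl -m 5), then runs a dictionary plus hybrid attack in the style of hashcat -a 6 with a ?d?d mask: each site word is tried as found, lowercased, and capitalized, with two-digit and "!" suffixes, against a constructed dump of unsalted SHA-256 hashes. The three hashes are derived from known plaintexts so the demo is self-checking; the cracker itself only ever sees the hex digests, and one of the three deliberately needs a four-digit year the mask does not cover, so it survives.

```python
import hashlib
import re
from html.parser import HTMLParser
from itertools import product

# Constructed stand-in for a crawled company page; CeWL would fetch real pages
# over HTTP and follow links to the depth you give it.
SAMPLE_HTML = """<html><head><title>Acme Widgets | About</title>
<meta name="description" content="Acme builds the Falcon widget line in Riverton">
</head><body><h1>Welcome to Acme Widgets</h1>
<p>Our flagship Falcon widgets have shipped from Riverton since 1998.
Contact the Riverton office for quotes.</p>
<script>var tracking = "analytics-noise";</script></body></html>"""


class _WordScraper(HTMLParser):
    """Collect words from visible text and from description/keywords metadata."""
    def __init__(self):
        super().__init__()
        self.words = []
        self._skip = 0          # depth inside <script>/<style>, whose text is noise

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "meta":
            a = dict(attrs)
            if a.get("name") in ("description", "keywords") and a.get("content"):
                self.words += re.findall(r"[A-Za-z]+", a["content"])

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.words += re.findall(r"[A-Za-z]+", data)


def cewl_wordlist(html, min_len=5, max_len=10):
    """Unique words within the length bounds, in first-seen order (cewl -m style)."""
    scraper = _WordScraper()
    scraper.feed(html)
    seen, out = set(), []
    for w in scraper.words:
        if min_len <= len(w) <= max_len and w not in seen:
            seen.add(w)
            out.append(w)
    return out


def _mask_suffixes(digits=2):
    """Hybrid tail: nothing, '!', every ?d?d combination, and ?d?d plus '!'."""
    yield ""
    yield "!"
    for combo in product("0123456789", repeat=digits):
        tail = "".join(combo)
        yield tail
        yield tail + "!"


def crack_sha256(hashes, wordlist):
    """Dictionary + case rules + mask against a set of unsalted SHA-256 digests.
    Returns {digest: recovered_plaintext} for every hash that fell."""
    targets = set(hashes)
    found = {}
    for word in wordlist:
        for base in {word, word.lower(), word.capitalize()}:
            for suffix in _mask_suffixes():
                candidate = base + suffix
                digest = hashlib.sha256(candidate.encode()).hexdigest()
                if digest in targets:
                    found[digest] = candidate
    return found


def _h(plaintext):
    return hashlib.sha256(plaintext.encode()).hexdigest()


# Constructed "dump" of three unsalted SHA-256 password hashes.
DUMPED_HASHES = [_h("Falcon98"), _h("riverton!"), _h("Widgets2024")]


if __name__ == "__main__":
    words = cewl_wordlist(SAMPLE_HTML)
    print("wordlist:", words)
    print("cracked :", crack_sha256(DUMPED_HASHES, words))
```

Two of the three hashes fall to a 14-word list within a few thousand guesses, which is the whole argument for a targeted dictionary over blind brute force; the survivor shows why you widen the mask or add rules only after the cheap candidates are exhausted.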
Cain is a Windows-based tool with a lot of the same functions as John the Ripper, but it's a little easier to use because it provides a graphical user interface. Seventh, Mimikatz. Mimikatz is a tool that gathers credentials by extracting key elements from the memory of a system, such as cleartext passwords, hashes, and PIN codes. Mimikatz is a critical tool if you're going against a Windows-based environment, because it can be used for pass-the-hash, pass-the-ticket, and golden ticket attacks. Strictly speaking, Mimikatz is a credential harvester rather than a cracker: it targets Windows systems to extract plaintext passwords, NTLM hashes, PIN codes, and Kerberos tickets from the machine's memory (notably the LSASS process), which you can then crack offline or simply reuse as-is. Because this tool is so powerful, you're going to need to learn it if you're going up against any Windows environment or domain controllers during your engagements. It isn't often run as a standalone program; instead, you'll usually find it embedded in some other exploitation framework, such as Empire. Eighth, Patator. Patator is a multipurpose brute force tool that supports several different modules, including FTP, SSH, SMB, VNC, and ZIP password cracking. Patator is similar to Medusa and Hydra, so why do we need yet another tool that does basically the same thing? It's because, as a penetration tester, you'll find certain tools that you like or that perform better than others for certain actions. Everyone has their favorites, and some people prefer Patator over Medusa or Hydra. For the exam, just realize they're not going to give you multiple password cracking tools in the same question and ask you the differences between them. Instead, you just need to understand which tools can perform password cracking to answer the tool use case questions, so if you see Patator, remember it's another password cracking tool.
Ninth, we have DirBuster. DirBuster is a brute force tool that's run against a web application or server to identify unlisted directories and file names that may be accessible. Because DirBuster is a graphical user interface based tool, it's really easy to use: you simply type in the target URL and it starts working through it, either using a word list or generating names with a pure brute force approach, until it finds everything or times out. This can take a while, but it's a great way to find files and folders that aren't supposed to be publicly viewable but are, as long as you know the address. 10th, w3af, or the Web Application Attack and Audit Framework. w3af is a tool used to identify and exploit a large set of web-based vulnerabilities, like SQL injection and cross-site scripting. It's used for finding web application vulnerabilities, and you can think of it like Nessus, OpenVAS, or Nikto, but specifically for web applications. The reason that CompTIA includes it in the credential testing tool section of the objective is that it has a plugin that can perform brute force authentication to try to crack or bypass login credentials in a given web application, but it could just as easily have been put in the scanning tool section. For the exam, though, remember that w3af is considered a password cracking type of tool for web applications specifically.
235. Web Application Tools (OBJ 5.3)
In this lesson, we're going to discuss the web application tools that you need to know for the exam. Web application tools are used to identify and exploit vulnerabilities in deployed web applications. This includes tools like OWASP ZAP, Burp Suite, and GoBuster. The first one we have is OWASP ZAP, which stands for the Zed Attack Proxy. OWASP ZAP is an open source web application security scanner and attack proxy that's used in both automated and manual testing and identification of vulnerabilities in web applications. OWASP ZAP is used as a proxy: we point our web browser at the ZAP proxy, and it forwards our traffic out to the victim server. This allows us to manipulate the traffic running through that proxy, even HTTPS sessions (ZAP generates its own certificates for each site, so you install its root CA in your browser first), so we can change session IDs, parameters, and other variables when conducting attacks against that web server. Second, we have Burp Suite. Burp Suite is another attack proxy, and it's used for interception, inspection, and modification of the raw traffic passing through it during automated testing, manual modification of requests, and passive analysis of web applications. Burp Suite is the most famous web proxy and one of the most commonly used by penetration testers. Burp Suite allows for the interception, inspection, and modification of the raw traffic passing through it, much like the ZAP proxy does. However, Burp Suite is heavily used by pen testers because we can modify all the different factors we previously mentioned, including things like session keys and passwords, hidden form fields, and other values, much more easily than we can using the OWASP ZAP tool. For this reason, pen testers really love Burp Suite.
Third, we have GoBuster. GoBuster is a brute force directory, file, and DNS identification tool that's used to identify unlisted resources in a web application. This is a text-based tool that comes installed by default inside of Kali Linux. To use it, you run the gobuster command with a mode (dir for directories and files, dns for subdomains, or vhost for virtual hosts), a target, and a word list. GoBuster essentially lets you scan a website or web application to identify any hidden directories, files, or subdomains that may exist. GoBuster is used heavily in the reconnaissance and enumeration phases of your attack, and it's one of those tools that helps you gather additional information about things that may be hiding in plain sight.
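The Ncat banner grab from the remote access lesson and the directory brute forcing of DirBuster and GoBuster are really the same raw HTTP request used two ways, so here is one added Python example covering both. It is not the code of Ncat, DirBuster, or GoBuster: it starts an in-process web server on loopback (constructed, with a fake Apache/2.2.2 (Fedora) banner and a few unlinked paths standing in for the victim), sends the hand-built GET / HTTP/1.0 request that the lesson types into ncat -C and reads back the status code and Server header, and then requests each word from a small list as both a file and a directory, keeping every response that isn't a 404, which is what gobuster dir -u URL -w WORDLIST reports.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed target standing in for the victim web server.
FAKE_SERVER_BANNER = "Apache/2.2.2 (Fedora)"
KNOWN_PATHS = {"/": 200, "/index.html": 200, "/admin/": 200,
               "/backup.zip": 200, "/secret/": 403}


class _Handler(BaseHTTPRequestHandler):
    def version_string(self):           # value of the Server: response header
        return FAKE_SERVER_BANNER

    def do_GET(self):
        self.send_response(KNOWN_PATHS.get(self.path, 404))
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b"<html>ok</html>")

    def log_message(self, *args):       # keep the demo quiet
        pass


def start_target():
    """Serve the fake site on a free loopback port and return that port."""
    httpd = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd.server_address[1]


def raw_get(host, port, path="/", timeout=3):
    """Hand-built HTTP/1.0 request over a plain socket, exactly what you type
    after `ncat -C host 80`. Returns (status_code, {header: value})."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        raw = b""
        while b"\r\n\r\n" not in raw:   # read until the blank line ending the headers
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, v in (ln.split(":", 1) for ln in lines if ":" in ln)}
    return int(status_line.split()[1]), headers


def banner_grab(host, port):
    """Status code plus the Server: header, the two facts read off the Ncat session."""
    status, headers = raw_get(host, port, "/")
    return {"status": status, "server": headers.get("server")}


def dir_bruteforce(host, port, wordlist,
                   interesting=(200, 204, 301, 302, 307, 401, 403)):
    """gobuster dir / DirBuster in miniature: try each word as a file and as a
    directory and keep anything the server does not answer with 404."""
    hits = {}
    for word in wordlist:
        for path in (f"/{word}", f"/{word}/"):
            status, _ = raw_get(host, port, path)
            if status in interesting:
                hits[path] = status
    return hits


if __name__ == "__main__":
    port = start_target()
    print(banner_grab("127.0.0.1", port))
    print(dir_bruteforce("127.0.0.1", port,
                         ["admin", "backup.zip", "images", "login", "secret"]))
```

Note that a 403 is still a hit: the resource exists, you just aren't allowed to read it yet, which is exactly the kind of "hiding in plain sight" finding the lesson is talking about.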
236. Cloud Tools (OBJ 5.3)
In this lesson, we are going to talk about cloud tools. Cloud tools are used to identify and exploit vulnerabilities in software as a service, platform as a service, and infrastructure as a service cloud-based offerings. This includes tools like ScoutSuite, CloudBrute, Pacu, and Cloud Custodian. ScoutSuite is the first one we're going to cover. ScoutSuite is an open-source tool written in Python that can be used to audit instances and policies created on multicloud platforms, such as AWS, Microsoft Azure, and Google Cloud, by collecting data through each provider's API calls. When you're thinking about a tool like ScoutSuite, remember that it is a suite of cloud auditing checks that can be used across multiple different clouds. A lot of the other tools we're going to talk about are focused on a single cloud, such as AWS, but with ScoutSuite you can work across most of the major cloud providers, including AWS, Microsoft Azure, and Google Cloud. Second, we have CloudBrute. CloudBrute is used to find a target's infrastructure, files, and apps across the top cloud service providers, including Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, and Linode.
Just like ScoutSuite, CloudBrute is one that can work across multiple clouds, and in fact it covers even more providers than ScoutSuite does. CloudBrute is a great tool for finding a lot of information across these multiple clouds, and it is used from the command line. If you want to use CloudBrute, you type in cloudbrute and then the type of search you want to do, whether it's based on a domain, a keyword, a word list, a particular cloud provider, or things like that. Note the difference from ScoutSuite: CloudBrute is unauthenticated and works from the outside, guessing resource names the way a directory brute forcer guesses paths, whereas ScoutSuite audits an account you already have credentials for. Third, we have Pacu. Pacu is an exploitation framework that's used to assess the security configuration of an Amazon Web Services, or AWS, account. It includes several different modules, so the team can attempt exploits against things like obtaining API keys and gaining control of different VM instances. Pacu focuses on the post-compromise phase of an assessment.
So, once your team has a set of AWS credentials, they can drill down into the account, escalate their privileges, launch additional attacks, and install backdoors. I like to think about Pacu as a tool that's used heavily in the attack and exploit phase of your engagement, similar to something like Metasploit, in that it's a framework of lots of different tools with lots of different exploits you can use. Fourth, we have Cloud Custodian. Cloud Custodian is an open-source cloud security, governance, and management tool designed to help administrators create policies based on different resource types.
Now, Cloud Custodian is a stateless rules engine that's used to manage AWS environments (it supports Azure and Google Cloud as well) by validating and enforcing the environment against a set of standards written as YAML policies, each of which names a resource type, filters for the condition you care about, and the action to take. Really, when you think about Cloud Custodian, I want you to remember the fact that this is about governance and policy inside of the AWS environment, and that's the main focus of using a tool like Cloud Custodian.