237. Steganography Tools (OBJ 5.3)
In this lesson, we’re going to talk about steganography tools. Now, steganography tools are going to be used to hide and conceal information, communication and activity in plain sight. Now remember, steganography is not a form of encryption, but it is a way of hiding data inside of plain sight, such as putting it as extra bits inside of a file that you only can see if you actually know where to look. When I talk about steganography tools, this includes tools like OpenStego, Steghide, Snow, Coagula, Sonic Visualizer, TinEye, Metagoofil and online SSL checkers. Now, the first one we have is known as OpenStego. OpenStego is a free steganography solution, that’s used to conduct data hiding within a file and watermarking of files with invisible signatures, to detect unauthorized file copying. You can use this graphical user-based program to hide data inside of other files. For instance, you could see here, there is the message file and there is the cover file, and then there’s the output file.
The message file would be the secret message you want to hide, the cover file is the file you want to hide it inside of, and the output file is what ends up coming at the end. Now, in this particular tool of OpenStego, they do have the ability for you to encrypt the contents as it’s being put into the file. But remember, steganography by itself is not encryption, there is a distinction between the two. This tool happens to provide both steganography and encryption of the data that’s being hidden. Second, we have Steghide. Steghide is an open-source steganography tool that’s used to conceal a payload by compressing, concealing and encrypting it’s data, in an image or audio file. Steghide again, uses a graphical user interface to make this really easy for you. You simply click on the embed tab, you put in the cover file, the embed file, which is the thing you want to hide, and then you create an output file. If you’d like to, you can also use encryption as shown in the bottom of the screen. The other person who wants to get the information from you, would then take your file, load it back into Steghide, and go to the extract tab where they would put in the information and be able to pull that file back out. Third, we have Snow. Snow is a command-line steganography tool, that conceals a payload within the white space of an ASKII formatted text file in plain text, or, again, in encrypted format. Now, when you’re using a tool like Snow, you’re going to be able to go and conceal your messages in a text file. Really, the big difference between these different steganography tools is where are you hiding the data? Are you hiding it inside of a text file like Snow? Are you doing it inside of an image or audio file, like OpenStego? Or are you using some other form of hiding inside these files? And this brings us to our fourth option, which is Coagula. Now, Coagula is an image synthesizer tool that can be used to create a sound file from a given image. So if I have a picture that I want to hide, I can actually put it through this tool and it will then create an audio file. If I sent you that audio file, it would just sound like noise. But if you loaded it up into a tool that has a visual spectrum analyzer, you’d be able to see what that image contained. In this example, you can see that the music file, that WAV file that was loaded, now contains the image inside of it’s spectrum output, and the image contain the word Wikipedia.
This allows you to simply create an image file with a secret password or phrase or text, and then you could put it through Coagula and it will create that WAV file for you that would actually play on an audio player. But unless you look at it using a visualization tool, you’ll never see that secret word, which again is why it’s steganography and hiding in plain sight. Fifth, we have Sonic Visualizer. Now, Sonic visualizer is an open-source application for viewing and analyzing the contents of music audio files. So where you could use something like Coagula to hide your data inside the WAV file, you can use a tool like Sonic Visualizer to read that data back out of that WAV file. For example, here on the screen, you can see I’m using Sonic Visualizer to pull out the word, in this case, steganography, that was hidden inside of an audio WAV file. Sixth, we have TinEye. TinEye is a website that can be used to conduct reverse image searches using image recognition. Let me give you an example of this. Let’s say for instance you wanted to take a picture and find out where all the places that picture has been. Well, you can do that using a reverse image search. For example, if I took my picture that I use on my website, I can go and use a reverse image search and see every place that is using that same image on the internet. Now notice, you’re seeing not just the exact image, but things that are fairly close.
As you can see, it’s my standard posing image with my logo, Dion Training, that I searched for up top and it found 22 results, and many of them have a different format, but it’s still me in that particular position. And this is common, because I use that same picture as the base of all of my course images, and that’s where it’s finding it across the internet. This same tool can be used during your reconnaissance, or if you’re trying to determine where a particular file came from that contained a hidden message using steganography. For example, maybe I found a picture, and inside of that had some secret information that was leaving our network. Well, I can use a reverse image search to see where did that picture get posted. It may have been posted on one of our employees Facebook accounts, in which case that employee may now become a suspect of trying to exfiltrate our data out of our system, using that steganography technique. Seventh, we have Metagoofil. Metagoofil is a Python-based tool that can search for metadata from public documents located on a target’s website. Now, why is Metagoofil being listed here as part of steganography? Well, it’s being listed here, because metadata is a form of steganography, it’s data about the file that is contained in the file, and you can’t see it unless you know where to look, such as in the information or properties of that particular file. And so, a lot of times people will hide data inside of the metadata. And Metagoofil is a great tool to use during your reconnaissance phase, to gather lots of good information about the systems and networks and people inside of the metadata of publicly posted files. Things like PDFs, PowerPoints, Excel spreadsheets, Word documents and more, that might be on your target organization’s website. Eighth, we have the online SSL checkers. Now, an online SSL checker is a web application that can be used to test the validity, strength and security of an SSL or TLS digital certificate for a given web server.
Now, I don’t know why CompTIA puts this inside the steganography tool section, I really don’t. To me, this fits better in miscellaneous, but that’s where it’s listed on the objectives, so I’m covering it in this lesson. Now, when I talk about an online SSL checker, that would be something like the website SSL Labs. If you go to SSL Labs and type in the domain name like diontraining.com, it will come back with a report, telling you exactly what cipher suites are supported and which ones are preferred. In the case of our website, you can see the ones on top that are in green, are the ones that our server prefers, but we will allow you to downgrade to the lower, less secure versions that are considered weak in orange, if you’d like to use those when you connect to our site. We will not allow you to go all the way down to something like SSL, because SSL is too weak and we don’t want to allow that on our site. But we would allow something like TLS using RSA with AES 128 with a GCM SHA256 hash. Even though this is considered weak, it’s strong enough for the purposes in our website, because we’re not taking any sensitive information on the main diontraining.com domain, and instead we push you to a more secure server when we do the checkout process and people are buying things from us. Again, that being said, I have no idea why CompTIA decided to list this under the steganography tools, because it’s an encryption thing and not a steganography thing. But maybe they were thinking, “Steganography and encryption go hand in hand, “so we’ll put them together.” But really, it should be in the miscellaneous section.
238. Debugging (OBJ 5.3)
In this lesson, we’re going to cover debugging tools. Now, debugging tools are used to decompile executables and observe their behavior. When we’re talking about debugging tools, this is things like OllyDbg, Immunity Debugger, GDB, WinDbg, IDA, Covenant and SearchSploit. First, we have OllyDbg, OllyDbg is a Linux debugger that can be used to analyze binary code found in 32-bit windows applications. OllyDbg is useful for taking binary code and analyzing it, if we don’t have access to the source code. That is we can take it from the ones and zeros back down into something that looks like assembly language, so that we can read it and understand it. This is useful for reverse engineering malware as well as trying to develop custom exploits based on some binaries that we may find in the wild. Second, we have the Immunity Debugger, Immunity Debugger is a debugger built specifically for penetration testers to write exploits, analyze malware and reverse engineer binary files using Python scripts and APIs. The main difference between the Immunity Debugger and OllyDbg, is that the Immunity Debugger also supports a Python API plugin that allows us to execute Python code from within this debugger. And that allows penetration testers to work quicker.
If you’re a penetration tester who does a lot of custom coding you’re are really going to love using the Immunity Debugger. Third, we have GDB or the GNU Debugger. This is an open-source cross-platform debugger for Unix, Windows, and MacOS. Now GDB or the GNU Debugger supports Ada, C, C++, Objective-C, Pascal, Fortran, Go, Java and many other programming languages. However, because it is a text-based program that works inside the Linux console. It’s not incredibly user friendly even though supports so many languages and therefore most penetration testers prefer to use other debuggers like the Immunity Debugger instead. Fourth, we have WinDbg. Now WinDbg is a free debugging tool that’s distributed by Microsoft for use in the Windows operating system. Now, WinDbg or Windows Debugger can be used to debug kernel-mode and user-mode code, analyze crash dumps and examine the CPU registers, while the code is executing on a Windows machine. Fifth, we have IDA the Interactive Disassembler. Now IDA is a commercial disassembler and debugging tool that generates assembly language source code from machine-executable code. IDA is a really powerful tool and it can generate assembly language code from the executable file, just like a lot of the other debuggers can.
But it also has a nice graphical user interface that can be used to actually map out the program and which function calls go to which place, in order for you to better understand them. IDA can also read executables from multiple different operating systems, even though IDA itself is used inside of a Windows environment. For these reasons, a lot of people in the industry really love IDA. If you’re going to be going into custom exploit making, Immunity Debugger is probably better for that purpose, but if you’re going to be tearing apart malware to better understand how it works, there is really nothing like IDA. It’s awesome and it’s truly powerful. Sixth, we have Covenant. Covenant is an open-source .NET framework with a focus on penetration testing that also has a development and debugging component. Now, this is another one where I kind of question where CompTIA put this. Covenant is really a .NET command and control framework, that’s written in C#. And it aims to highlight the attack surface of .NET code and to make the use of offensive .NET tradecraft even easier for penetration testers. Covenant is going to be used to serve as a collaborative command and control platform for red teamers. And it is an ASP.NET Core, cross-platform application that includes web-based interfaces that allow for multiple user collaboration. All of that said it does have a debugger built into it but it really has a lot more capabilities than that. The debugger is just one small piece of Covenant. Really, Covenant is more of a miscellaneous tool that would fit better as an exploitation framework. Now, that said CompTIA does listed under debuggers. So that’s what you should know for the exam and consider Covenant to be a debugger.
Seventh, our final tool we’re going to talk about in debuggers, it’s SearchSploit and this is another one where it doesn’t quite cleanly fit into the category. SearchSploit is a tool used to find exploits that are available in the Exploit Database. So you may be wondering if this is a research tool, why is it showing up under debuggers? Well, we’re covering SearchSploits in this lesson because CompTIA lesson under the debugger section of the tools in the objectives. And because we often use SearchSploit while we’re reading different malware in a debugger, so that we can understand what a particular piece of exploit code might actually be doing for that particular piece of malware. So I could see it from that perspective, where we use this hand in hand with debuggers but it itself is not a debugger tool. Instead it is a tool that’s used to research exploit code in the central database. By having a SearchSploit installed on your system though, you can download a copy of that database locally so you can work offline when you’re doing your debugging and be able to have access to that research database.
239. Miscellaneous Tools (OBJ 5.3)
In this lesson, we’re going to talk about miscellaneous tools. Now, miscellaneous tools are those tools that don’t fit well into any one of the other categories. For example, this includes tools like SearchSploit, PowerSploit, Responder, Impacket Tools, Empire, MetaSploit, mitm6, CrackMapExec, TruffleHog and Censys. First, we’re going to talk about SearchSploit. SearchSploit is a tool used to find exploits available in the Exploit database. Now you might be wondering why should I use SearchSploit when I can just go into the Exploit databases website? Well, really the main benefit of using SearchSploit is that you can carry an offline copy of the entire database with you. So you can do offline searches through a local repository on your Kali Linux machine while you’re on the go during an engagement. This is really the main benefit of using a tool like SearchSploit locally as opposed to going directly to the database. Second, we have PowerSploit. Now PowerSploit is a collection of PowerShell modules that create an extensive exploitation framework for use against Windows systems. PowerSploit is considered a post-exploitation framework.
So if we attack from our Kali machine and we break into a Windows system they’re going to have PowerShell installed and possibly even enabled. Using PowerSploit, we can now use these scripts to further exploit that machine gathering information like other usernames on the system, other machines on the network, and other access to domain controllers and things like that. Using PowerSploit is a great way to use scripts that use the native PowerShell capability and therefore live off the land. Third, we have Responder. Responder is a command-line tool in Kali Linux that’s used to poison NetBIOS, LLMNR, and MDNS name resolution requests.
If we’ve broken into a Windows network for example, it’s going to be using LLMNR, NetBIOS or the DNS server locally for name resolution inside of the network. Responder is a poisoner for these protocols. It can listen up for when people call out for a certain machine like the active directory server and then poison that DNS call or that name server call. And when this happens, instead of going to the DNS server or the active directory server, they’re now going to come to us instead. This us to conduct an on path attack and enables us to perform other attacks and exploits against those victims. Fourth, we have Impacket Tools.
Impacket Tools are an open-source collection of Python classes for working with network protocols and the exploitation of Windows systems. When you use Impacket Tools, you’re going to be able to do things like remote execution, attacking Kerberos, finding Windows secrets, conducting Men in The Middle attacks or on path attacks, interacting with WMI or taking advantage of SMB and MSRPC protocols.
Now, if you’re trying to create your own exploits inside of Python, Impacket it is a really useful tool inside your collection because it focuses on the very low level program access to the different functions and services that are used by the network that you’re going to need to call as you’re using your different tools. And so that’s really where Impacket shines. It’s this collection of tools that you can use in conjunction with custom made tools that you’re going to build yourself on top of it. Fifth, we have Empire. Empire is a C2 framework that uses PowerShell for common post-exploitation tasks on Windows systems, and it uses Python for post-exploitation tasks on Linux systems.
Now Empire is a post-exploitation framework and it allows us to take advantage of the fact that once we’ve broken into an initial machine, we can then use Python or PowerShell scripts to do further damage, start spreading ourself across the network, create persistence and move laterally. In Empire version 2.4, for example, there are 282 different modules or types of attacks that will we can use as well as having listeners, agents, and other things that can be run to a connected machine and have it call back to us so we can then exploit it further. Another common post-exploitation tool is known as MetaSploit. MetaSploit is a multipurpose computer security and penetration testing framework that uses modularized attacks against known software vulnerabilities to exploit systems. Now the MetaSploit framework is one tool that you will most often use in your engagements.
This open source framework provides scanners, payloads, exploits, reverse shells, and all sorts of other wonderful and nasty tools at our disposal. In fact, there are over 1700 exploits currently loaded in today’s MetaSploit framework. In addition to 986 auxiliaries, which includes scanners, enumeration tools, and fingerprinting tools. There’s even 300 post-exploitation tools and 507 different payloads that we can use once we’ve exploited the machines. Now, although you’re not going to be asked in detail about how to use the MetaSploit framework for the exam you should really spend some time getting familiar with the framework and how to use it, if you’re going to be a good penetration tester. By the end of this class, you won’t be an expert in using the MetaSploit framework, but you should have spent at least a little time in our demonstrations to introduce you to some of the basic functionality so you could speak intelligently about it. I definitely recommend that you take a course dedicated to the use of the MetaSploit framework to learn all the ins and outs of this powerful penetration testing tool if you want be a penetration tester in the real world. Seventh, mitm6.
Mitm6 stands for Man in The Middle version six, but in the CompTIA exam we refer to Man in The Middle attacks as an on path attack. Now, mitm6 is an IPv6 DNS hijacking tool that attempts to set the malicious actor as the DNS server by replying to the DHCPv6 messages and then redirecting the victim to another malicious host. Now mitm6 is a open testing tool that’s going to allow us to exploit the default configuration of Windows systems to take over the default DNS server. It does this by replying to DHCPv6 messages and provides victims with a link local IPv6 address and setting up the attacker’s host as the default DNS server. As the DNS server, mitm6 is going to selectively reply to DNS queries of the attacker’s choosing, and then redirect the victim’s traffic to the attacker’s machine instead of over to the legitimate server. This is really taking over the part of an path attack and allowing us to be in the middle of the communication and send data where we want it to go. Eighth, we have CrackMapExec. CrackMapExec is a post-exploitation tool that’s used to identify vulnerabilities in active directory environments.
CrackMapExec is a post-exploitation tool that helps automate assessing the security of large active directory networks. It’s built with stealth in mind and it allows us to follow the concepts of Living off the Land by abusing the built-in active directory features and protocols to achieve the functionality that we want and allowing us to evade most endpoint detection or endpoint protection devices like IPSs and IDSs. Now this tool was designed for use by penetration testers during their offensive red teaming engagements but many blue teamers also like to use this tool to assess account privileges, find possible misconfigurations and simulate attack scenarios. Ninth, we have TruffleHog. TruffleHog is a Git secret search tool that automatically crawls through a repository, looking for accidental commits of secrets to the Git repository. Now, TruffleHog is going to be used to run behind the scenes and scan the environment for secrets like private keys and credentials the organization may have accidentally left in their code or repositories.
TruffleHog works by going through the entire commit history of each and every branch and checking each diff from each commit and then checking for secrets using both regex and entropy checks. TruffleHog is then run automatically in the background and it will send notifications to you using tools like Slack if it finds something interesting that you need to look at. Tenth we have Censys. Censys is a website search engine that’s used for finding hosts and networks across the internet with data about their configuration. Censys is an attack surface analysis tool that work similar to Shodan in that it tries to find exposed systems that are online, the services running on those systems, the ports that are open on those systems, and any vulnerable software versions that may exist on those systems.
Now, when you’re dealing with Censys, it’s really a web-based search platform for assessing attack surfaces for internet connected devices. This tool can be used to not only identify internet connected assets and the internet of Things or industrial internet of Things but also internet connected industrial control systems and platforms. Censys connects its data sets and comprehensive certificate database to different cloud providers. And it uses this to uncover hidden links between different assets, surface unknown assets and risks and provide comprehensive inventories of things it sees online. Threat analyst teams can then buy this as a service feed into their organization and use it as part of their threat intelligence and threat management.
