Book Review: The Basics of Hacking and Penetration Testing

A brief synopsis of Patrick Engebretson's book on ethical hacking and penetration testing made easy

Posted by Asa Hess-Matsumoto on Sunday, May 2, 2021

Preamble

This book proposes a potential framework for a burgeoning penetration tester to adopt when looking to perform their first attack. Engebretson suggests four steps: Reconnaissance, Scanning, Exploitation, and Maintaining Access. His book then goes into each of the steps, covering some potential tools and methods for performing them.

Now this book is by no means a one-stop shop for hacking (although arguably, no book can be expected to be). Engebretson is upfront in saying “this book is aimed at people who are new to the world of hacking and penetration testing, for those with little or no previous experience, for those who are frustrated by their inability to see the big picture…, or for those looking to expand their knowledge of offensive security”. That said, there are still plenty of interesting things covered.

Highlights & Takeaways

Reconnaissance

While it was nice to see a refresher on Google Dorks, the tool I thought was particularly interesting was MetaGooFil. MetaGooFil is a metadata extraction tool that scours the internet for documents that belong to a particular target and pulls the metadata out of them. I thought it was neat that there was an automated method for gathering that much information about a target.

Scanning

While I knew that nmap was capable of performing both TCP and UDP scans, it was nice to learn about Xmas and Null scans. In brief, these scans rely on behaviour the TCP RFC mandates (assuming that the target is RFC compliant) to tell open ports from closed ones. Note: Engebretson points out that Windows typically is not RFC compliant in this respect, but UNIX/Linux systems are.

In an Xmas scan, the attacker sends a packet with the FIN, PSH, and URG flags set to “on” and the SYN, ACK, and RST flags set to “off”. Per the RFC, if a target receives a packet with none of SYN, ACK, or RST set, a closed port responds with a RST packet of its own; conversely, an open port silently ignores the packet. This lets an attacker determine whether a port is open or closed without ever completing a 3-way handshake with the target.

In a null scan, the attacker sends a packet with no flags set to “on”. Just like with the Xmas scan, a closed port responds with a RST packet and an open port will ignore the packet.

These scans can help bypass simple filters and Access Control Lists that block inbound SYN packets.
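Since both probes are defined purely by which TCP flags are set, they are easy to recognise from the defender's side. The following is an added example (not code from the book) that classifies packets by their flag combination, models the RFC-mandated reply so the open/closed logic above is explicit, and reports any source that sends such probes to several distinct ports. The `Packet` type, the flag constants and the sample packet list are all constructed for this illustration.

```python
"""Added example: recognise Xmas and Null TCP probes in a packet feed.

Not code from the book; the packet records below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TCP header control bits (RFC 793 layout of the low six flag bits)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    src: str     # source IP of the packet
    dst: str     # destination IP
    dport: int   # destination TCP port
    flags: int   # bitwise OR of the flag constants above


def classify_probe(flags: int) -> Optional[str]:
    """Return 'xmas', 'null', or None for a packet that looks like ordinary TCP."""
    if flags == 0:
        return "null"                        # nothing set at all
    if flags & (SYN | ACK | RST):
        return None                          # handshake, data or reset: normal traffic
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "xmas"                        # FIN+PSH+URG with no SYN/ACK/RST
    return None                              # e.g. a lone FIN during a normal close


def rfc_response(port_open: bool, flags: int) -> Optional[str]:
    """Model the reply of an RFC-compliant host to a probe carrying no SYN/ACK/RST."""
    if flags & (SYN | ACK | RST):
        raise ValueError("not a stealth probe")
    return None if port_open else "RST"      # closed port answers RST, open port stays silent


def find_scanners(packets: List[Packet], min_ports: int = 3) -> Dict[Tuple[str, str], List[int]]:
    """Report (source, probe kind) pairs that touched at least `min_ports` distinct ports."""
    seen: Dict[Tuple[str, str], set] = {}
    for p in packets:
        kind = classify_probe(p.flags)
        if kind is None:
            continue
        seen.setdefault((p.src, kind), set()).add(p.dport)
    return {key: sorted(ports) for key, ports in seen.items() if len(ports) >= min_ports}


# Constructed sample: one host probing several ports, one host talking normally
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.20", 22, FIN | PSH | URG),
    Packet("10.0.0.5", "10.0.0.20", 80, FIN | PSH | URG),
    Packet("10.0.0.5", "10.0.0.20", 443, FIN | PSH | URG),
    Packet("10.0.0.5", "10.0.0.20", 8080, FIN | PSH | URG),
    Packet("10.0.0.5", "10.0.0.20", 22, 0),
    Packet("10.0.0.5", "10.0.0.20", 25, 0),
    Packet("10.0.0.9", "10.0.0.20", 80, SYN),
    Packet("10.0.0.9", "10.0.0.20", 80, PSH | ACK),
    Packet("10.0.0.9", "10.0.0.20", 80, FIN | ACK),
    Packet("10.0.0.9", "10.0.0.20", 80, FIN),
]

if __name__ == "__main__":
    for key, ports in find_scanners(SAMPLE).items():
        print(f"{key[0]} sent {key[1]} probes to ports {ports}")
```

The lone-FIN case is deliberately left unflagged: a FIN without ACK is odd but is a separate probe type, and folding it in would generate noise from sloppy TCP stacks. The `min_ports` threshold is what keeps a single stray packet from raising an alert.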

Exploitation

One interesting thing that was mentioned was how various security measures can be bypassed on a Windows OS if the attacker has physical access to the machine. Engebretson first brings up the example of dumping password hashes from the SAM file. The SAM file is locked when the OS boots; while the OS is running, an attacker shouldn’t be able to open or copy it. Additionally, the SAM file is encrypted. If an attacker were to boot the physical machine into an alternate OS, they would bypass the Windows SAM lock (the OS never starts, therefore the lock never engages). Once the alternate OS is loaded, the attacker just needs to mount the local hard drive and navigate to Windows/system32/config in order to dump the hashes with samdump2. Because the alternate OS was - presumably - booted from portable media (such as USB or CD), no files we generate will be persistent (everything will be gone when we reboot).

Another option available is actually resetting the passwords altogether; rather than using samdump2 to dump password hashes for offline cracking, the attacker can use the chntpw tool to overwrite existing passwords.

There was also an interesting note on compromising switches; the primary advantage of using a switch (as opposed to a hub) is that traffic from one networked endpoint is forwarded directly to its intended destination, rather than being broadcast to every host on the network. The switch does this by learning the MAC addresses of connected clients. However, if an attacker overloads the switch with too many MAC addresses, the switch may either “fail open” or “fail closed”. A switch that “fails open” can no longer determine which port a MAC address lives on and therefore broadcasts the traffic to all ports (like a hub). A switch that “fails closed” stops forwarding traffic altogether (creating a Denial of Service condition). If we get a “fail open” condition, we can listen to traffic being passed over the wire. To support the MAC address overload, we can use the macof tool.
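To make the fail-open / fail-closed distinction concrete, here is an added example (not code from the book or from macof) with a toy switch whose MAC table has a fixed capacity. It shows why, once the table is full, a switch that fails open ends up flooding a server's reply out of every port, including the one the bogus addresses came from, while a switch that fails closed simply stops forwarding. It also includes the check a defender would run on the same data: counting distinct source MACs per port, which is what port-security limits on real switches enforce. The `Switch` class, the port numbers and all MAC addresses are constructed for this illustration.

```python
"""Added example: a toy learning switch that fails open or closed when its MAC table
is full, plus a port-security style detector for too many source MACs on one port.

Not code from the book or from macof; all addresses below are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Tuple


class Switch:
    def __init__(self, ports: List[int], capacity: int, fail_mode: str = "open"):
        self.ports = list(ports)
        self.capacity = capacity            # size of the MAC -> port table
        self.fail_mode = fail_mode          # "open" = flood when full, "closed" = drop when full
        self.table: Dict[str, int] = {}     # learned source MAC -> ingress port
        self.seen: List[Tuple[int, str]] = []   # (ingress port, source MAC) of every frame

    def _learn(self, mac: str, port: int) -> None:
        # A known MAC is refreshed; a new one only fits while there is room.
        if mac in self.table or len(self.table) < self.capacity:
            self.table[mac] = port

    def forward(self, ingress: int, src: str, dst: str) -> List[int]:
        """Return the list of ports the frame is sent out of."""
        self.seen.append((ingress, src))
        self._learn(src, ingress)
        if self.fail_mode == "closed" and len(self.table) >= self.capacity:
            return []                       # fail closed: nothing is forwarded any more
        if dst in self.table:
            return [self.table[dst]]        # known destination: unicast, as designed
        return [p for p in self.ports if p != ingress]   # unknown destination: flood


def flag_flooded_ports(seen: List[Tuple[int, str]], max_macs: int) -> Dict[int, int]:
    """Ports whose distinct source-MAC count exceeds max_macs, with that count."""
    macs = defaultdict(set)
    for port, mac in seen:
        macs[port].add(mac)
    return {port: len(m) for port, m in macs.items() if len(m) > max_macs}


def flood_from_port(sw: Switch, port: int, count: int) -> None:
    """Send frames with `count` different bogus source MACs into one port."""
    for i in range(count):
        sw.forward(port, f"02:00:00:00:00:{i:02x}", "srv")


def demo_fail_open() -> Tuple[List[int], List[int], Dict[int, int]]:
    sw = Switch(ports=[1, 2, 3, 4], capacity=4, fail_mode="open")
    sw.forward(2, "srv", "ff:ff:ff:ff:ff:ff")   # server on port 2 gets learned
    flood_from_port(sw, 1, 10)                  # port 1 fills the table with bogus MACs
    to_server = sw.forward(4, "host", "srv")    # new host on port 4 can no longer be learned
    reply = sw.forward(2, "srv", "host")        # so the server's reply is flooded everywhere
    return to_server, reply, flag_flooded_ports(sw.seen, max_macs=2)


def demo_fail_closed() -> List[int]:
    sw = Switch(ports=[1, 2, 3, 4], capacity=4, fail_mode="closed")
    sw.forward(2, "srv", "ff:ff:ff:ff:ff:ff")
    flood_from_port(sw, 1, 10)
    return sw.forward(4, "host", "srv")         # nothing gets through: a DoS condition


if __name__ == "__main__":
    to_server, reply, flagged = demo_fail_open()
    print("host -> srv went to ports", to_server)
    print("srv -> host went to ports", reply, "(port 1 sees it)")
    print("ports over the MAC limit:", flagged)
    print("fail-closed switch delivers to", demo_fail_closed())
```

The detector only needs the (port, source MAC) pairs the switch already sees, which is why the same data drives both the simulation and the check; on real hardware the equivalent is a per-port limit on learned addresses that shuts or alerts on the port rather than letting the table fill.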

Maintaining Access

I’ve used netcat before to get a shell on a target. However, one of my frustrations with it has always been that terminating the shell always closes the listening port. This book showed me that - for Windows - there is an option for making the listener persistent (-L).

Finally, the biggest takeaway that Engebretson showed me was the use of rootkits. Rootkits give an attacker the ability to hide files, processes, and programs as if they were never installed on the target. They are often able to avoid detection because they operate at such a low level (inside the kernel). As post-exploitation malware, rootkits are a phenomenal (and dangerous) way of achieving persistence.