SECURITY 561
Immersive Hands-On Hacking Techniques
The right security training for your staff, at the right time, in the right location.

Copyright © 2015, The SANS Institute. All rights reserved. The entire contents of this publication are the property of the SANS Institute.

IMPORTANT-READ CAREFULLY: This Courseware License Agreement ("CLA") is a legal agreement between you (either an individual or a single entity; henceforth User) and the SANS Institute for the personal, non-transferable use of this courseware. User agrees that the CLA is the complete and exclusive statement of agreement between The SANS Institute and you and that this CLA supersedes any oral or written proposal, agreement or other communication relating to the subject matter of this CLA. If any provision of this CLA is declared unenforceable in any jurisdiction, then such provision shall be deemed to be severable from this CLA and shall not affect the remainder thereof. An amendment or addendum to this CLA may accompany this courseware.

BY ACCEPTING THIS COURSEWARE YOU AGREE TO BE BOUND BY THE TERMS OF THIS CLA. IF YOU DO NOT AGREE YOU MAY RETURN IT TO THE SANS INSTITUTE FOR A FULL REFUND, IF APPLICABLE.

The SANS Institute hereby grants User a non-exclusive license to use the material contained in this courseware subject to the terms of this agreement. User may not copy, reproduce, re-publish, distribute, display, modify or create derivative works based upon all or any portion of this publication in any medium whether printed, electronic or otherwise, for any purpose without the express written consent of the SANS Institute. Additionally, user may not sell, rent, lease, trade, or otherwise transfer the courseware in any way, shape, or form without the express written consent of the SANS Institute. The SANS Institute reserves the right to terminate the above lease at any time. Upon termination of the lease, user is obligated to return all materials covered by the lease within a reasonable amount of time.
SANS acknowledges that any and all software and/or tools presented in this courseware are the sole property of their respective trademark/registered/copyright owners. AirDrop, AirPort, AirPort Time Capsule, Apple, Apple Remote Desktop, Apple TV, App Nap, Back to My Mac, Boot Camp, Cocoa, FaceTime, FileVault, Finder, FireWire, FireWire logo, iCal, iChat, iLife, iMac, iMessage, iPad, iPad Air, iPad Mini, iPhone, iPhoto, iPod, iPod classic, iPod shuffle, iPod nano, iPod touch, iTunes, iTunes logo, iWork, Keychain, Keynote, Mac, Mac logo, MacBook, MacBook Air, MacBook Pro, Macintosh, Mac OS, Mac Pro, Numbers, OS X, Pages, Passbook, Retina, Safari, Siri, Spaces, Spotlight, There's an app for that, Time Capsule, Time Machine, Touch ID, Xcode, Xserve, App Store, and iCloud are registered trademarks of Apple Inc.

SEC561_A10.01 Immersive Hands-on Hacking Techniques
SANS Security 561
© 2015 Counter Hack, All Rights Reserved

Welcome to SANS Security SEC561 Hands-on Security Practitioner. In this course you will build skills in the security analysis of modern, multi-tiered computing environments including Linux and Windows hosts, network assessment and penetration testing, web application vulnerability analysis, mobile device penetration testing and advanced penetration testing techniques. With a minimal amount of lecture and extensive hands-on practice in a network environment designed to resemble today's modern, complex networks, the Hands-on Security Practitioner course will help you develop and retain important skills needed to be an effective information security analyst in your organization.

Throughout the course, please share your thoughts and ask questions. In the interest of time, the instructor reserves the right to take a conversation offline during the class. As the course lead, I welcome any comments, questions or suggestions pertaining to the course material. Joshua Wright, Counter Hack.
This course would not have been possible without the tremendous contributions and expertise of the following security experts: Ed Skoudis, Katherine Webb Cahoon, ithe Wako, yan Sehiano, Tim Medin, Tom Hessman, Yori Kvitchko, te Marsal, ay Davison.

SEC561: Hands-on Course
* Extensive hands-on course content
- Based on your feedback: hands-on is the most enjoyable way to learn, and the best way to retain new skills
* Each section starts with a short "skills you need to know" module
- Followed immediately by hands-on missions
- Supported by your instructor, TAs, and our hint system!

The SEC561 Hands-on Security Practitioner course is designed to meet the request we hear from many students: more hands-on. Based on your feedback, and our own experience teaching complex technical skills, we know that hands-on exercises are the best way to retain skills and the most enjoyable way to learn. This course reflects the feedback we've received and spends the vast majority of the day in hands-on exercises, in each of the course sessions in the morning and the afternoon. Each section starts with a short "skills you need to know" module using traditional lecture and demonstration to help students build skills. Immediately following each module, participants start hands-on missions to reinforce the module content, and to develop more sophisticated and valuable skills than can be achieved through lecture alone. In the design of this course, we aim for 20% lecture time and 80% hands-on time.
Depending on your instructor and the questions asked during the lecture, the actual split between lecture and hands-on time may be somewhat more or less than this. During the hands-on exercises, students are supported through the exercise descriptions in the course book, the instructor, teaching assistants, and our scoring server hint system.

NetWars Platform
* Throughout the course we'll use the NetWars platform for questions and support
- Designed by the Counter Hack team
* Questions will challenge you, and guide you to the answer
* Each question is given a point value, 1-15
- Points are used to show you that you have made progress
- Not competitive until day 6
* No point loss for 1 incorrect answer
- You lose 1 point for each additional incorrect answer, up to 3 points total

Throughout the course we'll use the NetWars platform to guide and support you through the lab exercises. NetWars is designed and written by the Counter Hack team, creating a fun and exciting learning environment for technical content.

The NetWars platform is designed to guide you through the learning process by asking you to solve problems, guiding you to the answer with hints of varying size, matched to your own skill level. Each question you'll see from the NetWars server is designed to challenge you in a different way, consistently building valuable skills to make you a more effective information security analyst.

All questions delivered by the NetWars platform are given a point value. Your points will accumulate throughout the course to demonstrate your progress to yourself. Days 1-5 are not competitive: you can work with peers or colleagues collaboratively, and other participants will not know your score. Only on day 6 will the NetWars server display a score for competitive interaction in the class.

Depending on the complexity of the question, the question will have a point value between 1 and 15 points. If you answer a question incorrectly once, you do not lose any points, but continuing to answer incorrectly will subtract one point for each incorrect answer, up to 3 points. After losing three points you won't lose any additional points, but don't take that as an invitation to guess at answers! Ask for assistance if you are still stuck on a problem.
Optionally, you can receive a scorecard to document your progress throughout the course that can be shared with your employer or kept for your own records.

NetWars Sample Questions

After logging in to the NetWars server, you will have access to the questions relating to each section of the course. As you answer questions correctly, other levels containing more difficult questions will also become available.

Questions delivered by the NetWars server are in the form of multiple-choice or flag entry. On the left of this page is a sample question asking you to identify the version of the Apache Coyote connector on the Tomcat server. Simply choose the correct answer and click "Submit Answers" to see if the answer is correct. On the right of this page is a flag question, where you are asked to evaluate the robots exclusion resource on the server. After identifying the server directory in the robots exclusion resource that does not exist, enter the value in the supplied text box and select the "Convert to SHA1" link. The text value will be replaced with a SHA1 hash value; clicking "Submit Answers" will submit the flag to the server to see if the answer is correct. Optionally, you can calculate the SHA1 hash yourself. Some questions may include a SHA1 flag as the answer; when the SHA1 flag is supplied as the answer, it should not be SHA1 hashed again.

Building Hands-on Skills
* Throughout the course, you will build skills in four ways:
- Instructor-led lecture at the beginning of each module
- Hands-on exercises making up the majority of each module's content
- Classroom assistance with an instructor or TA
- Hints available in the scoring server
* Hints are a valuable self-guided instruction tool
* You are encouraged to take hints where needed
- No loss of points for taking hints!

Throughout the SEC561 course, you will build skills in four distinct ways:
* Instructor-led lecture: The morning and afternoon of each day will start with a short lecture describing the tools and techniques needed for the day's mission.
* Hands-on exercises: The majority of each module of content will be delivered through hands-on exercises using the NetWars engine for question and answer validation.
* Classroom assistance: You are encouraged to ask questions anytime throughout the course, whether during the lecture or the hands-on exercise portion of the module. You can receive expert assistance from the instructor or teaching assistants (TAs) in large classes.
* Scoring server hints: Each question in the scoring server also has hints available to guide you in your work.

The hints available through the scoring server are a significant portion of the SEC561 course material, implemented to be used as a self-guided instruction tool. Participants with extensive experience in the topics being discussed may choose to challenge themselves by answering questions without the use of hints. Participants who are new to the topics will leverage the hints much more extensively, incrementally building skills with assistance from hints (or the instructor and TAs). Participants should not hesitate to use the hint system throughout the course. Early hints provide a little bit of assistance; later hints will give you all the steps necessary to find the answer to the problem you are trying to solve. Note that the hint system does not affect your score.

Using Hints
* Questions are designed to challenge you and help you learn the course material
* Use hints to help you on your path to building your skills!
* Correct answers reveal all the hints for your review.
The sample question seen on the previous page is expanded on this page after clicking the "Request Hint" link twice, revealing two hints. The first hint provides a little additional information to use in solving the question; the second continues to expand on the first hint to provide additional information. Throughout the course, use the hint system to help you on your path to building new skills. Note that, after answering a question successfully, all hints will be revealed, so you can evaluate your approach against the steps we expected you to take.

Course Outline
* 561.1: Security Platform Analysis
* 561.2: Enterprise Security Assessment
* 561.3: Web Application Assessment
* 561.4: Mobile Device and Application Analysis
* 561.5: Advanced Penetration Testing
* 561.6: Capture the Flag Challenge

Day 1: Security Platform Analysis
Day 1 starts with essential techniques to evaluate Linux and Windows systems, providing the security practitioner with the ability to identify weaknesses that could be used to manipulate or exploit the system.

Day 2: Enterprise Security Assessment
Day 2 starts with a look at network enumeration, scanning and assessment techniques, followed by host compromise through exploitation, password guessing, and other common attack techniques.

Day 3: Web Application Assessment
Day 3 starts with a look at the fundamental skills for the analysis of web applications, followed quickly by exploitation and manipulation opportunities, concluding with advanced techniques for web application logic.

Day 4: Mobile Device and Application Analysis
Day 4 focuses on the attack and exploitation of mobile devices and mobile device data, looking at common application vulnerabilities, mobile device backup data harvesting, post-exploitation data gathering, and mobile device cryptographic exploitation techniques.
Day 5: Advanced Penetration Testing
On day 5 we'll examine advanced topics in penetration testing including complex compromise pivoting techniques, exploitation of cryptographic vulnerabilities and effective client-side exploitation techniques.

Day 6: Capture the Flag Challenge
Day 6 concludes with a hands-on CTF challenge, applying all the skills you've learned in a friendly, competitive environment.

System Requirements
* Laptop with Windows 7/8.1; OS X with a Windows guest is OK
* VMware for virtual machine access
* 2 GB RAM minimum, 20 GB disk space, Ethernet interface, DVD drive
* Course materials include a customized version of Ubuntu Workstation
- You will use a combination of Linux and Windows for exercises
Start copying the lab files to your hard drive now!

To complete the course exercises, you need to have a laptop that meets the requirements listed on the SANS website for SEC561. These laptop requirements are also emailed to you after signing up for the class.

You'll need a current laptop that can run Windows Vista, Windows 7, or Windows 8 for many of the course exercises. You'll also need administrative access to the system. Mac users will be able to use Apple hardware as long as a Windows virtual machine is available.

We'll use a combination of both Windows and Linux in this class. The Linux platform we use will require an installed copy of VMware on your host. We'll supply the Linux virtual machine, but VMware's licensing prevents us from giving VMware to students. If you do not already have a copy of VMware Workstation, VMware Fusion or VMware Player installed on your system, you can download a free copy of VMware Player from www.vmware.com.

Your laptop must meet a set of minimum hardware requirements for the exercises. Your system needs to have at least 2 GB of RAM (4 GB is better), at least 20 GB of free disk space, an Ethernet interface and a DVD drive.

Throughout this course, your role will be that of an information technology security specialist managing multiple responsibilities. You work for PseudoVision, a gaming company, supporting the networking and IT staff with the duties of network analysis, hardening, auditing and security assessment of corporate resources.
Included in your list of responsibilities is the regular security assessment and penetration testing of server and network assets.

Your Position at GenuSight
* Information technology security specialist
- Supporting GenuSight and networking staff for hardening, auditing, and assessment of corporate resources
* Tasked to validate security of all GenuSight system and network assets
- Through vulnerability assessment and penetration testing
* You are also responsible for guidance and support of all GenuSight subsidiaries, such as Pseudovision

PseudoVision has grown in recent years and has recently acquired several subsidiary companies, including ReaSight, a former competitor of PseudoVision. While ReaSight continues to work and develop its own products under the PseudoVision organization, you maintain a modest responsibility for these assets as well.

Hands-on Security Platform Analysis
SANS Security 561.1

Having finished with our course intro material, we'll begin the course material with a look at hands-on security platform analysis skills.

Course Roadmap
* Security Platform Analysis
- Linux Host and Server Analysis
- Windows Host and Server Analysis
* Enterprise Security Assessment
* Web Application Assessment
* Mobile Device and Application Analysis
* Advanced Penetration Testing
* Capture the Flag Event

Throughout the course we'll use the course roadmap to show your progress in the course.
Today we'll look at security platform analysis skills, starting with Linux host and server analysis in the morning. In the afternoon we'll move on to Windows host and server analysis.

What You Need to Know: Linux Host Analysis
* Popular server platform within many networks, widely preferred attack platform for many security analysts
* Core commands are the same across many Linux distributions and Unix in general
- "When in doubt, read the man page"
* We will use a customized Ubuntu virtual machine variant for exercises
For privilege escalation, compromised host pillaging, or identifying platform weaknesses: Essential Linux Skills

In this section you will gain a solid understanding of the command line interface to the Linux environment and essential tools that are useful in evaluating the security of Linux systems. Having some familiarity with Linux systems is very valuable, since the analysis of Linux systems can be applied to a local Linux workstation, a Linux server you have compromised, or a Linux server you are assessing for your organization.

We'll examine several Linux tools and commands, providing examples of how they can be applied for security analysis. These core commands and tools are available in a standard Linux environment, or commonly available through additional software repositories with OS-specific package management tools.

Despite the consistency of Linux commands, you will likely discover situations where command line options do not behave in the manner you expect. Having some familiarity with reading the manual documentation for tools within the "man" environment will be required to complete some of the exercises in this course. Additional documentation on the man command is provided on the next page.

Throughout the course, we will leverage a customized Linux virtual machine based on the Ubuntu distribution for the exercises. The Linux system is distributed as a VMware virtual machine, allowing you to run your native operating system and the Linux VM as well.

Man pages are used for the documentation of Unix environments, including Linux. The man command is used to look up command syntax and options. For example, the ls command has a lot of available options.
To look up the options available with the ls command, type "man ls".

There are 9 different sections of man pages (1-9), all of which are included in the standard Linux distributions. Commonly, you will be able to run "man name" to get the manual page for the specified program name. Alternatively, you can search a specific section of the manuals by specifying the section number. The sections are listed below, with the most commonly used sections marked with an asterisk:
1. Programs and commands *
2. System calls
3. Library functions
4. Information on device files (rarely used)
5. File formats *
6. Games
7. Miscellaneous topics
8. System administration utilities (these commonly require root access) *
9. Kernel documentation

For example, running "man stat" will show you the section 1 documentation for the stat command. However, an additional man page is also available in section 2:
$ man stat
stat - display file or file system status
$ man 2 stat
stat, fstat, lstat - get file status

Alternatively, running man with the "-a" argument will show documentation for all the available manual pages.

Investigating the Linux File System
* Many hosts disclose interesting and sensitive content on the file system
* Lots of content to investigate, start at these locations to narrow your search
(Slide table of file system locations to investigate; each location is described in the notes that follow.)

When you have new access to a Linux host through a penetration test, you should first explore the file system to identify the files now available to you. Many hosts will leave interesting or sensitive content in the file system, including passwords, documents, images, source code, application executables, and more.
Spend a little time exploring the file system on Linux hosts using the "ls" and "cd" commands (more on these later in the course), focusing on these and other directories from the system root:
/bin - Core user executables, such as the shell and common commands
/sbin - Similar to /bin, but for executables and utilities used for system maintenance and administrative tasks
/dev - System devices and special files. Everything in Linux is treated as a file, including hard drives (such as /dev/sda), CD drives (/dev/cdrom), and the sound system (/dev/snd)
/etc - Configuration files, including two very important files: passwd (contains user account information) and shadow (contains hashed passwords)
/home - Contains the home directories for users, which often contain interesting files and personal settings
/root - The home directory for the root account
/lib - Shared libraries used by the executables in /bin and /sbin
/opt - Installations of software packages go here, similar to the Windows "Program Files" directory
/proc - A virtual file system that provides process and kernel information
/tmp - Temporary files are written here; in many distributions of Linux this directory is cleared upon reboot
/usr - User system resources; this includes /usr/bin and /usr/sbin, which contain additional executables for users and root (respectively) beyond the essential executables stored in the aforementioned /bin and /sbin
/var - Files that change constantly during operation, including log files that are stored in /var/log

Users and Groups
* All users have a user ID and primary group ID
- UID/GID 0 is for root, <1000 for privileged (system) access
- All other users have UID/GID values starting at 1000
* UID and primary GID stored in /etc/passwd
* Secondary group memberships in /etc/group
(Slide figure: the colon-separated fields of an /etc/passwd entry, including username, UID, GID, home directory and shell.)

Like Unix, Linux was designed from its inception to support multiple, independent users. Each user on the system is assigned a unique user ID (UID), username, and a home directory (where the user's files and settings are stored). It is possible for multiple accounts to have the same UID (most commonly this occurs with root accounts), but it is discouraged. Any account with a UID of 0 will have full administrative access to the system and will have full access to the file system.
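The account conditions just described (a UID 0 account other than root, accounts sharing a UID, and secondary membership in a privileged group) are exactly what an analyst checks first in /etc/passwd and /etc/group. The following audit script is an added example, not part of the course material; the passwd and group contents are constructed samples, and the set of "privileged" group names is an assumption for the example.

```python
"""Audit /etc/passwd and /etc/group content for UID 0 accounts other than root,
duplicate UIDs, and secondary membership in privileged groups."""
from collections import defaultdict

# Constructed sample data (not from a real system). The "backup" account has
# been given UID 0, and "svc" shares UID 1000 with the "sec561" user.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:34:backup:/var/backups:/bin/bash
sec561:x:1000:1000:SEC561 Student,,,:/home/sec561:/bin/bash
svc:x:1000:1001:service account:/var/lib/svc:/bin/sh
"""

GROUP = """\
root:x:0:
sudo:x:27:sec561,svc
sec561:x:1000:
"""

def parse_passwd(text):
    """Return one dict per passwd entry (7 colon-separated fields)."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries

def parse_group(text):
    """Return {group_name: (gid, [secondary members])}."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups

def audit_accounts(passwd_text, group_text,
                   privileged_groups=("root", "sudo", "wheel")):
    """Return a sorted list of human-readable findings."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings = []

    # Any UID 0 account is root, whatever it is called.
    for u in users:
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(f"UID 0 account other than root: {u['name']}")

    # Shared UIDs make log entries impossible to attribute to one person.
    by_uid = defaultdict(list)
    for u in users:
        by_uid[u["uid"]].append(u["name"])
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(f"duplicate UID {uid}: {', '.join(sorted(names))}")

    # Secondary group membership grants elevated access that is not visible
    # from /etc/passwd alone. The privileged group list is an assumption.
    for g in privileged_groups:
        for member in groups.get(g, (None, []))[1]:
            findings.append(f"member of privileged group {g}: {member}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_accounts(PASSWD, GROUP):
        print(finding)
```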
This high privilege level should not be used for normal system use, such as web browsing and email. Root-level access should only be used where it is explicitly needed, to prevent security issues from completely compromising the system. There are two commands built into Linux to help enforce this security model. The su command, short for substitute user, allows you to switch to another account:
$ su otherusername
Password: [enter other username's password]

When switching to root you can omit the target username. You will likely want to load the environment variables of the target user as well, which can be done with the "-" option:
$ su -
Password: [root's password]
#

The sudo command allows you to run a single command as another user:
$ whoami
$ sudo whoami
Password: [enter root's password]

The user accounts on a Linux system are stored in the /etc/passwd file. The passwd file has several fields, delimited by the colon character, as shown on this page. While the passwd file identifies the default group for the user (many Linux systems will create a group matching the username of the user), secondary group memberships are recorded in the /etc/group file. In the example on this page, the "josh" user has a UID of 1000 (which is typically the first UID granted to a non-system account on a Linux system). The "josh" entry in the group file indicates that a secondary group is also granted to this user.

File Ownership and Permissions
$ ls -l /etc/passwd /etc/shadow
* First character indicates file type, "d" for directory, "-" for standard file, "l" for symbolic link
* Nine characters for user, group, and other permissions
- "d rwx r-x r-x": Directory, allows owner to read, write and execute, group can read and execute, other can read and execute
- "- rw- r-- ---": File, allows owner read and write, group can read, other has no access permissions
* Numeric representation: r=4, w=2, x=1
- 750 = rwxr-x---
- 444 = r--r--r--
- 644 = rw-r--r--
- 600 = rw-------

Linux uses three types of permissions on a file: read, write, and execute. Read permission allows the contents of a file to be read and the contents of a directory to be listed. Write permission allows the contents of a file to be modified, and allows users to add, remove, and rename files in a directory (note that even with write permission on a file, you cannot delete it without write permission on the directory).
Execute permission allows a file to be executed as a program or shell script, and allows users to traverse and access files in a directory (but not list its contents).

You can view the permissions on files and directories using the -l (lowercase L) option with ls (ls -l). The first character indicates if the file is a regular file (-), directory (d), symbolic link (lowercase l) or another type of special file. The next nine characters indicate the permissions for the file, in a consistent order. The first 3 characters indicate read (r), write (w) and execute (x) for the owner, the next three for the group and the last three for all other users. A hyphen indicates that the given permission is not granted for that file (see the slide for the permission examples).

Permissions for a file or a directory can be represented in two ways: symbolic and octal. Symbolic representation is shown with strings such as "rwxr-x---". Use the chmod utility to change the permissions in symbolic mode by specifying any combination of owner "u", group "g", other "o", or nothing to apply to all three:
$ chmod o-r somefile.txt       Remove read (r) from others (o)
$ chmod ug+rw somefile.txt     Add read/write (rw) permissions for user (u) and group (g)
$ chmod go=r somefile.txt      Read-only, no execute or write (r) for group & other (go)

You can also use the octal representation to set the permissions. Read is 4, write is 2, and execute is 1. The sum of these digits is the permission (e.g., read+write = 4+2 = 6, read+execute = 4+1 = 5).

Set UID/GID Files
* The setuid and setgid flags on an executable change permission behavior
- Normally, executables run with the privilege of the user
- Setuid/setgid executables run with the privilege of the owner/group
* Mishandled setuid/setgid files create an opportunity to escalate privileges
(Slide figure: "ls -l" output for the setuid/setgid executable discussed in the notes.)

In addition to the read/write/execute permissions, files can also have setuid (set user ID) and setgid (set group ID) permissions. When an executable file has the setuid flag,
the program executes with the permissions of the owner instead of the permissions of the logged-in user. Similarly, setgid programs execute with the permissions of the group instead of the default group of the logged-in user.

Setuid files are valuable on Unix systems to accommodate programmatic control over fine-grained permissions for specific programs (such as the sudo command, which runs as root, but only grants root or other permissions to users based on the permissions defined in the sudoers file). Unfortunately, setuid files also create an opportunity to bypass the permission controls on the Linux system as well.

Consider the example shown on this page. On one target platform exploited during a penetration test, the Nmap port scanner was installed but was modified to include the setuid and setgid bits, as shown in the "ls -l" output ("-rwsr-sr-x"). This is not the typical behavior of the Nmap executable, and we later learned that this change was made by an administrator to allow non-root users to perform Nmap scans that require root privileges. The Nmap utility includes the ability to run custom scanning scripts written in the Lua scripting language. Part of the Lua language allows a script to run arbitrary programs from the file system. With this knowledge, it was straightforward to escalate the logged-in user's privileges to gain root access, as shown on this page.
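From the defender's side, the Nmap case above is caught by a routine review of setuid/setgid executables against a known baseline. The script below is an added example, not part of the course material: it parses "ls -l" style lines (a constructed listing, not real output), converts the symbolic mode to the octal form taught above (with the setuid/setgid/sticky digit in front), and reports special-bit executables outside an assumed baseline of expected setuid binaries.

```python
"""Convert ls -l mode strings to octal and flag unexpected setuid/setgid files."""
import re

# Constructed sample listing (not real system output). The nmap line mirrors the
# case in the text: a normally non-setuid binary modified to run as root.
LISTING = """\
-rwsr-xr-x 1 root root   40152 Jun  1 12:00 /usr/bin/passwd
-rwsr-xr-x 1 root root  155008 Jun  1 12:00 /usr/bin/sudo
-rwsr-sr-x 1 root root 2798200 Jun  1 12:00 /usr/bin/nmap
-rwxr-xr-x 1 root root  126584 Jun  1 12:00 /bin/ls
drwxr-x--- 2 root adm     4096 Jun  1 12:00 /var/log/apt
-rw------- 1 root shadow  1200 Jun  1 12:00 /etc/shadow
"""

# Assumed baseline of setuid binaries expected on the host; anything else
# carrying setuid/setgid is reported for review.
EXPECTED_SETUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}

LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<user>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>.+)$")

def mode_to_octal(mode):
    """'-rwsr-sr-x' -> '6755'. The type character is ignored; s/S and t/T in
    the execute slots set the setuid (4), setgid (2) and sticky (1) digit."""
    perms = mode[1:]
    special, value = 0, 0
    for i, ch in enumerate(perms):
        if ch in "rwx":
            value |= 1 << (8 - i)
        elif ch in "sS":            # execute slot of user (i=2) or group (i=5)
            special |= 4 if i == 2 else 2
            if ch == "s":           # lowercase means execute is also set
                value |= 1 << (8 - i)
        elif ch in "tT":            # execute slot of other (i=8): sticky bit
            special |= 1
            if ch == "t":
                value |= 1 << (8 - i)
    return f"{special}{value:03o}"

def parse_listing(text):
    """Yield a dict (mode, user, group, path, octal) per parsable listing line."""
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["octal"] = mode_to_octal(entry["mode"])
            yield entry

def find_unexpected_special(text, baseline=EXPECTED_SETUID):
    """Return (path, octal, user, group) for setuid/setgid regular files
    that are not in the baseline."""
    suspicious = []
    for entry in parse_listing(text):
        if entry["mode"][0] != "-":
            continue                # only regular files are executed
        special = int(entry["octal"][0])
        if special & 0o6 and entry["path"] not in baseline:
            suspicious.append((entry["path"], entry["octal"],
                               entry["user"], entry["group"]))
    return suspicious

if __name__ == "__main__":
    for path, octal, user, group in find_unexpected_special(LISTING):
        print(f"review: {path} mode {octal} owned by {user}:{group}")
```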
