Advanced Penetration Testing

Hacking the World’s Most Secure Networks

 

 

Wil Allsopp

 

 

 

 

 

Advanced Penetration Testing: Hacking the Worlds’s Most Secure Networks

Published by
John Wiley & Sons, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com

Copyright © 2017 by John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-1-119-36768-0
ISBN: 978-1-119-36771-0 (ebk)
ISBN: 978-1-119-36766-6 (ebk)

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2017931255

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

This work is dedicated to the memory of Sir Terry Pratchett, OBE (1948–2015), for teaching me comedy and satire and the wisdom to know the difference.

Do you not know that a man is not dead while his name is still spoken?

—Going Postal

About the Author

Wil Allsopp always liked taking things apart. Sometimes he was able to put them back together again. He wandered into penetration testing like some people wander into bars (another activity close to his heart). A chance encounter with a like-minded individual in the 't Stadscafe Zaltbommel in 1999 led to him resigning his IBM software development contract and forming his first company, called Tigerteam Security NV, which for reasons lost to time was incorporated in Curaçao. At least that's how he remembers it.

Nearly 20 years later, he's still breaking things, with the important difference that some of the most prestigious companies in the world are paying him to do so.

He lives in The Netherlands with his wife and a large menagerie of cats, dogs, chickens, and a toad named Malcolm.

About the Technical Editor

Elias Bachaalany has been a computer programmer and a software reverse engineer for more than 14 years. Elias is also the co-author of two books published by Wiley, Practical Reverse Engineering and The Antivirus Hacker's Handbook, and the author of Batchography: The Art of Batch Files Programming. He worked with various technologies and programming languages such as web programming, database programming, and Windows device drivers programming (boot loaders and minimal operating systems), and wrote .NET and managed code, wrote scripts, assessed software protections, and wrote reverse engineering and desktop security tools.

Credits

  1. Project Editor
  2. Adaobi Obi Tulton
  3. Technical Editor
  4. Elias Bachaalany
  5. Production Editor
  6. Barath Kumar Rajasekaran
  7. Copy Editor
  8. Kezia Endsley
  9. Manager of Content Development & Assembly
  10. Mary Beth Wakefield
  11. Production Manager
  12. Kathleen Wisor
  13. Marketing Manager
  14. Carrie Sherrill
  15. Professional Technology & Strategy Director
  16. Barry Pruett
  17. Business Manager
  18. Amy Knies
  19. Executive Editor
  20. Jim Minatel
  21. Project Coordinator, Cover
  22. Brent Savage
  23. Proofreader
  24. Nancy Bell
  25. Indexer
  26. Johnna VanHoose Dinse
  27. Cover Designer
  28. Wiley
  29. Cover Image
  30. Bullet © Ejla/istock.com; card © zlisjak/istock.com; torn edges © hudiemm/istock.com

Acknowledgments

Far too many to name (and they know who they are), but special thanks to Tim and Courtney without whom this work would not be possible in its current format; D. Kerry Davies, for being the yardstick by which the rest of are measured; GCHQ, for their helpful suggestions; and last but not least, Gary McGath, one of the most underrated musicians of our age.

Also, thanks to every pen tester, hacker, and security evangelist I've toiled with over the years. You are this book.

Foreword

Ever since I came first into contact with computers, the security (or insecurity if you want) of these very powerful systems has intrigued me. Living in The Netherlands, I was fortunate to be able to use a Philips P9200 system of the Technical University Eindhoven by dialing into it using a 300 baud modem when I attended high school to learn programming in ALGOL 60. Personal computers were virtually nonexistent at that time and computer systems like this cost a small fortune. Using a modem to connect to a system that you could program to solve lots of computational problems was already something magical, but gaining access to the machine itself became something of a quest. Since it was located on the university's campus, this was not that problematic. At that time, security was not really a big issue, and walking onto the premises as a young scholar asking for a tour of the facility was all it took.

There I learned that the P9200 was just a “small mini computer.” The real deal was the Burroughs B7700 mainframe. It took some snooping around to find the dial-in number for that system, and a lot of persuading to get an account on that system, but eventually I succeeded. I did not hack the system at that time, but social engineering (being able to tell a persuading enough story to gain trust and/or information) proved to be a very valuable trait to have.

While I studied computing science, we eventually had to use Prime computers. Let me just state that computer security at that time was not considered important. The number of bugs in the operating system (PrimeOS) were numerous, and even fixes for security problems we uncovered would contain new security bugs. At that time, information security really caught my attention and it has not faded since. Just before graduating, I started working for a small company called Positronika, developing systems for the nuclear industry, ranging from a small pocket dosimeter (based on a 6502 processor) to large automated measurement systems. They used PDP-11 systems for fuel rods after they were used in a nuclear reactor. I not only learned the importance of safety, but also learned how to write secure computer code. You just could not risk the various rod handling routines and drop some very highly radioactive material. It could be fatal.

In 1989, I came into contact with an underground and obscure publication called Hack-Tic, which was a so-called hacker magazine published irregularly. It opened up a whole new world to me. I suddenly noticed there were many more people interested in IT security and they published lots of other information as well. This included information on the phone system, which the Dutch telecom provider—at that time called PTT—was not too pleased with (they still did not understand that security through obscurity is a fundamentally bad idea!), as well as information about picking locks, to name but a few tricks. Discussing subjects like these with like-minded people eventually grew to monthly gatherings, random parties, and hacker events (in hotels and on campgrounds—always including high-speed Internet connectivity). Nowadays, there are even hacker spaces where people not only are building or breaking software, but are using all kinds of modern technology in new ways. So what once started as an underground movement is currently very well connected in modern society.

Fast forward to the year 2000. After several positions at various companies, eventually resulting in a lead role in a pentest group at one of the largest computer centers in The Netherlands, two friends and I decided we would start a business ourselves. The Internet bubble had just busted and we thought it a good idea to start a consultancy company focusing on information security. Luckily, we always had the credo, “If we do not succeed, we should at least be able to tell ourselves we had a blast.” Little did we know.

The first assignment came when I was visiting Scandinavia and I had to draft a contract for this penetration test in a room of a hotel I walked by while talking to the prospect and used their fax machine to send it out. We did not even have a name for this venture of ours.

Even though the bubble busted and various Internet companies were forced to close shop, we continued, eventually choosing the name Madison Gurkha since we could not find any domain name containing something that came close to the service we tried to provide. The advantages of this exotic name were numerous, ranging from the fact you had to spell it at least three times (so it would really be burned into the brains of those who had to deal with us), to the assumption people made (and still make) that we were an international conglomerate with an HQ somewhere outside of The Netherlands.

At that time we had no need for a sales and marketing department. Our personal network was expanding and there were not many businesses providing our services, so verbal recommendations brought the opportunities to our door. At that time we basically only did vulnerability assessments of web applications and ICT infrastructures, and some pentesting when our customers were really interested in the impact of real-live attacks on their ICT environments. Since there were hardly any tools available, we had to create our own exploits and scripts to make our lives easier. Exploits were sometimes also published on the Internet (mostly in newsgroups), but you had to compile them yourself and they always contained some flaw so that script kiddies who just compiled the thing, but did not understand the actual problem, could not use the code (you had to make some minor modifications to be able to use it). At the time of this writing, tools like Metasploit and Nessus are widely available and popular TV shows like Mr. Robot show these tools at work.

But IT security advances. It always has been, and will probably always be, a precarious balance between attacks and defenses. The available tools will be enhanced and become more powerful and more advanced tools will become available. But only in the hands of a well-educated specialist will they add real value. That person not only understands the benefits of the tools but also knows their limitations and how to interpret the results.

Wil Allsopp is one such specialist. I have been fortunate to work with Wil when he joined Madison Gurkha in 2006. At that time we were a couple of years old and expanding from the three-person start-up to the well-established dedicated IT security consultancy firm we are today. Wil helped us push the bounds of the security testing envelope even further and has done so ever since. He has always looked for new vulnerabilities and wants corporations and institutions to be aware of the latest threats. This book contains various valuable examples of those advanced threats.

When your organization not only is looking for a positive score on the “in control” checklist, but really wants to know if it is capable of withstanding the kind of very advanced attacks that currently take place on a global scale, you should read this book. Ensure that the company you hire to perform IT security assessments can actually execute attacks like these. Once again, Wil shows that a real IT security specialist not only does know how to use available tools, but is also able to think outside of the box and develop additional and advanced attacks when needed. Regular vulnerability scans are helpful to keep your infrastructure on par; actual penetration testing using advanced techniques like those described in this book will provide your organization with the needed insight on whether you are actually in control of your IT security or have been shutting your eyes to the real dangers out there while adding ticks to your checklists.

Amsterdam, October 5, 2016
Hans Van de Looy
Founder of Madison Gurkha BV

Introduction

There is an old yet erroneous belief that fortune favors the brave. Fortune has and always will favor the prepared. When your organization experiences a serious security incident (and it will), it's your level of preparedness based on the understanding of the inevitability of such an event that will guide a successful recovery. It doesn't matter if you're responsible for the security of a local community college or if you're the CISO of an international bank—this fact will always remain true.

To quote Howard Ruff, “It wasn't raining when Noah built the ark.”

The first step to being prepared is being aware.

Coming Full Circle

There has always been the impression that you have to patch your systems and secure your networks because hackers are scanning vast address ranges looking for victims who haven't done these things and they'll take whatever vulnerable systems they can get. In a sense that's true—there have always been those who are satisfied with low hanging fruit. It was true back in the 80s as well—war dialing on the PSTN and such attacks are usually trivial to guard against if you know what you're up against. However, if you are specifically targeted by someone with time and resources, you have a problem of an altogether different magnitude. Put simply, gaining access to corporate systems by patiently targeting the users was usually the best way to go in the 80s and it's usually the best way now. However, the security industry, like any other, is constantly looking to sell “new” products and services with different names and to do that, a buzzword is required. The one that stuck was advanced persistent threat.

Advanced Persistent Threat (APT)

What differentiates an APT from a more traditional intrusion is that it is strongly goal-oriented. The attacker is looking for something (proprietary data for example) and is prepared to be as patient as is necessary to acquire it. While I don't recommend breaking complex processes down into simple lists or flowcharts, all APTs generally have the following characteristics:

I am a penetration tester by trade (a professional “hacker,” if you like) working for every possible kind of client and market vertical over the best part of two decades. This book speaks from that narrative. I want to show how conventional penetration testing is next to useless when attempting to protect organizations against a targeted APT attack. Only by going beyond the stagnant nature of contemporary penetration testing methodologies can this hope to be achieved. Potential adversaries today include organized crime and nation states—it's worth pointing out that foreign intelligence agencies (of any nation) are heavily invested in industrial espionage, and not just against hostile nations.

Next Generation Technology

There are numerous technologies available that claim to be able to prevent APTs, capable of blocking unknown malware. Some of these products are not bad and do indeed add another layer of security by providing some degree of behavioral analysis—for example catching a Metasploit callback by looking at what the .exe is doing rather than relying on an antivirus signature, which can be easily bypassed. However, that is trivial to model simply because the behavior of such tooling is very well understood. A genuine APT will be carried out by skilled threat actors capable of developing their own tools with a very strong understanding of how modern intrusion detection and prevention systems work. Thus, in describing modeling techniques, I make heavy use of the SSH protocol as it solves a lot of problems while masking activity from monitoring systems and at the same time gives the appearance of legitimate traffic. It is wise at this point to reflect on what an APT isn't and why. I've seen a number of organizations, commercial and otherwise, giving out advice and selling services based on their own flawed understanding of the nature of Advanced Persistent Threat. The following article published in InfoWorld is as good a place as any to rebut some myths I saw in a discussion online recently:

“Hackers”

The demographic of what we consider to be “hackers” has changed beyond all recognition so this introduction will be the last time I use that word. It is outdated and outmoded and the connotations it conjures up are completely inaccurate. I prefer the more neutral terms, “attacker” or “external actor,” because as you will learn, there are far worse things out there than teenage anarchists with too much time on their hands. The “Golden Age” of hacking whose anti-heroes were Mark Abene, Kevin Poulsen, Kevin Mitnick, and others was an incredibly innocent time compared to today, where the reality is stranger than the cyberpunk fiction of the 1980s that inspired so many hackers of the day.

It's been a busy couple of years. The Snowden revelations shocked the world and directly led to wide-sweeping changes in the tech industry's attitude toward security. In 2013, I had a conversation with a client that would have been unthinkable prior to the leaks—a conversation where the NSA was the villain they wanted to be protected against. This was a globally respected Fortune 500 company, not the mob. Intellectual property theft is on the rise and increasing in scale. In my line of work I am in a unique position to say with certainty that the attacks you hear about are just the ones that are leaked to the media. They are the tip of the iceberg compared to the stuff that goes unreported. I see it on a daily basis. Unfortunately for the wider tech industry, breaking in to target systems (and I'd include penetration testing here, when it's conducted properly) is a lot easier than keeping systems secure from attack. The difference between secure and vulnerable is as simple as one individual in a company of thousands making one small mistake.

Forget Everything You Think You Know About Penetration Testing

Nothing is really secure. If there is one lesson to take away then it should be that—a determined attacker is always going to be at an advantage, and (with very few exceptions) the larger an enterprise gets, the more insecure it becomes. There's more to monitor, more points of ingress and egress, boundaries between business units become blurred, and naturally there are more users. Of course, that doesn't mean you should give up hope, but the concept of “security through compliance” is not enough.

Despite the obvious benefits of this kind of holistic or open-scope testing, it is rarely performed in the real world, at least in comparison to traditional penetration testing. The reason for this is twofold: it is perceived to be more expensive (it isn't) and organizations rarely want that level of scrutiny. They want to do just enough to comply with their security policies and their legal statutory requirements. You hear terms like HIPAA-, SOX-, or PCI-compliant bandied about by vendors as though they mean something, but they exist only to keep lawyers happy and well paid and it is an easy package to sell. You can be PCI compliant and be vulnerable as hell. Ask T.J. Maxx or Sony: it took the former years to recover brand confidence; the vast amount of data leaked means that the damage to the latter is still being assessed. Suffice it to say that a compliance mentality is harmful to your security. I'm really driving the point home here because I want to make sure it is fully understood. Compliance with a security policy and being secure are not the same thing.

How This Book Is Organized

In this book, as stated, I'm going to examine APT modeling in the real world, but I'm also going to go a little further than that. I will present a working APT testing framework and in each chapter will add another layer of functionality as needed to solve different problems and apply the result to the target environments in discussion. In doing so, I will be completely code-agnostic where possible; however, a solid knowledge of programming is essential as you will be required to create your own tools—sometimes in languages you may be unfamiliar with.

Each of the chapters of this book discusses my experience of APT modeling against specific industries. As such, each chapter introduces new concepts, new ideas, and lessons to take away. I believe it's valuable to break this work down by industry as environments, attitudes to security, and indeed the competence of those performing network defense varies widely across different sectors. If you are a pen tester, you will learn something. If you have the unenviable task of keeping intruders out of your organization's system, you will learn things that will keep you up at night but also show you how to build more resilient defenses.

Rather than approach the subject matter as a dry technical manual, each chapter follows a similar format—the context of a wide range of separate industries will be the background against which new technologies, attacks, and themes are explored. This includes not only successful vectors of attack but such vital concepts as privilege escalation, avoiding malware detection, situation awareness, lateral movement, and many more skills that are critical to a successful understanding of both APT and how to model it. The goal is not simply to provide a collection of code and scripts, although many examples are given, but to encourage a broad and organic understanding of the problems and their solutions so that the readers will think about them in new ways and be able to confidently develop their own tools.

So, without further ado—on with the show.