During a recent penetration test we ran into a situation where we had gained remote code execution with limited privileges on a web server and had to pivot to other hosts on the internal network.
To do this, we needed a reliable way to forward traffic from our local machine to the internal host through the compromised server. This blog post describes how we solved the problem, for future reference.
Our scenario is best described in the diagram below:
Achieving our goal was not that straightforward, since the compromised server was behind a firewall that only permitted inbound traffic on ports 80 and 443. Furthermore, we were executing commands as the www-data user, and our non-interactive shell (PHP passthru) was pretty limited.
Ionut Popescu, Senior Security Consultant @ KPMG Romania, has been accepted as a speaker at the prestigious DEFCON conference. He will present one of his projects, the NetRipper tool, developed especially for use in penetration testing projects.
The conference will be held in Las Vegas, Nevada, from 6 to 9 August 2015.
NetRipper – Short description
Post-exploitation activities in a penetration test can be challenging if the tester has low privileges on a fully patched, well-configured Windows machine. This work presents a technique that helps the tester find useful information by sniffing the network traffic of applications on the compromised machine, despite having only low-privileged rights. Furthermore, encrypted traffic is captured before it reaches the encryption layer, so all traffic (clear-text and encrypted) can be sniffed. The implementation of this technique is the tool NetRipper, which uses API hooking to perform the actions described above. It has been designed especially for use in penetration tests, but the same concept can also be used to monitor the network traffic of employees or to analyze a malicious application.
We will share his experience from the conference in a follow-up article.
Mobile phones have become an indispensable part of our daily life. We use mobile phones to communicate with our loved ones, for quick access to information through the Internet, to make transactions through mobile banking apps or to relax reading a good book.
In a way, a big part of our private life has moved into the digital environment. Mobile phones have become a pocket-sized treasure of secrets and information, holding our most valuable photos, mails, contacts and even banking information. It is no wonder that we need mobile phones to have bullet-proof security.
Android is the most common operating system for mobile devices and is particularly interesting from a security point of view. It is very permissive, allowing users to customize almost anything; administrative privileges (a.k.a. rooting) can be unlocked on most phones; it has a rather fuzzy model for the permissions requested by applications; and it offers several different ways for one application to interact with others.
In this blog post, we are going to focus on how Android apps can interact with each other and how the security of those interactions can be tested.
KPMG Europe’s internal information security conference, Hacknet, was held in Berlin over two days, the 29th and 30th of April.
This year, it was Ionut, Daniel and me who had the privilege of representing KPMG Romania.
Our team arrived in Berlin on the 28th. After taking our luggage to the hotel, we went for dinner, followed by a short walk in the city.
The conference kicked off early on the 29th and the program for the day consisted of three presentations and the CTF competition.
The first presentation was on Relaying Contactless EMV, by a colleague from KPMG NL. After an introduction to smart cards and EMV, the speaker described the concept of relay attacks on contactless transactions. Afterwards, he showed a video illustrating his Android implementation of the attack, the novelty of his approach being the small time overhead incurred by the relay. Measurements showed that the duration of a relayed transaction was very close to the duration of a native transaction (sometimes, due to optimizations, even faster).
Exploiting a machine is only one step in a penetration test. What do you do next? How can you pivot from the exploited machine to other machines in the network? This is the phase where you need to prove your post-exploitation skills. Even though Metasploit is a comprehensive framework, it is not complete, and it sometimes needs to be extended.
Why would I write such a module?
Metasploit is the “World’s most used penetration testing software”; it contains a huge collection of modules, but it is not complete, and you can customize it by writing your own modules.
Even if you manage to compromise a machine, you may ask yourself: “Now what?” You can use one of the many Metasploit post-exploitation modules, but what if none of them suits your needs? You could request one from the Metasploit community and developers, but it may take a long time before it becomes available. So why not try writing your own module?