Ahead of the Hackers: A Guide to Offensive Security with Free Tools and Tips

Cloudreach Team 7th March 2016

The advent of new IT environments and cloud adoption has brought about the new challenge of how to defend it from potential threats and malicious use. In this post we’ll offer you some insight into free security scanning tools that will help you to protect your systems, giving some Cloudy advice along the way.

There are several Open source tools available on the Internet that you can use to test the security of your applications and servers, as a Cracker would.
#1. OPERATING SYSTEM – KALI LINUX

One of the most frequently (ab)used Operating Systems by security professionals for this task is Kali Linux.

Kali is a creation of the Offensive Security Team (OffSec) in an effort to achieve effective system defensive through an offensive mindset. Kali is the successor to the ever popular forensic Linux Distribution, BackTrack.

Over the past decade we have seen Security become a hot topic, so much so, that many splinters of these security focused Operating Systems have emerged.

Kali is supported not only by OffSec, but is also contributed to by an impressive community of Hackers, donating scripts and tooling to the project which allows Kali to come preinstalled with over 600 penetration testing tools.

Following the success of its beta release during the 2015 Defcon conference, OffSec have released version 2.0 of Kali (codenamed Sana) which can be acquired here or if you have used an older version you can perform a distribution upgrade to get the latest version which is now on a rolling release.

If you only want a subset of the security tools Kali offers, you can use the following downloads and instructions to access the same scripts/tools from any computer you are working with. Let’s have a look at some of those tools now.

 

#2. TESTING YOUR SECURITY – TOOLING

Disclaimer: Cloudreach holds no responsibility for your use of the information contained in this post. Consent (in writing) should be sought BEFORE exploring a computer system that you do not own!

We’ll be taking a look at the following:

theHarvester.py Installation

Automater.py Installation

FragRoute Installation

Wpscan Installation

Nmap Installation

Nessus Installation

TinFoilSecurity Signup

 

theHarvester.py

theHarvester scours the web for interesting information about your site. It can use a range of search engines such as Google, Bing, LinkedIn, and PGP to find information related to your domain, this can include email addresses, IPs, and even (if you’re lucky!) server configurations where an admin might have asked for help online!

theHarvester.py has the following usage pattern:

$ theHarvester -d [url] -l 300 -b [search engine name]

$ theHarvester -d bigevilcorporation.com -l 300 -b all


The different command line flags mean:

-d  [url] will be the remote site/domain we are probing

-l   limits the search for specified number

-b  is used to choose the search engine we want to use

We can sort the results out in an easy to read format by adding the -f switch and giving it a filename, and the resulting file can be loaded in our browser for inspection.
Automater.py

The Automater is a script that will scan various blacklists to verify if your IP, domain name or data from hashes testing are present in their databases. Testing to see if any of our data can be cross-referenced with any previous attack or breaches (i.e data dumps or threat intelligence). This will ensure you don’t get any nasty surprises from a previous tenant with a bad reputation when you launch your site.

Automater.py [-h] [-o OUTPUT] [-w WEB] [-c CSV] [-d DELAY] [-s SOURCE] [--p] target/path/to/file/containing/a/list

-h, --help    Show this help message

-o OUTPUT     Outputs the screen output to the file OUTPUT as plain text

-w WEB        Outputs the results as an HTML file called WEB. This can again be viewed in your browser

-c CSV        Outputs the results to a CSV file CSV. This can be loaded into a spreadsheet or database.

-d DELAY      Will add/remove the delay between requests - the default is 2

-s SOURCE     Will run a test against a specified SOURCE

   [ IPvoid, Fortiguard, Unshorten, Urlvoid, AlienVault, ThreatExpert, VxVault, and VirusTotal to name a few]

This command is a little more complex so here are some examples:

The following command will run a generic test against your domain:

$ Automater.py -s bigevilcorporation.com

Here we are scanning ipvoid for our external IP address to see if there has been any malicious use.

$ Automater.py -s ipvoid $(curl icanhazip.com)

If we really wanted we could use ALL the flags:

$ Automater.py test.txt -o test.out -c test.csv -w test.html

In the above command we took a fictional list of items located at “test.txt” and we outputted the results in plain text, CSV and HTML files so we have a variety of ways to view the data (…which we might want to plug in to some other automation, maybe?)
FragRoute

FragRoute is an interesting package. At its heart it is a traffic shaper that allows the operator to test a variety of attacks featured in this document. It features a simple ruleset language which allows the operator to simulate a variety of attacks designed so that the attacker can try to evade detection. This effort at evasion is achieved by altering the packet stream, so that an exploit might not be recognised by any preventative systems (such as Network Based Intrusion Detection Systems). Fragroute will try to distort your outgoing traffic from the hacker’s machine so that the NIDS cannot accurately identify that they are under attack.

From the FragRoute help we can see the simplistic language used to craft our test with:

      delay first|last|random <ms>

      drop first|last|random <prob-%>

      dup first|last|random <prob-%>

      echo <string> ...

      ip_chaff dup|opt|<ttl>

      ip_frag <size> [old|new]

      ip_opt lsrr|ssrr <ptr> <ip-addr> ...

      ip_ttl <ttl>

      ip_tos <tos>

      order random|reverse

      print

      tcp_chaff cksum|null|paws|rexmit|seq|syn|<ttl>

      tcp_opt mss|wscale <size>

      tcp_seg <size> [old|new]

 

and we can provide these in a text file to the program with the -f argument.

$ fragroute -f ./path/to/local/config [destination]

If no config is specified then the program will default to using the internal configuration which is generally (system dependent) located at /etc/fragroute.conf

While FragRoute is running we can now perform a variety of tests against the destination and see what is going on.

To demonstrate this we can use ping to send a large ICMP packet to the destination:

$ ping -s 20000  [destination]

Following this command you should see some activity in the terminal where we are running our FragRoute command. Alternatively, we can log on to the destination (…because we do actually own the target, right?) and view the effect through a packet analyser such as tcpdump.
Wpscan

Wpscan is a tool used for testing the most common exploits against WordPress installations.

If you run a WordPress press website, I cannot recommend this tool enough.

Wpscan can be used for both enumeration as well as attacking. It has a lot of options attached to it:

--update                            Update the database to the latest version.--url       | -u <target url>       The WordPress URL/domain to scan.
--force     | -f                    Forces WPScan to not check if the remote site is running WordPress.
--enumerate | -e [option(s)]        Enumeration.
 option :
   u        usernames from id 1 to 10
   u[10-20] usernames from id 10 to 20 (you must write [] chars)
   p        plugins
   vp       only vulnerable plugins
   ap       all plugins (can take a long time)
   tt       timthumbs
   t        themes
   vt       only vulnerable themes
   at       all themes (can take a long time)
 Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins
 If no option is supplied, the default is "vt,tt,u,vp"
--exclude-content-based "<regexp or string>"                                   Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied.
                                   You do not need to provide the regexp delimiters, but you must write the quotes (simple or double).
--config-file  | -c <config file>   Use the specified config file, see the example.conf.json.
--user-agent   | -a <User-Agent>    Use the specified User-Agent.
--cookie <String>                   String to read cookies from.
--random-agent | -r                 Use a random User-Agent.
--follow-redirection                If the target url has a redirection, it will be followed without asking if you wanted to do so or not
--batch                             Never ask for user input, use the default behaviour.
--no-color                          Do not use colors in the output.
--wp-content-dir <wp content dir>   WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it.
                                   Subdirectories are allowed.
--wp-plugins-dir <wp plugins dir>   Same thing than --wp-content-dir but for the plugins directory.
                                   If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
--proxy <[protocol://]host:port>    Supply a proxy. HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported.
                                   If no protocol is given (format host:port), HTTP will be used.
--proxy-auth <username:password>    Supply the proxy login credentials.
--basic-auth <username:password>    Set the HTTP Basic authentication.--wordlist | -w <wordlist>          Supply a wordlist for the password brute forcer.
--username | -U <username>          Only brute force the supplied username.
--usernames     <path-to-file>      Only brute force the usernames from the file.
--threads  | -t <number of threads> The number of threads to use when multi-threading requests.
--cache-ttl       <cache-ttl>       Typhoeus cache TTL.
--request-timeout <request-timeout> Request Timeout.
--connect-timeout <connect-timeout> Connect Timeout.
--max-threads     <max-threads>     Maximum Threads.
--throttle        <milliseconds>    Milliseconds to wait before doing another web request. If used, the --threads should be set to 1.
--help     | -h                     This help screen.
--verbose  | -v                     Verbose output.
--version                           Output the current version and exit.

As you can see, the options available to us are numerous, and can be used in different ways to test different aspects of our WordPress installation.

If the above is a little confusing,here are some canned commands which will help you find out a bit about your installation!

This command will update the internal database of the tool – should be run first!

$ ./wpscan --update

This command will run all the enumeration tools that it commands which can be fine tuned depending on what we want to enumerate

$ ./wpscan --url www.bigevilcorporation.com --enumerate

This command will attempt to enumerate a list of users for the WordPress installation, and attempt to break the password by brute force from a wordlist (you can use the –threads argument to choose how many threads we will open with this operation)

$ ./wpscan.rb --url www.bigevilcorporation.com --wordlist darkc0de.lst

 

Nmap

Nmap (Network Mapper) is a tool used by network professionals to “map” out a given network. Nmap has a lot of options and gives its operator a large choice of scans which we can run against our target.

Nmap is very simple to use and will scan one or more addresses to provide its user with as much information as it can about the desired target, depending on the arguments we pass to it.

An example command can look like:

$ sudo nmap -sT -p 1-65535 192.168.1.1/24

This command will run a TCP connect scan against all ports (1-66535) against all IPs in the range of 192.168.1.1 to 192.168.1.254.

Sometimes the results of these scans might not correlate to what you as an Administrator know to be true, these readings are known as false positives and may require a more manual testing approach to verify.

To see the full list of what is possible run:

$nmap --help

One last scan we will look at with regard to Nmap uses its OS fingerprinting capability.

This scan will attempt to identify the operating system which the host is running, so we can research this and see if there are any known vulnerabilities against our systems.

$ sudo nmap -O -v 192.168.1.1/24

The above scan requires at least one port to be open, and will perform a variety of attacks to try and track down what the host system is running.

There are many instruction manuals out on the web which will help any aspiring security professional learn more about this amazing tool! One of which can be found here.

Finally, the last products we are going to look at are of the class “Automated Scanners”. Please note that automated scanning is not the same as penetration testing.

There is no better way to test your infrastructure than hiring professionals to come and attack your network. They will see things that the automation behind these tools will not see, and will be able to suggest ways of fixing your vulnerabilities.

 

Nessus

Nessus is an automated vulnerability scanner that can scan your network and websites to test for known vulnerabilities. When installing Nessus you can choose if you want to use a professional or home feed. Each feed will give you a large range of modules and plugins (although the professional version will give you more, it comes with a cost).

Nessus uses policies to guide how it scans your infrastructure. To create one of these log on to the web based interface, select “policies” and click “add”. Create a shared policy and give it a sensible name and description, then tune your policy to match your needs. By default, Nessus will try to load all the plugins it has in its inventory, which we can change again to suit our needs, click plugins on the left and tune these settings so you only use the plugins you want.

Now that we have Nessus and our policy configured we are ready to run an automated scan against our infrastructure. Click on “Scans” and click add, following the on-screen instructions to give the scan a name as well as a policy and choose which hosts we want to run the scan against. When you are ready, hit “Launch Scan” and wait for it to complete to view the results.

 

TinFoilSecurity

TinFoilSecurtity is a Managed Service which has a free and paid plan. This tool will allow a signed up user to run scans across Web Applications, as well as many other aspects of your infrastructure.

There are some caveats with using this product – you must be able to prove that you have the right to be testing the system you ask it to, and it will add your details to the header as it runs its scan.

TinFoilSecurity and similar products are brilliant resources for those who are not fully versed with Penetration Testing tools and will help you protect against some of the most common exploits being used on the internet.

 

This concludes our introduction into the world of security and should have helped you to view your environment through the eyes of a Cracker.

A final word from the Author to anyone wanting to gain more experience in this fascinating subject always, ALWAYS…
TRY HARDER!