Figure 30: SSL Server Test results for www.megacorpone.com
The results seem better than the Security Headers check. However, the scan shows that the server still supports TLS 1.0 and 1.1. Both versions are formally deprecated (RFC 8996): they predate AEAD cipher suites and can only negotiate legacy suites [243], which ultimately suggests that our target is not applying current best practices for SSL/TLS hardening. Disabling suites such as TLS_DHE_RSA_WITH_AES_256_CBC_SHA has been recommended for several years [244]: the suite encrypts records with AES in Cipher Block Chaining (CBC) mode, which has been the subject of padding-oracle class attacks, and authenticates them with an HMAC built on the deprecated SHA-1 hash. We can use these findings to gain insights about the security practices, or lack thereof, within the target organization.
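To make that grading concrete, the following is an added example (my own code, not part of the course material and not output from the SSL Server Test). It splits IANA cipher-suite names into their key-exchange, bulk-cipher and hash components and flags deprecated protocols and weak suites the way a scanner would. The scan result it runs on is constructed, not real data for www.megacorpone.com, and the rating rules are a deliberate simplification of what real scanners apply.

```python
"""Classify the TLS protocols and cipher suites an SSL/TLS scan reports.
Added example: not course material and not real scan output.  The rating
rules are a simplification of what scanners such as the SSL Server Test use."""

RANK = {"strong": 0, "weak": 1, "insecure": 2}

# SSLv2/SSLv3 have been dead for years; TLS 1.0 and 1.1 were deprecated by RFC 8996.
LEGACY_PROTOCOLS = {"SSLv2": "insecure", "SSLv3": "insecure",
                    "TLSv1.0": "weak", "TLSv1.1": "weak"}

# Key-exchange labels that use a static (long-term) key and so give no forward secrecy.
STATIC_KX = {"RSA", "DH_RSA", "DH_DSS", "ECDH_RSA", "ECDH_ECDSA"}


def parse_suite(name):
    """Split an IANA suite name into its parts.

    TLS 1.2 and earlier: TLS_<kx>_WITH_<cipher>_<hash>, e.g.
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA -> kx DHE_RSA, cipher AES_256_CBC, hash SHA
    TLS 1.3: TLS_<cipher>_<hash>, no key-exchange part (always ephemeral).
    The trailing hash is the record MAC for CBC suites and the PRF/HKDF hash
    for AEAD suites.
    """
    body = name[len("TLS_"):]
    if "_WITH_" in body:
        kx, rest = body.split("_WITH_", 1)
    else:
        kx, rest = "TLS1.3", body
    cipher, _, hash_ = rest.rpartition("_")
    return {"kx": kx, "cipher": cipher, "hash": hash_}


def classify_suite(name):
    """Return (rating, reasons) for one suite: 'strong', 'weak' or 'insecure'."""
    p = parse_suite(name)
    rating, reasons = "strong", []

    def flag(level, why):
        nonlocal rating
        reasons.append(why)
        if RANK[level] > RANK[rating]:
            rating = level

    kx, cipher, hash_ = p["kx"], p["cipher"], p["hash"]
    if "anon" in kx:
        flag("insecure", "anonymous key exchange: no server authentication")
    if "EXPORT" in kx:
        flag("insecure", "export-grade (deliberately weakened) key exchange")
    if kx in STATIC_KX:
        flag("weak", "static key exchange: no forward secrecy")

    if cipher == "NULL":
        flag("insecure", "NULL cipher: no confidentiality")
    elif cipher.startswith("RC4"):
        flag("insecure", "RC4: keystream biases, broken for TLS")
    elif cipher.startswith("DES"):
        flag("insecure", "single DES: 56-bit key")
    elif cipher.startswith("3DES"):
        flag("weak", "3DES: 64-bit block size (Sweet32)")
    elif cipher.endswith("_CBC"):
        flag("weak", "CBC mode: MAC-then-encrypt, padding-oracle class attacks")

    if hash_ == "MD5":
        flag("insecure", "MD5-based MAC")
    elif hash_ == "SHA":
        flag("weak", "SHA-1 based MAC/PRF (deprecated hash function)")
    return rating, reasons


def evaluate_scan(scan):
    """scan maps protocol name -> list of suites the server accepted on it.
    Returns findings as (protocol, suite_or_None, rating, reasons), worst first."""
    findings = []
    for proto, suites in scan.items():
        if proto in LEGACY_PROTOCOLS:
            findings.append((proto, None, LEGACY_PROTOCOLS[proto],
                             [f"{proto} is deprecated; disable it"]))
        for suite in suites:
            rating, reasons = classify_suite(suite)
            if rating != "strong":
                findings.append((proto, suite, rating, reasons))
    findings.sort(key=lambda f: RANK[f[2]], reverse=True)  # stable: keeps scan order within a rank
    return findings


# Constructed scan result (not real data for any host), shaped like a
# scanner's per-protocol cipher listing.
SAMPLE_SCAN = {
    "TLSv1.0": ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    "TLSv1.1": ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA"],
    "TLSv1.2": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"],
    "TLSv1.3": ["TLS_AES_256_GCM_SHA384"],
}

if __name__ == "__main__":
    for proto, suite, rating, reasons in evaluate_scan(SAMPLE_SCAN):
        print(f"[{rating:8}] {proto:8} {suite or '(protocol)'}")
        for why in reasons:
            print(f"             - {why}")
```

On the constructed scan the only suite that rates "strong" on TLS 1.2 is the ECDHE/AES-GCM one; every CBC suite is flagged twice (CBC mode and SHA-1), and the TLS 1.0/1.1 listeners are flagged on their own, regardless of what suites they offer, which mirrors the argument above: the fix is to disable the legacy protocols and the CBC/SHA-1 suites together.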
6.3 Active Information Gathering
This Learning Unit covers the following Learning Objectives:
• Learn to perform Netcat and Nmap port scanning
• Conduct DNS, SMB, SMTP, and SNMP Enumeration
• Understand Living off the Land techniques
In this Learning Unit, we will move beyond passive information gathering and explore techniques that involve direct interaction with target services. We should keep in mind that innumerable services can be targeted in the field, for example Active Directory, which we'll cover in more detail in a separate Module. We'll nevertheless review some of the more common active information gathering techniques in this Module, including port scanning and DNS, SMB, SMTP, and SNMP enumeration.
[243] (Wikipedia, 2022), https://en.wikipedia.org/wiki/Cipher_suite
[244] (Microsoft Security Response Center, 2013), https://msrc-blog.microsoft.com/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4/
Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
132
We'll mainly showcase active information gathering techniques that we can execute using pre-installed tools on our local Kali machine. However, in some cases during a penetration test, we won't have the luxury of running our favorite Kali Linux tool. In an assumed breach scenario such as this, we are typically given a Windows-based workstation by the client and must use what's available on Windows.
When "Living off the Land", we can leverage several pre-installed and trusted Windows binaries to perform post-compromise analysis. These binaries are shortened as LOLBins or, more recently, LOLBAS [245], to include Binaries, Scripts and Libraries.
Strictly speaking, the LOLBAS project catalogs binaries that are abused in ways other than their intended design. In this case, we'll relax the definition to include using standard Windows binaries "as they are" to perform information gathering.
In the upcoming sections, we are going to showcase the most popular LOLBAS techniques along
with common Kali tools used for active information gathering.
6.3.1 DNS Enumeration
The Domain Name System (DNS) [246] is a distributed database responsible for translating user-friendly domain names into IP addresses. It's one of the most critical systems on the internet. This is facilitated by a hierarchical structure that is divided into several zones, starting with the top-level root zone.
Each domain can use different types of DNS records. Some of the most common types of DNS
records include:
• NS: Nameserver records contain the name of the authoritative servers hosting the DNS records for a domain.
• A: Also known as a host record, the "A record" contains the IPv4 address of a hostname (such as www.megacorpone.com).
• AAAA: Also known as a quad A host record, the "AAAA record" contains the IPv6 address of a hostname (such as www.megacorpone.com).
• MX: Mail Exchange records contain the names of the servers responsible for handling email for the domain. A domain can contain multiple MX records.
• PTR: Pointer Records are used in reverse lookup zones and map an IP address back to the hostname associated with it.
• CNAME: Canonical Name Records are used to create aliases for other host records.
• TXT: Text records can contain any arbitrary data and be used for various purposes, such as domain ownership verification.
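Each of the record types above is a numeric type code in the DNS wire format, and a lookup is a small binary message exchanged over UDP port 53. The following is an added example (my own code, not part of the course material) that builds a query, builds the kind of answer a server would return, including the name-compression pointers that trip up naive parsers, and parses the answer back into (owner, type, TTL, data) tuples. Every record it uses is constructed for illustration; none of it is real DNS data for megacorpone.com.

```python
"""Build and parse DNS messages in RFC 1035 wire format.
Added example: not course material; every record below is constructed."""
import ipaddress
import struct

RECORD_TYPES = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}
TYPE_NAMES = {code: name for name, code in RECORD_TYPES.items()}


def encode_name(name):
    # "www.megacorpone.com" -> 03 'www' 0b 'megacorpone' 03 'com' 00
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, rtype, txid=0x1234):
    """Standard query, RD (recursion desired) set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", RECORD_TYPES[rtype], 1)


def build_response(query, records):
    """Answer `query` with one RR per (rtype, ttl, rdata_bytes).  Each RR's owner
    name is a compression pointer (0xC00C) to the question name at offset 12,
    exactly as real servers emit it, so a parser must follow pointers."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)  # QR|RD|RA
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", RECORD_TYPES[t], 1, ttl, len(rd)) + rd
                    for t, ttl, rd in records)
    return header + question + body


def decode_name(msg, offset):
    """Read a (possibly compressed) name; return (name, offset just after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # pointer: 11xxxxxx xxxxxxxx
            if not jumped:
                end = offset + 2                      # caller resumes after the pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_rdata(msg, rtype, off, rdlen):
    rdata = msg[off:off + rdlen]
    if rtype == 1:
        return str(ipaddress.IPv4Address(rdata))
    if rtype == 28:
        return str(ipaddress.IPv6Address(rdata))
    if rtype in (2, 5, 12):                           # NS, CNAME, PTR: a name (may be compressed)
        return decode_name(msg, off)[0]
    if rtype == 15:                                   # MX: 16-bit preference + name
        return struct.unpack("!H", rdata[:2])[0], decode_name(msg, off + 2)[0]
    if rtype == 16:                                   # TXT: one or more <len><chars> chunks
        parts, i = [], 0
        while i < len(rdata):
            parts.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii"))
            i += 1 + rdata[i]
        return "".join(parts)
    return rdata.hex()


def parse_response(msg):
    """Return {'id', 'rcode', 'answers': [(owner, type, ttl, data), ...]}."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                               # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        owner, offset = decode_name(msg, offset)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        answers.append((owner, TYPE_NAMES.get(rtype, rtype), ttl,
                        parse_rdata(msg, rtype, offset, rdlen)))
        offset += rdlen
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def demo_mx():
    """Round-trip a constructed MX answer for megacorpone.com (not real data)."""
    query = build_query("megacorpone.com", "MX")
    reply = build_response(query, [
        ("MX", 300, struct.pack("!H", 10) + encode_name("mail.megacorpone.com")),
        ("MX", 300, struct.pack("!H", 20) + encode_name("mail2.megacorpone.com")),
    ])
    return parse_response(reply)


if __name__ == "__main__":
    for owner, rtype, ttl, data in demo_mx()["answers"]:
        print(owner, ttl, rtype, data)
```

The parser is the part worth studying: owner names and the names inside NS, CNAME, PTR and MX rdata may be pointers back into the message, so `decode_name` must remember where the caller should resume before it jumps. Tools like host and dig do exactly this for you; seeing the raw layout explains why an A query, an MX query and a TXT query against the same name can return such different shapes of data.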
[245] (LOLBAS, 2022), https://lolbas-project.github.io/
[246] (Wikipedia, 2022), https://en.wikipedia.org/wiki/Domain_Name_System
Due to the wealth of information contained within DNS, it is often a lucrative target for active
information gathering.
Let's demonstrate this by using the host command to find the IP address of www.megacorpone.com.
kali@kali:~$