Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
132
We’ll mainly showcase active information gathering techniques that we can execute using pre-installed tools on our local Kali machine. However, in some cases during a penetration test, we won’t have the luxury of running our favorite Kali Linux tool. In an assumed breach scenario such as this, we are typically given a Windows-based workstation by the client and must use what’s available on Windows.
When “Living off the Land”, we can leverage several pre-installed and trusted Windows binaries to perform post-compromise analysis. These binaries are shortened as LOLBins or, more recently, LOLBAS [245] to include Binaries, Scripts and Libraries.
Strictly speaking, LOLBAS binaries are typically used in a way other than by design. In this case, we’ll relax the definition to include using standard Windows binaries “as they are” to perform information gathering.
In the upcoming sections, we are going to showcase the most popular LOLBAS techniques along with common Kali tools used for active information gathering.
6.3.1 DNS Enumeration
The Domain Name System (DNS) [246] is a distributed database responsible for translating user-friendly domain names into IP addresses. It’s one of the most critical systems on the internet. This is facilitated by a hierarchical structure that is divided into several zones, starting with the top-level root zone.
Each domain can use different types of DNS records. Some of the most common types of DNS records include:
• NS: Nameserver records contain the name of the authoritative servers hosting the DNS records for a domain.
• A: Also known as a host record, the “a record” contains the IPv4 address of a hostname (such as www.megacorpone.com).
• AAAA: Also known as a quad A host record, the “aaaa record” contains the IPv6 address of a hostname (such as www.megacorpone.com).
• MX: Mail Exchange records contain the names of the servers responsible for handling email for the domain. A domain can contain multiple MX records.
• PTR: Pointer Records are used in reverse lookup zones and can find the records associated with an IP address.
• CNAME: Canonical Name Records are used to create aliases for other host records.
• TXT: Text records can contain any arbitrary data and be used for various purposes, such as domain ownership verification.
[245] (LOLBAS, 2022), https://lolbas-project.github.io/
[246] (Wikipedia, 2022), https://en.wikipedia.org/wiki/Domain_Name_System
Due to the wealth of information contained within DNS, it is often a lucrative target for active information gathering. Let’s demonstrate this by using the host command to find the IP address of www.megacorpone.com.
kali@kali:~$
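The record types listed above and the host lookup just introduced can be combined into a small enumeration helper. The following script is an added example, not part of the course material: it assumes BIND's host utility is on the PATH and that its answer lines follow the usual "has address", "name server", "mail is handled by", "descriptive text" formats, and the sample output it parses is constructed with documentation addresses rather than taken from a real lookup.

```python
import re
import subprocess
from typing import List, Tuple

# Record types covered in this section; PTR is matched too for reverse lookups.
RECORD_TYPES = ("NS", "A", "AAAA", "MX", "CNAME", "TXT")
# One regex per answer-line format printed by BIND's `host` (assumed formats).
_PATTERNS = [
    ("A",     re.compile(r"^(\S+) has address (\S+)$")),
    ("AAAA",  re.compile(r"^(\S+) has IPv6 address (\S+)$")),
    ("NS",    re.compile(r"^(\S+) name server (\S+)$")),
    ("MX",    re.compile(r"^(\S+) mail is handled by (\d+ \S+)$")),
    ("CNAME", re.compile(r"^(\S+) is an alias for (\S+)$")),
    ("PTR",   re.compile(r"^(\S+) domain name pointer (\S+)$")),
    ("TXT",   re.compile(r'^(\S+) descriptive text "(.*)"$')),
]

def parse_host_output(text: str) -> List[Tuple[str, str, str]]:
    """Turn `host` output into (name, type, value) tuples; lines that carry no
    record ("has no MX record", "not found: 3(NXDOMAIN)") are skipped."""
    records = []
    for line in text.splitlines():
        for rtype, pattern in _PATTERNS:
            m = pattern.match(line.strip())
            if m:
                records.append((m.group(1), rtype, m.group(2)))
                break
    return records

def enumerate_domain(domain: str, types=RECORD_TYPES) -> List[Tuple[str, str, str]]:
    """Run `host -t <type> <domain>` for each record type and collect the answers."""
    found = []
    for rtype in types:
        proc = subprocess.run(["host", "-t", rtype, domain], capture_output=True, text=True)
        found.extend(parse_host_output(proc.stdout))
    return found

# Constructed sample output (documentation addresses, not the result of a real lookup).
SAMPLE_OUTPUT = """\
www.megacorpone.com has address 192.0.2.10
www.megacorpone.com has IPv6 address 2001:db8::10
megacorpone.com name server ns1.megacorpone.com.
megacorpone.com mail is handled by 10 mail.megacorpone.com.
megacorpone.com descriptive text "v=spf1 -all"
www.megacorpone.com has no CNAME record
Host nothere.megacorpone.com not found: 3(NXDOMAIN)
"""
if __name__ == "__main__":
    for name, rtype, value in parse_host_output(SAMPLE_OUTPUT):
        print(f"{rtype:5} {name:25} {value}")
```

Calling enumerate_domain("megacorpone.com") performs live queries, so run it only against domains you are authorized to test; parse_host_output works offline on captured output.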