5/19/2014 08:10 AM
John H. Sawyer
Commentary

Tech Insight: Free Tools For Offensive Security

A professional penetration tester offers a look at the latest free and open-source tools available for pen testing and offensive tactics.

There are a lot of excellent offensive security tools available online for free, thanks to open-source licenses and the security professionals who've created tools in an effort to give back to the community. But because they are created by individuals or open-source efforts without the marketing and promotion resources of a vendor, these tools may not be well known in the enterprise.

Two years ago I wrote a Tech Insight on offensive security tools that defenders can leverage to help find vulnerabilities and secure their environments. Today, I want to update that list with some currently available tools that should be included in every offensive and defensive security professional's toolbox.

I truly believe that a security professional focused on defense or offense must understand the tools and techniques used by the other side. Those who defend a network should be aware of the attacks they will face and the ways that attackers avoid detection. To become familiar with these approaches, they should try out some of these same attack methods.

Similarly, those focusing on offense must understand defensive strategies, different types of security controls, and the ways that defenders detect attacks. It's easier to detect an attack or evade detection when you know, firsthand, how the defenses work. If they understand offensive tools, defenders can proactively identify potential threats before they become a more serious problem.

A study of offensive methods also helps security teams find the easily exploitable vulnerabilities and fix them, so that future penetration tests can focus on scenario-based assessments tailored around the organization's specific threat profile.

Before we get into the latest tools specific to the four primary stages of penetration testing -- reconnaissance, mapping, vulnerability detection, and exploitation -- there are a couple of books and websites worth mentioning. The first is the Red Team Field Manual, or RTFM, which is essentially a "cheat sheet" of commands in printed form that can be a handy reference to keep in your backpack. If you like the cheat sheet format, then you'll probably like the RTFM book.

If you prefer a more detailed digital resource, I highly recommend the PwnWiki.io as an alternative. It can be accessed online or downloaded to your laptop. It has a wider breadth and depth of information compared to RTFM, is well organized, and is more likely to stay current. The PwnWiki is one of those GitHub repositories that I always update prior to going to a pen testing client site -- it ensures that I will have the most up-to-date content in case I need to reference it.

One book that definitely deserves mention is The Hacker Playbook: Practical Guide to Penetration Testing. It's the first book I've come across that has been written from the perspective of an actual penetration tester, and not someone who is simply repeating theory and listing tools with their man pages. While not an extensive guide on all the tools for every situation, it does a good job of taking the reader through the initial prep and on to the final goal.

Now let's look at some of the tools themselves. For the reconnaissance phase, the only tool I'll mention today is recon-ng. There are other tools and websites available, but recon-ng has matured quite a bit in the last year with updates and new modules (e.g., Facebook), making it one of the must-haves in an attacker's (and defender's) toolkit. When used head-to-head with similar tools, I've found that recon-ng discovers more valuable information. Documentation is available on the tool's site, and Tim Tomes's talk at the 2013 DerbyCon conference is a great presentation with live demonstrations.

During the mapping and vulnerability discovery phase, it's common to encounter a large number of web interfaces that need to be manually inspected. This can be time-consuming in a large environment, where you're likely to see 50 to 300+ HTTP servers. To expedite the process, PeepingTom and EyeWitness are two tools that can parse the XML output from Nmap and Nessus, connect to each identified HTTP(S) service, and take a screenshot.

Both tools will generate an HTML report that includes a screenshot, server headers, and a link to the website. It's a quick and easy way to see what the interface looks like, and it provides more detail than simply searching Nmap output for http-title.
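The parsing and reporting steps those two tools perform, as an added example that is not code from PeepingTom, EyeWitness or this article: it reads the XML that `nmap -oX` writes, keeps only open ports Nmap labelled as HTTP(S), and renders an HTML inventory of URLs with any captured headers. The scan XML, host names and addresses are constructed for the demo, and the helper names (`extract_web_targets`, `fetch_headers`, `render_report`) are my own; the screenshot step is left to the tools.

```python
"""Inventory of web interfaces from Nmap XML (added example, not tool code).

Parses `nmap -oX` output, keeps open ports that Nmap labelled as HTTP or
HTTPS, and renders an HTML table of URLs with any captured headers.
SAMPLE_NMAP_XML, its addresses and names are constructed for the demo.
"""
import html
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed Nmap XML, trimmed to the elements this parser reads.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="intranet.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports></host>
  <host><address addr="10.0.0.9" addrtype="ipv4"/><hostnames/>
    <ports>
      <port protocol="tcp" portid="8443"><state state="open"/><service name="http" tunnel="ssl"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports></host>
</nmaprun>
"""

# Service names Nmap uses for web servers (http-proxy/http-alt are common on 8080/8000).
WEB_SERVICE_NAMES = {"http", "https", "http-alt", "http-proxy"}


def extract_web_targets(nmap_xml):
    """Return [(display_name, port, url)] for every open HTTP(S) port."""
    targets = []
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        # Prefer the resolved name so name-based virtual hosts answer correctly.
        name_el = host.find("hostnames/hostname")
        name = name_el.get("name") if name_el is not None else addr_el.get("addr")
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if state is None or state.get("state") != "open" or svc is None:
                continue
            if svc.get("name") not in WEB_SERVICE_NAMES:
                continue
            # Nmap marks TLS either with tunnel="ssl" or with the name "https".
            tls = svc.get("tunnel") == "ssl" or svc.get("name") == "https"
            portid = int(port.get("portid"))
            targets.append((name, portid, f"{'https' if tls else 'http'}://{name}:{portid}/"))
    return targets


def fetch_headers(url, timeout=5):
    """HEAD one target and return its response headers ({} on any failure).
    Not exercised offline. A self-signed certificate fails verification here,
    which is the deliberate default rather than a bug."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.getheaders())
    except urllib.error.HTTPError as err:      # 4xx/5xx responses still carry headers
        return dict(err.headers.items())
    except (urllib.error.URLError, OSError):
        return {}


def render_report(targets, headers_by_url=None):
    """Render the HTML inventory. Every value is escaped: host names and
    server headers come from the scanned systems and could carry markup
    aimed at whoever opens the report."""
    headers_by_url = headers_by_url or {}
    rows = []
    for name, port, url in targets:
        hdrs = "<br>".join(f"{html.escape(k)}: {html.escape(v)}"
                           for k, v in sorted(headers_by_url.get(url, {}).items()))
        rows.append(f"<tr><td>{html.escape(name)}</td><td>{port}</td>"
                    f'<td><a href="{html.escape(url, quote=True)}">{html.escape(url)}</a></td>'
                    f"<td>{hdrs}</td></tr>")
    return ("<html><body><table><tr><th>Host</th><th>Port</th>"
            "<th>URL</th><th>Headers</th></tr>" + "".join(rows)
            + "</table></body></html>")


if __name__ == "__main__":
    found = extract_web_targets(SAMPLE_NMAP_XML)
    for _, _, url in found:
        print(url)
    print(render_report(found))
```

The escaping in `render_report` is the part worth copying: a report that pastes raw `Server` headers or reverse-DNS names into HTML is a cross-site scripting sink that the scanned hosts control, and the person opening it is usually the tester or the security team.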

A common issue found in nearly every pen test is a lack of controls around WPAD. WPAD is short for Web Proxy Auto-Discovery Protocol and is how computers can automatically identify a web proxy and proxy configuration file on a local network. By default, Windows systems are configured to search for hosts named WPAD, making them easily susceptible to name-spoofing and man-in-the-middle attacks. Unless a company is already using a proxy and has disabled the automatic discovery, WPAD is almost always exploitable and has frustrated many a sysadmin.

Previously, I used Metasploit to spoof a WPAD host, serve up a wpad.dat file that pointed to my Burp proxy, and inject malicious code into HTTP traffic going to local machines. But that's all changed with the release of Trustwave SpiderLabs' Responder tool. In addition to collecting password hashes that can be cracked or used as part of an SMB relay attack, Responder has full WPAD spoofing capabilities, can steal cookies, can insert malicious HTML, and can replace EXE files being downloaded with a malicious executable file.
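A detection angle on the WPAD weakness and the Responder behaviour described above, as an added example that is not code from Responder, Metasploit or this article: it scans name-resolution and proxy-fetch log lines for wpad lookups that fell through to LLMNR or NBT-NS (the opening a spoofing host needs), for hosts other than the approved proxy answering them, and for wpad.dat being fetched from such a host. The log format, every address in it, and the `APPROVED_PROXIES` allow-list are constructed assumptions.

```python
"""Detect WPAD fall-through and spoofed WPAD answers in name-resolution logs.

Added example for the WPAD/Responder discussion; not code from Responder or
the article. SAMPLE_LOG, its key=value format and every address in it are
constructed, and APPROVED_PROXIES is an assumed allow-list. The logic: a
Windows client that gets no DNS answer for "wpad" retries over LLMNR and
NBT-NS, where any host on the segment may answer, so the signals are
(1) wpad lookups that reached LLMNR/NBT-NS at all, (2) a host outside the
allow-list answering them or being named in DNS, and (3) wpad.dat fetched
from such a host.
"""
import re
from urllib.parse import urlparse

# Constructed log lines (one event per line, "timestamp key=value ...").
SAMPLE_LOG = """\
2014-05-19T08:10:01 src=10.0.0.23 proto=DNS query=wpad.corp.example rcode=NXDOMAIN
2014-05-19T08:10:01 src=10.0.0.23 proto=LLMNR query=wpad
2014-05-19T08:10:01 src=10.0.0.99 proto=LLMNR answer=wpad addr=10.0.0.99
2014-05-19T08:10:02 src=10.0.0.23 proto=HTTP get=http://10.0.0.99/wpad.dat
2014-05-19T08:10:05 src=10.0.0.41 proto=DNS query=wpad.corp.example rcode=NOERROR addr=10.0.0.2
2014-05-19T08:10:09 src=10.0.0.57 proto=NBNS query=WPAD
"""

APPROVED_PROXIES = {"10.0.0.2"}  # assumed: the only host allowed to serve wpad.dat
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split 'ts key=value key=value ...' into a dict; ts kept under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(FIELD_RE.findall(rest))
    event["ts"] = ts
    return event


def is_wpad_name(name):
    """'wpad', 'WPAD' and 'wpad.<domain>' all denote the WPAD host."""
    name = name.lower()
    return name == "wpad" or name.startswith("wpad.")


def find_wpad_findings(log_text, approved=APPROVED_PROXIES):
    """Return [(severity, src, offending_host_or_None, message)] in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        proto, src = ev.get("proto", ""), ev.get("src", "?")
        if proto in ("LLMNR", "NBNS"):
            if is_wpad_name(ev.get("query", "")):
                # DNS gave no answer, so the client asked the whole segment.
                findings.append(("medium", src, None,
                                 f"wpad lookup fell through to {proto}; no DNS wpad record"))
            if is_wpad_name(ev.get("answer", "")) and src not in approved:
                findings.append(("high", src, src,
                                 f"unapproved host answered wpad over {proto} (spoofing pattern)"))
        elif proto == "DNS" and is_wpad_name(ev.get("query", "")) and "addr" in ev:
            if ev["addr"] not in approved:
                findings.append(("high", src, ev["addr"],
                                 "DNS resolved wpad to an unapproved host"))
        elif proto == "HTTP" and "get" in ev:
            url = urlparse(ev["get"])
            if url.path.lower().endswith("/wpad.dat") and url.hostname not in approved:
                findings.append(("high", src, url.hostname,
                                 f"client fetched wpad.dat from unapproved host {url.hostname}"))
    return findings


def spoofing_hosts(findings):
    """Hosts implicated by high-severity findings: candidates for isolation."""
    return {host for sev, _, host, _ in findings if sev == "high" and host}


if __name__ == "__main__":
    results = find_wpad_findings(SAMPLE_LOG)
    for sev, src, host, msg in results:
        print(f"[{sev:6}] src={src:<10} {msg}")
    print("suspected WPAD spoofers:", sorted(spoofing_hosts(results)))
```

The medium findings are the fix list, and the high findings are what to alert on: registering a wpad record in DNS that points at the real proxy (or disabling automatic discovery on the clients) stops the fall-through to LLMNR/NBT-NS, and with it the opening the spoofing attack relies on.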

Another strong tool in the exploitation category is actually a suite of scripts for Windows PowerShell. PowerSploit's scripts are designed to assist penetration testers with privilege escalation, bypassing antivirus, exfiltration, and code execution. Even in highly sensitive environments locked down with multiple layers of protection -- including antivirus and application whitelisting -- PowerSploit can be used because PowerShell is a legitimate systems administration tool and is rarely restricted.

With these tools -- as well as those I covered in the previous article -- enterprise defenders have a powerful arsenal to identify weak areas in their networks and demonstrate how these vulnerabilities can be exploited. Every tool listed is freely available and open-source. Security teams can easily take advantage of these tools to proactively find and fix potential vulnerabilities before a malicious attacker has a chance to exploit them.

Comments
Marilyn Cohodas,
User Rank: Strategist
5/21/2014 | 3:05:58 PM
Thanks for the great interview and live chat, JohnSawyer
For anyone who wants to get some additional insight about what it takes to be a penetration tester, be sure to check out Tim Wilson's Dark Reading radio interview with John: Day In The Life of a Penetration Tester. Lots of really interesting commentary from DR community members in the live chat that followed the broadcast. Here's the link.
johnhsawyer,
User Rank: Moderator
5/21/2014 | 1:15:10 PM
Re: prevalence?
Hi, Kelly.

Thank you for the question. Which clients use the tools? Well, if they're a client, then they've likely been subjected to all the tools as part of the testing we've performed for them. Whether or not they're actually using them is hard to say. I know of several specific examples where clients' security teams perform regular recon looking for compromised credentials, defaced sites, employees posting sensitive information, etc. For that, they use recon-ng.

The rest of the tools I've seen used during specific demonstrations to show other IT groups within the company vulnerabilities and to prompt the other groups to fix those issues. A lot of this depends on the size of the team, how mature the team is (and the company), are they stuck in reactive mode or do they have time for proactive tasks, and other similar team attributes.

I'd like to see more security teams taking advantage of these tools as I think it would open their eyes to issues they're vulnerable to and help them fix issues before having a 3rd party tester coming in so the 3rd party's time can be focused on critical, high risk areas.

-jhs
johnhsawyer,
User Rank: Moderator
5/21/2014 | 1:00:19 PM
Re: PwnWiki!
Hey, Ed. Thanks for the comment. PwnWiki is a great resource. It's definitely come in handy on a few different pen tests. I need to get my updates sent in sometime soon but just haven't had the time to sort through my notes and get them into a pull request.

-jhs
Ed Moyle,
User Rank: Apprentice
5/20/2014 | 9:49:54 AM
PwnWiki!
Just wanted to say thanks for getting this started. Nice to see PwnWiki getting some love.
Kelly Jackson Higgins,
User Rank: Strategist
5/19/2014 | 6:46:46 PM
prevalence?
John, do many of your enterprise clients use these tools today? 
Hadetona,
User Rank: Apprentice
5/19/2014 | 1:22:16 PM
Very Helpful!
This article is very helpful, I must say! Keep up the good work!