Penetration Testing Using The Kill Chain Methodology

Academic year: 2021

Penetration Testing Using The “Kill Chain” Methodology

Presented by: Rupert Edwards 


This course is intended for a technically astute audience. This course is 98% hands-on. The attendee should have some basic knowledge of the systems being tested in this course’s scenarios and lab.

 

This course will focus on three areas: methodology, tools, and technique.   

Let us note that there are tons of tools that will net the same results. To maintain focus on all three aspects, we will be using just a small subset of popular pentesting tools. If I may add, some of my favorite tools did make it on the list, such as “shellter” and “the-backdoor-factory”. Other tools outside of the Kill Chain tools will be discussed and used in this course.

 

Refer to the syllabus for more detail. 

What will not be covered in this material: 

● We will not rehash definitions of white hat vs black hat vs gray hat. The assumption is made that you know what penetration testing is and what a pen-tester’s job entails. Let us start by stating the fact that I am not a lawyer (IANAL). You should be aware of the legal ramifications that come with being a pen-tester.

● Know the rules of engagement. Without any rules established, it defaults to a black hat scenario – hence it is not good.

● This material will not go over every tool’s details and usage. These tools are feature rich.

What will be covered in this material: 

● Why there is a need for a penetration test, and a description of a pen-tester.

● Most importantly, to get your Kill Chain environment set up, and to get familiar with the tools.

● This document’s main focus is on the software installation and the tools setup thereafter. It will also introduce some terms that are thrown around a lot in the pen-testing community and are often used within the tools themselves.


Penetration Testing 

The goal: to identify security vulnerabilities in systems and humans.

The benefits of penetration testing:

● Preventing financial loss
● Preserving corporate image
● Easy targets are often referred to as “low hanging fruit”.
● These systems tend to make up a good portion of the “botnets”.

What is a Penetration Tester?

● A penetration tester’s job is to see how deep into a system one can penetrate. A system might include, but is not limited to, the applications group, desktops group, mobile group, and servers group. A system may also be a logical system that might include all things related to Information Technology (IT) inside the building and outside the building, which may include the IT staff, its in-house training, and how it responds to an incident.

● Because such systems are very complex, it is imperative to detail every bit of information and by what means it was acquired. Not all the information will be useful or necessary in the final analysis, but some vulnerabilities are not immediately obvious.

● Penetration testing is not very useful without proper documentation and remediation. The pen-tester’s paramount concern should be on the remediation.

● Recommended read: Models of a Red Team Operations


The “Kill Chain” approach to penetration testing 

 

What is “Kill Chain”?   

From Wikipedia:  

The term kill chain was originally used as a military concept related to the structure of an attack; consisting of target identification, force dispatch to target, decision, order to attack the target, and finally the destruction of the target.

 

1. Reconnaissance – Uses social engineering to find weaknesses in the target’s security posture.

2. Weaponization – Crafting attack tools for the target system.

3. Delivery – Delivering the attack tools to the target system.

4. Exploit – The malicious file, crafted to exploit an application or operating system vulnerability, is opened by the victim on the target system.

5. Installation – A remote control program is installed on the target system.

6. Command & Control – Successfully compromised hosts create a C2 channel over the Internet to establish a connection with the C2 server.

7. Actions – After the preceding steps, the attacker continues to steal information from the target system, undermines the integrity and availability of information, and further uses the controlled machine as a jump point to attack other machines and expand the sphere of influence.
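As an added defender-side example (not part of the course material), the seven phases above can be used to rate how far an intrusion got: each alert is mapped to a phase, the deepest phase per host says where the controls finally stopped (or failed to stop) the chain. The regex rules and the log lines are constructed assumptions for this example.

```python
import re

# The seven Kill Chain phases as the deck lists them, in attack order.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploit",
          "Installation", "Command & Control", "Actions"]

# Hypothetical detection rules (regex over the log message -> phase); assumptions
# for this example only. Weaponization happens on the attacker's side, so a
# defender rarely has a log line for it.
RULES = [
    (re.compile(r"phishing|pretext call|employee list scraped", re.I), "Reconnaissance"),
    (re.compile(r"attachment received|downloaded from external", re.I), "Delivery"),
    (re.compile(r"winword\.exe spawned|macro executed", re.I), "Exploit"),
    (re.compile(r"new service installed|run key added", re.I), "Installation"),
    (re.compile(r"outbound beacon|c2 connection", re.I), "Command & Control"),
    (re.compile(r"exfil|lateral movement|credential dump", re.I), "Actions"),
]

# Constructed sample log, one record per line: "<host> <message>".
SAMPLE_LOG = [
    "ws01 attachment received invoice.doc from external sender",
    "ws01 winword.exe spawned powershell.exe",
    "ws01 run key added for updater.exe",
    "ws01 outbound beacon to 203.0.113.5:443 every 60s",
    "ws07 phishing email reported by user",
    "ws07 attachment received quote.xls",
    "srv02 scheduled backup completed",
]

def classify(message):
    """Return the Kill Chain phase a log message indicates, or None."""
    for pattern, phase in RULES:
        if pattern.search(message):
            return phase
    return None

def furthest_phase(lines):
    """Map each host to the deepest phase seen for it (how far the chain got)."""
    progress = {}  # host -> index into PHASES
    for line in lines:
        host, _, message = line.partition(" ")
        phase = classify(message)
        if phase is not None:
            progress[host] = max(progress.get(host, -1), PHASES.index(phase))
    return {host: PHASES[i] for host, i in progress.items()}

def links_to_break(lines):
    """Phases preceding the deepest one: each is a link a control could have broken."""
    return {host: PHASES[:PHASES.index(deepest)]
            for host, deepest in furthest_phase(lines).items()}
```

Run `furthest_phase(SAMPLE_LOG)` to see that ws01 reached Command & Control while ws07 was stopped at Delivery.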


A walk-through of Kill Chain and its attack tools

 

killchain.py: Kill Chain was created for teaching pentesting methodology to a large group of students and professionals.


● Anonymizer – The Kill Chain console is equipped with a built-in anonymizer that uses the Tor network for anonymity.

 

“Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.”

courtesy Tor website

● The Kill Chain De-Anonymizer should be self-explanatory.

● Kill Chain SET toolkit is for reconnaissance and social engineering. “The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and supported heavily within the security community.

 

The Social-Engineer Toolkit has over 2 million downloads and is aimed at leveraging advanced technological attacks in a social-engineering type environment.


TrustedSec believes that social-engineering is one of the hardest attacks to protect against and now one of the most prevalent. The toolkit has been featured in a number of books including the number one best seller in security books for 12 months since its release, “Metasploit: The Penetration Tester’s Guide” written by TrustedSec’s founder as well as Devon Kearns, Jim O’Gorman, and Mati Aharoni.”

courtesy TrustedSec website 

 


● Kill Chain OpenVAS – to perform vulnerability assessments against the target.

“OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.”

courtesy OpenVAS website


● Veil-Evasion – generate payload executables that bypass common antivirus solutions.

courtesy Veil-Framework website


● Kill Chain WebSploit Advanced MITM Framework – performs social engineering along with man-in-the-middle attacks and much more. This is a full-featured pentesting tool.


● Kill Chain Metasploit Framework is for executing exploits against targets. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its best-known sub-project is the open source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research. The Metasploit Project is well known for its anti-forensic and evasion tools, some of which are built into the Metasploit Framework.


● Kill Chain WiFite – for wireless site survey.


Setting up your “Kill Chain” environment 

What software is required:

Pen-testing OS:
● “K” Linux – Free Download

Virtual Machine Applications:
● VMWare Player – Free
● VirtualBox – Free Download for Linux, Windows, and OS X
● Parallels – Costs Money; For OS X

Installing killchain.py
● sudo apt-get update
● Follow the screenshots below. In the screenshot I am root.

sudo apt-get install websploit openvas veil-evasion tor
sudo git clone https://github.com/ruped24/killchain
cd killchain
sudo python killchain.py


Once the installation is complete, go through the options on the menu. Option 4, OpenVAS, takes a while on first run. Go get a coffee or two. You can launch multiple Kill Chain sessions; no need to watch paint dry.

 

Once OpenVAS setup has completed, reset the OpenVAS web interface admin password by running the commands below in an external terminal.

 

openvas-start

openvasmd --user=admin --new-password=Your_new_reset_admin_password

 

Point your browser to https://localhost:9392

 

Login Username = admin

Login Password = Your_new_reset_admin_password

 

Option 5, note on Veil-Evasion:

Veil-Evasion will complete the setup upon launch. Accept all the defaults. This takes a while. Don’t leave the screen, though; there are dialogs you will have to click through. Once it’s complete, it will auto-launch.

Option 6, WebSploit: To exit websploit, type exit.

Option 7, Metasploit: To exit metasploit, type exit.

Option 8, WiFite: It is for site survey within the context of this course. Run wifite in an external terminal to do wireless attacks against the target.

Now you should be cooking with gas.

“Tell me and I’ll forget; show me and I may remember; involve me and I’ll understand.”


Terms and definitions: 

Target – A target is a specific system or a specific group of systems.

C2 Server – Command-and-control servers, also called C&C or C2, are used by attackers to maintain communications with compromised systems within a target network. The terms “command” and “control” are often bandied about without a clear understanding, even among some security professionals, of how these communication techniques work to govern malware.

 

Exploits – Exploit code is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack.

 

Injection – Code injection is the exploitation of a computer bug that is caused by processing invalid data. Injection is used by an attacker to introduce (or “inject”) code into a vulnerable computer program and change the course of execution. The result of successful code injection is often disastrous (for instance: code injection is used by some computer worms to propagate).

 

Payload – A payload refers to the part of malware which performs a malicious action. In the        analysis of malicious software such as worms, viruses and Trojans, it refers to the software’s        harmful results. 

 

Shellcode – Shellcode is basically a list of carefully crafted instructions that can be executed once the code is injected into a running application. Stack- and heap-based buffer overflows are the most popular way of doing so. The term shellcode literally refers to written code that starts a command shell.

 

Encoder – An encoder is a device, circuit, transducer, software program, algorithm or person that converts information from one format or code to another, for the purposes of standardization, speed or compression.


Backdoor – A backdoor is an undocumented method of gaining access to a program or a computer by using another installed program or rootkit that bypasses normal authentication. The backdoor is generally written by the programmer who created the original program and is often only known to that person.

 

Reverse shell – A reverse shell is a type of shell in which the target machine communicates back to the attacking machine. The attacking machine has a listener port on which it receives the connection, and through that connection code or command execution is achieved.

 

Bind shell – A bind shell is a type of shell in which the target machine opens up a communication port or a listener on the victim machine and waits for an incoming connection. The attacker then connects to the victim machine’s listener, which then leads to code or command execution on the server.
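The two definitions above differ only in which side owns the listener, which is exactly what a defender can read off a host’s socket table. As an added example (not from the course), the function below labels sockets owned directly by a shell process using those definitions; the connection records and the shell list are constructed assumptions.

```python
# Constructed connection records in the shape of an `ss -tnp` style listing:
# (local_address, remote_address, state, owning_process). Sample data only.
CONNECTIONS = [
    ("0.0.0.0:22", "*", "LISTEN", "sshd"),
    ("0.0.0.0:4444", "*", "LISTEN", "sh"),
    ("10.0.0.5:51022", "198.51.100.9:443", "ESTABLISHED", "bash"),
    ("10.0.0.5:51023", "198.51.100.9:443", "ESTABLISHED", "firefox"),
    ("10.0.0.5:22", "10.0.0.20:40112", "ESTABLISHED", "sshd"),
    ("10.0.0.5:4444", "198.51.100.9:50211", "ESTABLISHED", "sh"),
]

# Interactive shells that normally never own a network socket themselves
# (assumed list; extend it for the platforms you monitor).
SHELL_PROCESSES = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}

# Assumption: Linux default ephemeral port range starts at 32768, so a shell
# whose local port is ephemeral initiated the connection (dialed out).
EPHEMERAL_START = 32768

def classify_connection(local, remote, state, process):
    """Label a shell-owned socket per the deck's definitions, or None.

    bind shell:    the shell on the target is the listener (or has accepted
                   a connection on the port it was listening on).
    reverse shell: the shell on the target dialed out to the attacker's listener.
    """
    if process not in SHELL_PROCESSES:
        return None
    if state == "LISTEN":
        return "bind shell"
    if state == "ESTABLISHED" and remote != "*":
        local_port = int(local.rsplit(":", 1)[1])
        if local_port >= EPHEMERAL_START:
            return "reverse shell"
        return "bind shell (connected)"
    return None

def find_shell_sockets(connections):
    """Return (process, local, remote, label) for every shell-owned socket."""
    findings = []
    for local, remote, state, process in connections:
        label = classify_connection(local, remote, state, process)
        if label is not None:
            findings.append((process, local, remote, label))
    return findings
```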

 

Meterpreter – Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.

 

Site survey – A wireless site survey, sometimes called an RF site survey or wireless survey, is the process of planning and designing a wireless network, to provide a wireless solution that will deliver the required wireless coverage, data rates, network capacity, roaming capability and Quality of Service (QoS).

Cyber Kill Chain® is a registered trademark of Lockheed Martin.
