The Rapture [of Pen Testing]

August 9, 2011


Attack, Repel, Defend

While at Black Hat last week, I had the opportunity to take the “Real World Security: Attack, Defend, Repel” training/challenge, hosted by the folks at Peak Security. As a Development Manager for Core Insight, it’d been a long time since I had the opportunity to work in any sort of hands-on pen-testing scenario. I had been a software engineer before that, and was even further removed from my network security days.

So, I heard the briefing and expectation of the challenge, and then got to work. My team was on the defensive aspect first. The real problem was we were given the defense of a bunch of machines for which we didn’t have a lot of passwords and had very little knowledge of where the critical assets or “crown jewels” were locked away.

Rapture Security

I loaded up the VM for the class, and it came complete with a lot of software you might expect to find in a typical IT toolbox. The only problem I realistically had was that the pen testing tool they provided me with was Metasploit Pro (MS Pro). So, I and other members of my team fired it up and started using it. The main issue I had was that it was poor for quick recon, mainly due to the web interface. With a timed challenge, a bunch of hungry attackers at my front door, and a bunch of assets I needed to uncover, I shut down the VM and opened my copy of Impact Pro.

The people running the course didn’t limit the tools people used, so everything was legit. After a few minutes of being able to scan in the Impact UI and having quick access to all the machine properties through the panes, I was able to accurately triage the weak points and find our assets in the network. It would’ve taken me a lot longer in MS Pro or command line NMAP to access that information. And even longer to format it for display so I could show my teammates what needed to be done. After a little while, it became clear they were also pretty eager to take a crack at this challenge using Impact, so I called up the home office and had a number of licenses sent out to my teammates to use the following day, when we’d be on the attacking side.

The scenario was designed to be a failure for the Defending team. It was supposed to teach the attendees what it felt like to undergo a breach of a massive scale and scramble to protect what was most important. So, after seeing what the other team was able to do, we were eager to be on the attack.

My team asked me to take the lead on tracking down which aspects of the network needed to be bashed in, and to hand out assignments for vulnerability analysis/breach. So, after doing a quick scan of the DMZ, I was able to identify the most likely target for getting a toehold. After a few minutes of analysis, I launched an exploit against that target and was inside (running as ‘daemon’). I then did a quick privilege escalation, deployed a permanent agent, installed pcap and pulled in the shadow password file.

After looking at some internal routing, I was able to locate their user subnets. I launched an internal portscan after pivoting off the DMZ machine I now pwned. After that was done, I analyzed the output, and then did an external scan to locate weaknesses in their firewalling. I found more than a few. They had blocked ICMP but not TCP, so I was still able to profile them with Fast SYN.

After only a few hours we were well beyond the initial assignment of “find a toehold” and were deep into their network. We had made several user accounts across their domain, gotten into the DBs we saw, and had generally made nuisances of ourselves.

They eventually just ended the class a few hours early, because we had achieved our objectives well in advance. When the points were finally tallied and the peer reviews were done, my team won and I was made the MVP for the 18 person crew.

I know this might sound like a blatant advertisement, and I could be biased because I work for Core. But I’m not a sales guy, nor do I work for the Impact team. I’m an engineer who really wanted to win and excel. The enhanced functionality of Impact was a clear advantage over MS Pro: it let us manage the data quickly and efficiently and helped my team achieve overall victory. At the end of the day, it helped me shine as a technologist.

If I thought MS Pro would’ve helped me win, I would’ve used it. It’s not like there was a camera monitoring me, or anyone would’ve thought less of me in a group of technologists. I used Impact Pro because in this scenario, speed and efficiency mattered. I felt I was hamstrung using a web-based UI, and the command line interface of the Framework would’ve also taken too long. Never mind that I couldn’t easily pivot, so my breach into their internal net would’ve been far more limited and slow. I’m a programmer at heart… I’ve got all the love in the world for open-source technology, but in this instance, Impact was the right tool for the job.

I’d like to thank everyone else on Team Rapture and the guys at Peak who made this training class a great experience for me. If you haven’t attended one of their Real World Security training scenarios, I highly recommend it.


Video: My experience at Black Hat's "Attack, Repel, Defend" simulation

- Kenneth Pickering, Development Manager, CORE INSIGHT
