In praise of tactical exploitation

Having honed my skills during the X.25 and Phreaking era, I’ve always been a vocal proponent of a tactical approach to penetration testing that does not focus on exploiting known software vulnerabilities, but instead relies on old school techniques such as information gathering and credential guessing. While being able to appreciate the occasional usefulness of a well-timed 0day, as a veteran penetration tester I favor an exploit-less approach.

As pointed out by HD Moore and Valsmith in their 2007 whitepaper, tactical exploitation is “The Other Way to Pen-Test”. It provides a smoother and more reliable way of compromising targets by leveraging process vulnerabilities, while minimizing attack detection and other undesired side effects.

Over the years, I’ve published a few tools to assist penetration testers during their assignments. In the past weeks, with the excuse of practicing with Python 3, I’ve developed some proof of concept tactical exploitation tools. They can be found here: https://github.com/0xdea/tactical-exploitation

The first script I would like to introduce is easywin.py. It’s basically a mashup of enum4linux and my own old samba-hax0r. It provides a toolkit for exploit-less attacks aimed at Windows and Active Directory environments, by leveraging information gathering and brute force capabilities against the SMB protocol. It’s kinda ugly (come on, subprocess?!) but it works better than any other similar tool I’ve used, including Metasploit modules and other industry standard tools.

The screenshot below illustrates a typical information gathering session against a single target.

The second script, poriluk.py, provides a convenient interface to exploit common information leakage vulnerabilities, similar to a subset of the functionality available in my old brutus.pl. At the moment, only a few attacks are supported for demonstration purposes:

  • SMTP: dictionary-based user enumeration via VRFY/EXPN/RCPT
  • HTTP: dictionary-based user enumeration via UserDir

An example run of the SMTP RCPT scanner on a single vulnerable mail server is shown in the screenshot below.

Again, nothing fancy, but it gets the job done.
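On the receiving side, the SMTP user enumeration described above shows up as a burst of unknown-recipient rejections or VRFY/EXPN commands from a single client. As an added example (not part of the original post or its repository), the following detector runs over constructed Postfix-style log lines and flags sources that exceed a per-minute probe threshold; the log format, IP addresses and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a Postfix-like syslog format (not real server output).
SAMPLE_LOG = """\
Mar 10 09:00:01 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <alice@example.com>: Recipient address rejected: User unknown
Mar 10 09:00:02 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown
Mar 10 09:00:02 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown
Mar 10 09:00:04 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <carol@example.com>: Recipient address rejected: User unknown
Mar 10 09:00:07 mx postfix/smtpd[1002]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.9]: 550 5.1.1 <jon.smtih@example.com>: Recipient address rejected: User unknown
Mar 10 09:05:00 mx postfix/smtpd[1003]: warning: unknown[192.0.2.77]: VRFY command rejected
Mar 10 09:05:00 mx postfix/smtpd[1003]: warning: unknown[192.0.2.77]: EXPN command rejected
Mar 10 09:05:01 mx postfix/smtpd[1003]: warning: unknown[192.0.2.77]: VRFY command rejected
"""
TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")
RCPT_RE = re.compile(r"RCPT from \S+\[([\d.]+)\]: 550 5\.1\.1 <([^>]+)>")
PROBE_RE = re.compile(r"\[([\d.]+)\]: (VRFY|EXPN) command rejected")

def parse_events(log, year=2020):
    # Return (time, src_ip, key) per relevant line: key is the unknown recipient for
    # RCPT rejects, or the VRFY/EXPN command tagged with its line number so each counts.
    events = []
    for n, line in enumerate(log.splitlines()):
        if not (ts := TS_RE.match(line)):
            continue
        when = datetime.strptime(f"{year} {ts.group(1)}", "%Y %b %d %H:%M:%S")
        if m := RCPT_RE.search(line):
            events.append((when, m.group(1), m.group(2).lower()))
        elif m := PROBE_RE.search(line):
            events.append((when, m.group(1), f"{m.group(2)}#{n}"))
    return events

def detect_enumeration(log, threshold=3, window=timedelta(seconds=60)):
    # Return {src_ip: peak} for sources with >= threshold distinct probes inside any
    # sliding window; repeats of one mistyped address count once and never trip it.
    by_ip = defaultdict(list)
    for when, ip, key in parse_events(log):
        by_ip[ip].append((when, key))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start, peak = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({k for _, k in evs[start:end + 1]}))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Running `detect_enumeration(SAMPLE_LOG)` flags 203.0.113.5 and 192.0.2.77 with three probes each, while the partner host with a single typo stays below the threshold.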

The third script is named botshot.py. It simply captures screenshots of websites from the command line using Selenium with PhantomJS, in order to automate mapping of the web attack surface of large networks. It’s very fast and easy to use.

The screenshot below shows an example run against a short list of URLs.

Another web-related script is verbal.py, an HTTP request method security scanner. It tries a series of interesting HTTP methods against a list of website paths, in order to identify those that are available and accessible. The following HTTP methods are currently supported: GET, OPTIONS, TRACE, DEBUG, PUT.

An example run is shown in the following screenshot.

Then there’s netdork.py. It uses the Google Custom Search Engine API to collect interesting information on public networks and stealthily map the available attack surface. The following attacks are supported:

  • Network search sweep based on target CIDRs
  • Subdomain discovery via search engine

Here’s a demonstration of what it can do.

Beware that Google enforces a hard limit of 100 free searches per day. Use it wisely!

The last script is a pure Python 3 implementation of the staging protocol used by the Metasploit Framework. Just start an exploit/multi/handler (Generic Payload Handler) instance on your attack box with either a reverse_tcp or bind_tcp Meterpreter payload, then run letmein.py (ideally converted to EXE format) on a compromised Windows box and wait for your session. This technique is quite effective at bypassing antivirus and obtaining a Meterpreter shell on Windows. It’s a cool proof of concept; however, in real life Python may not be the best choice for this task, for a number of reasons (including the sorry state of Python EXE packagers).

That’s it! I intend to keep adding tools and functionalities in my spare time. Let me know if you have issues or pull requests.