Tuesday, 4 June 2013

PENETRATION TESTING FULL TUITORIAL+KIT DOWNLOAD

INGUMA PENETRATION TESTING AND VULNERABILITY RESEARCH TOOLKIT



This documents aims to provide a fast introduction to Inguma PyGtk GUI and guide new users on the initial fast steps to perform a basic test agains one target. It will not be a complete guide of all Inguma's features.
First we need to run ginguma.py as root or administrator user so all modules could be launched.
user@laptop:~/Inguma$ sudo ./ginguma.py
[sudo] password for user:
Checking:
        GTK UI dependencies...  OK
WARNING: No route found for IPv6 destination :: (no default route?)
        Scapy...                OK
        Network conectivity...  OK
        GtkSourceView2...       OK
        VTE Terminal...         OK
        /usr/bin/nmap...        OK
        /pentest/web/w3af/w3af_console...       OK
Starting Inguma, running on:
  Python version:
    2.6.4 (r264:75706, Dec  7 2009, 18:45:15)
    [GCC 4.4.1]
  GTK version: 2.18.3
  PyGTK version: 2.16.0
Once the aplication finishes loading there are two main paths to follow in order to start working:
Manually launch the desired modules one by one: discovers->ipaddr, dicovers-> tcptrace, etc...
Use the “Add Target” button so the first non intrusive probes will be done automatically.
We will use the second one. So press the “Add Target” button and a new dialog will appear. Select “domain”, fill the text input with the name of your target like “testphp.acunetix.com”, don't select “Use Nmap” as we want to use Inguma's own modules, and press “Accept”.



For each of the modules launched a new "output dialog" will apperar containing the module output, also at the bottom of the application, the“Actions” tab will have a new entry for each executed module.




Once all modules finish to execute, some new data will be added in the two main information areas of the GUI: the map and the data tree.
On the tree a new node will appear for the new target containing all the information gathered. If you want to see all it at the same time, press the button “Show Log” at the top toolbar to hide the log window.
The main window is dominated by the network map, press the button “Show KB” to hide also the side pannel and give more space to the map. Actually the map shows network trace to the target and we can have it also clustered by ASN information if we right-click on a blank part of the map and press “Get ASN” option:






After finished, if you recover bottom pannel with the “Show Log” button, change to the “Logs” tab so you can see this module output.




Now the map offers information about the nodes between our network and the target and the networks we cross in every comunication. The toolbar at the right of the map offers options to modify map “Zoom” (first four buttons) and “Orientation” (next four ones with arrow icons).
The last one is helpful in situations were you have many distant targets and you are not interested in intermediate nodes, by pressing it the graph will fold those nodes to allow faster access to targets.




This map has two different contextual menus that popup on right clicking a node or a blank portion of the graph.
The node's menu offers many node's information and also classified modules that can be launched against this node.
The graph menu goups actions that affect the whole graph, like the “Get ASN” we already used, and different graphs that show the Knowledge Base (KB) information in different manners.
Step-XX.png
Let's advance with a portscan probe against our target. For this we will use “nmapscan” module. On ginguma's startup one of the dependency checks looked for nmap presence. If the check was ok right click on target node (in red) and go to “Gathers->Scanners->nmapscan”:




This new dialog offers many scan profiles already prepared and the option to customize your scan by manually feeding the command text entry. If you don't remember any Nmap option just press the “Help” button.



Wait until scan finishes and then let's see what has changed. Now we can see scan results on the normal popup dialog. Also KB Tree and map have been updated with new information regarding open ports, services found and Operative system.



On the targte's node at the map we can see now OS infromation directly and the new information on the node's menu:




The "Services" submenu groups information and actions for each one of the open ports found. Information like port number or service detectedand actions like open in a browser (for HTTP related ports) or in terminal (telnet or console like servces). Also brute force modules are offered here.
As we found an HTTP server on port 80 of this target, let's do some basic vulnerability assesment of the service using the nikto module. First, let's update the nikto rules database by pressing the “Properties” button on the top toolbar, going to “Update” tab and pressing the update button for the “Nikto Rules”.




As always, once finished a module output dialog will popup with the output information. So we now have the rules updated and all we need is to popup the target's menu and go to “Gathers->web->nikto” module.
A small dialog will ask for the module required information: Target IP already filled, set Port to 80 and Timeout to 2. Press "Accept" and wait for some time as more that 3000 checks take long to complete... ;-)




As new vulnerabilities are found, they are added to the module output dialog:




Once finished a summary of the results will be added to the dialog and more data to the KB tree, of course:







And more important, the node menu has a new submenu under port 80 with all the vulnerabilities found , just by clicking on each of them, they will be opened on the browser.



False positives are as common as with the real nikto ;-)
Now that we collected more information regarding the target and it's services we can start exploring other graphs by using the graph's context menu.
On those other graphs you can see relations between IP, ports, vulnerabilites, etc... feel free to explore.




Now let's search for exploits for the OpenSSH version we identified on port 22. First we need to download, or update, the exploits so let'g go back to the “Properties” dialog, “Update” tab and press the “Update” button for Exploit DB. Before downloading the exploits, switch thebottom pannel to “Logs” tab to folow the actions performed. This will take some time and make you Hard drive work as there are many exploits to unpack:



Once finished we can go to the “Exploit” tab on the left of the main window where we will be able to manage them. Exploits need some seconds to load.
Once loaded we can fill the “Text to search” entry with the version of OpenSSH we found and press the “Search” button:




To study one exploit in more detail just right click on it and the inguma's editor will popup with the code of the selected exploit:



Actually we didn't found an exploit for this version but we can also search for the HTTP server, the OS, etc... if happen that we find a working one, just look at the path column, create a new terminal by pressing the “New Tab” button at the “Term” tab at the left of the main window, and go to this path to execute the exploit.



Automation of this search by adding an option on the node's menu is work in progress, as is to open the terminal in the adecuate directory on double clicking one exploit.
Finally press “Save” button at the top toolbar if you want to save the actual work for the future.
There is much more that inguma has to offer but for knowing all the details you will have to read the whole documentation.

No comments:

Post a Comment