One of the most common questions asked by newcomers to our community is, “How do I get started in InfoSec?” This article shows it is not simply a matter of what you do (don’t get me wrong, ability and aptitude are important), but also a matter of who you surround yourself with. In any profession, to create an environment for maximum professional development, you must surround yourself with people who are smarter and more experienced than you. If you’re the smartest and most experienced guy in the room, the level of development you experience will be far less than that of those you are mentoring. That being said, I’ve been doing the infosec thing for a couple of years now, and I’ve always tried to surround myself with the smartest and most experienced people possible. While I’ve been personally gracious to some of those individuals who have helped me along the way, I would like to publicly thank the rest of them now. I’m sure I’ll end up unintentionally leaving someone out, but this is closer to the beginning of my career than the end, so I’m sure there will be many more mentors and many more blog posts like this to make up for anyone I fail to mention here.
Jon Fox - Most of you have not had the pleasure meeting this man, and probably never will, but this man is special. He gave me the opportunity to create and lead something that was above my skill set and out of my comfort zone. He saw potential in me that I simply didn’t see, and through friendship and leadership, developed that potential into the canvas with which I entered the infosec industry. The rest of the individuals listed here helped me to paint that canvas.
Eric Bassel - Some of you may know Eric from the SANS Institute. However, my relationship with Eric goes much deeper. As a friend and mentor, Eric put the priorities of the organizations and people around our professional relationship aside to help me understand what is really important in life. During the most difficult of life decisions, similar to one that Eric had to make in his own life, Eric was there to provide me with sound advice. As a result of his advice, I am happier today than I have ever been.
Mark Baggett (@MarkBaggett) - What can I say, Mark is the absolute smartest man I know, and the best decision I made while working with the Army cyber training program. I am convinced that just being in the room with Mark will make anyone a smarter person, and it definitely did me. If it wasn’t for Mark, I wouldn’t be a part of the PaulDotCom team and I probably would have never started speaking at infosec conferences. Mark was all the brains behind the Volume Shadow Copy stuff we released at Hack3rCon a couple years ago, and I was little more than a cheerleader. Yet he graciously let me take part ownership of his amazing research and present along side of him. Even today Mark continues to mentor me and is always willing to extend a helping hand. Mark is much more than a mentor to me, he is an incredible friend.
Rob Dixon (@304geek) - Got writer’s block? Looking for an idea? This guy’s got ’em! So many times during the development of PushPin I leaned on Rob for testing and ideas. Each time, Rob came back with a list of things that totally rocked. The majority of the coolest features built into PushPin are a direct result of Rob’s input. While every time I’ve talked about PushPin I’ve been sure to mention Rob’s contributions, he deserves a larger stage, and I hope he gets it here. We made a great development team, and he was an invaluable asset. I would also be remiss if I didn’t mention Rob’s impact on my single largest achievement, Recon-ng. I mentioned the idea of building a recon framework out of the recon-ng script during my talk at DerbyCon in 2012. Rob approached me afterward and told me about a project that he and another friend, Vitomir Margetic (@NodeZero_Linux), were working on called TunnelRat. TunnelRat is a framework built for network tunneling. I’m not sure if they ever publicly released the project, but I look forward to when they do. They had some really innovative things going there. Rob and Vitomir invited me to be on the dev team for TunnelRat in hopes that we could build the functionality of the recon-ng script into the framework. Very early on in the project, I broke away from the team and created a separate framework because the core functionality of TunnelRat was not conducive to what I was trying to do, but I walked away with my first experience in what a true modular framework looks like in Python, and I have those gentlemen to thank. Anyone that is considering building a modular framework in Python should look at this article written by Vitomir. It explains the principal ideas behind TunnelRat’s modular functionality and one way to do framework development in Python. Another way to create modular frameworks in Python, the technique used in the Recon-ng framework, is to use nested “cmd” class modules. That idea came courtesy of my good friend Mark Baggett (see above).
Chris Gates (@carnal0wnage) - Chris and I had some personality conflicts to work through when we first met many years ago, but we worked through those and Chris became the first person I went to for infosec mentoring. While I was still an Army officer, I watched Chris do his thing against DoD networks with a childlike wonder. It was pure awesomesauce watching him own network after network with grace and modesty. His work intrigued me so much that I couldn’t help but badger him with questions on how to be like him and grow a skill set like his. He was the first person I approached with the question, “How do I become an infosec professional?” Carnal0wnage is the reason I started blogging and why LaNMaSteR53.com even exists. Even today I lean on him for advice, and he continues to provide.
Former Fellow Red Teamers - When I was a member of the Army Red Team, I was responsible for taking documentation from each of the cells that operated within the team and creating the final deliverables. I absolutely loved my job. I learned so much about the methodology, tools, and techniques of penetration testing just by proofing their reports. Long before I was learning from reading Twitter feeds, blog posts, and magazine articles, I was learning by reading the carnage inflicted on target networks by the best Red Team operators in the biz.
Chris Campbell (@obscuresec) - I don’t know what it is with the name “Chris”, but I’ve had some personality conflicts with this one too. Go figure. At one time, not too long ago, Chris and I were pretty good friends. I can honestly say that most of what I know about owning Windows domains, I learned from Chris. Most of you know Chris by the work he does with PowerShell and Passing-the-Hash. That was a natural transition for Chris. He was our go-to guy for everything Windows on the Army Red Team. Need a domain popped? This guy can do it. A truly gifted technician.
TJ O’Connor (@ViolentPython) - TJ humbled, and humbles, me. A brilliant man once asked me, “Can you outperform TJ O’Connor in a hacking competition?” I foolishly replied, “I don’t know TJ O’Connor, but I imagine I could at least hang with him.” (Buzzer.) Wrong answer. TJ whipped my arrogant tail and issued me one of my first lessons in infosec humility. But all the while, TJ never once claimed that he could beat me, or that he did beat me. He knew the lesson he had taught me. And it was an important one. Those that know TJ consider him one of the brightest minds in the industry, yet TJ would tell you that you are crazy for even thinking it. That kind of modesty is rare in our industry, and I look to TJ as an example of what right looks like.
Martin Bos (@purehate_) - Many of you are familiar with the verbal salvos that have taken place between Martin and me over the years on Twitter. While we are vastly different and disagree on just about everything, Martin has my utmost respect. Very few people have the passion and guts to be as honest and forthright as Martin is, and people like me who are equally passionate and stubborn need lessons in humility every now and again to keep our egos in check. Martin may not know it, because I’ve probably never said it, but he has taught me some valuable lessons about humility, and has helped me realize places in my personality where I need improvement. For that I am thankful.
My Father - He’s old school, and not the best with computers, but I consider him to be the ultimate hardware hacker. I’ve never seen anyone with the level of ingenuity and creativity he has to take ordinary things and do extraordinary things with them. Watching him as I grew up set deep roots in me to want to be like him. To be able to think outside of a seemingly useless object and do something amazing with it. My father is also the one that recognized my aptitude in programming at a very young age. I remember him watching me create batch scripts on an old IBM XT and asking me if I wanted to do more. He got me started with QBasic, introduced me to a man named Ron Davidson who gave me my first lesson on object-oriented and event-driven programming, and bought a new family computer (Packard Bell) so I could begin developing Visual Basic applications. My father is the reason why I am so passionate about code. He has also become my biggest fan, and now looks at me the way I look at him. That is an amazing feeling.
John Strand (@strandjs) - While I’ve not known John all that long, John has become, without a doubt, my strongest mentor. I met John in a SEC560 class in 2010. John noticed something in me, grabbed me by the arm, pulled me aside, and never let go. John watched me as I struggled through two jobs that he knew weren’t making me happy or leveraging my potential, providing mentorship and sound advice all along the way. John then took a huge chance on me by hiring me as his first employee as he ventured into company ownership, and I sincerely hope it wasn’t a mistake. John has fostered creativity in me that has led to pretty much everything I’ve done. PushPin, Recon-ng, HoneyBadger… All of these tools were spawned from seeds that John planted in my mind. Whether or not he intended to, I’m not always certain, but in all cases, John has humbly stood aside and willfully offered me complete ownership of these creations.
Not all of the individuals listed here will read this, and not all of them maintain amicable relationships with me now. However, all of these people have played key roles in my development to this point and deserve recognition. None of my accomplishments have been achieved alone. I have each of these individuals to thank. Thank you.
As you browse away from this article, remember the importance of surrounding yourself with bright people and being gracious for the mentoring they provide. Look around you. Are you the smartest and most experienced person in the room? If so, it may behoove you to change settings. But never forget that mentoring goes both ways. The only way this industry thrives is by its members simultaneously mentoring and being mentored at all times. There is always someone else in the same position you were in several years ago. Reach out and lift that person up, as those mentioned here lifted me.
Today I ran into a problem that most penetration testers will encounter at some point, and whose solution required a creative approach. Therefore, I’m writing this brief article as a reference for future encounters with stubborn Tomcat servers.
I found an up-to-date Tomcat 7 server with easily guessable credentials and was able to access the Tomcat management console. At this point, compromising the server is usually a done deal. Typically, I would deploy a meterpreter shell via the Remote WAR deployment panel and proceed to pillage and pivot through the server using the SYSTEM level access that Tomcat granted me. However, this Tomcat was running on a fully patched and protected Windows Server 2008 R2 system which made this a bit more challenging.
Once I gained access to the Tomcat management console, I took the standard approach and deployed a meterpreter WAR application to the Tomcat server, but something was preventing meterpreter from connecting back out of the network. Extensive analysis showed that the target network was filtering all egress traffic from the target web server and only allowing outbound traffic for established, stateful TCP connections. Ingress filtering was also in place, so neither bind nor reverse meterpreter shells were possible against this server.
Next, I attempted to deploy a server-side JSP shell and access it via a browser. While a JSP shell is not nearly as powerful as meterpreter, it is a SYSTEM shell nonetheless. The deployment appeared to be successful according to Tomcat; however, all attempts to access the shell via a browser returned 404 errors. The JSP shell was not being created during the deployment process for unknown reasons. Most likely the work of antivirus software.
I tweeted for suggestions and James Jardine pointed me to a great article and an open source WAR application called filebrowser.war. The technique described in the article worked perfectly. I don’t want to replicate content, so please read the original article for details. Below is an attack summary of the actions I took to compromise the server and surrounding environment after the initial exploitation.
1. Use the Tomcat management console to deploy the filebrowser.war application.
2. Use the filebrowser application to upload a JSP shell to the filebrowser application directory.
3. Browse directly to the JSP shell.
4. Use the JSP shell to:
   - survey the system using various post-exploitation commands.
   - list volume shadow copies.
   - create a volume shadow copy.
   - copy the SYSTEM and SAM files from the created shadow copy to the filebrowser application directory.
5. Use the filebrowser application to:
   - download the SYSTEM and SAM files from the server for offline hash extraction with bkhive and samdump2.
   - upload mimikatz.exe and sekurlsa.dll to the server.
6. Use the JSP shell to execute mimikatz and extract the clear text credentials from memory. This must be done in a single command, as the mimikatz interactive shell will not work through a non-interactive web shell:
   mimikatz.exe privilege::debug sekurlsa::logonPasswords exit
7. Pivot and pwn…
8. Use the Tomcat management console to “stop” and “undeploy” the filebrowser application, destroying all resources in the application’s path.
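For defenders, the sequence above leaves a recognisable trail in Tomcat's access log: a manager login (often after failed attempts), a WAR deployment through the manager app, and then requests into a context that did not exist before the deploy. The following is an added example, not code from the original post, that flags that pattern over constructed log lines; it assumes Tomcat's default "common" AccessLogValve format and the Tomcat 7 manager deploy endpoints, and the context-path heuristic is an assumption.

```python
import re
from collections import namedtuple

# Tomcat's default "common" AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Manager-app endpoints that deploy a WAR on Tomcat 7 (HTML upload form, text interface)
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy", "/manager/deploy")

# Constructed sample lines (not logs from the engagement in the post): one client fails
# manager auth, deploys a WAR, then browses into the freshly created context.
SAMPLE_LOG = """\
10.0.0.9 - - [12/Mar/2013:14:01:00 -0500] "GET /app/home.jsp HTTP/1.1" 200 1200
10.0.0.5 - - [12/Mar/2013:14:02:11 -0500] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - tomcat [12/Mar/2013:14:03:02 -0500] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 18012
10.0.0.5 - - [12/Mar/2013:14:03:40 -0500] "GET /filebrowser/ HTTP/1.1" 200 4120
10.0.0.5 - - [12/Mar/2013:14:05:10 -0500] "GET /filebrowser/shell.jsp HTTP/1.1" 200 312
10.0.0.9 - - [12/Mar/2013:14:06:00 -0500] "GET /app/home.jsp HTTP/1.1" 200 1200
"""

Alert = namedtuple("Alert", "ip ts reason path")

def detect_manager_abuse(log_text: str) -> list:
    """Flag manager auth failures, WAR deploys, and requests into contexts unseen before a deploy."""
    alerts = []
    known_contexts = set()   # first path segment of every request seen before any deploy
    deploy_seen = False
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue         # unrecognised line format: skip rather than guess
        ip, ts, path, status = m["ip"], m["ts"], m["path"], int(m["status"])
        base = path.split("?", 1)[0]
        context = "/" + base.split("/")[1]   # assumption: first segment is the webapp context
        if base.startswith("/manager/"):
            if status == 401:
                alerts.append(Alert(ip, ts, "manager_auth_failure", path))
            elif status == 200 and base.startswith(DEPLOY_PATHS):
                alerts.append(Alert(ip, ts, "war_deploy_via_manager", path))
                deploy_seen = True
            continue
        if deploy_seen and context not in known_contexts:
            alerts.append(Alert(ip, ts, "new_context_after_deploy", path))
        elif not deploy_seen:
            known_contexts.add(context)
    return alerts
```

Restricting the manager app by source address (RemoteAddrValve) and replacing guessable manager credentials removes the entry point this trail begins with.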