Tips for an Information Security Analyst/Pentester career - Ep 70- Automating large pentests (EyeWitness and Sparta)

I've been working as a professional pentester for a while by now and I recently started dealing with pretty large engagements.

My manual methods didn't work so well for these larger engagements, and I had to implement solutions to automate and speed up scans and process their results faster, so I could move into the validation/exploitation stage, and then reporting, earlier.

In this post, I'm going to discuss two such tools: EyeWitness and Sparta.



In a coming post, I'll deal with Metasploit's database functionality and its integration with Nmap, which can deliver amazing results for this purpose, too.

EyeWitness
 
The first step is to perform an Nmap scan on the target network.
 
Command used:
 
nmap -sS -sV -T4 -A -Pn -p- -vv -iL /root/targets.txt -oA /root/homescan/homescan
 
Command breakdown:
  • -sS: SYN (half-open) scan. It doesn't complete the 3-way handshake, unlike the connect scan (-sT) does.
  • -sV: Service version detection.
  • -T4: Aggressive timing template. T can have values 0 through 5, but with -T5 you may end up missing ports. -T4 is a very good compromise between speed and inclusiveness.
  • -A: Aggressive fingerprinting (enables OS detection, version detection, script scanning and traceroute).
  • -Pn: Treat all hosts as online and skip host discovery. Hosts that drop ping probes would otherwise be skipped entirely, which is why this is useful against firewalled networks.
  • -p-: Scan all 65535 ports. By default, Nmap only scans the 1000 most common ports.
  • -vv: Verbose (level 2). I recommend using verbosity for large scans. With its default options, Nmap doesn't return any output until the scan is completed, which can make you think it isn't working. Verbosity options provide progress output and help clarify what's going on. You can increase the verbosity level from one (-v) through five (-vvvvv).
  • -iL: Input from a list of hosts/networks. I created a list of targets as input for the command. This list is often created by performing a ping sweep first (-sP, nowadays -sn).
  • -oA basename: Output in the three major formats (normal Nmap, greppable Nmap and XML) at once. The argument is a base name, not a directory: /root/homescan/homescan produces homescan.nmap, homescan.gnmap and homescan.xml in /root/homescan/.
 
 
Using the XML output file created in the previous step (in this example, /root/homenetwork/homescan.xml), we can screenshot the services Nmap found with EyeWitness.
 
EyeWitness installation:
If EyeWitness isn't installed already on your system, you can install it through the following command: git clone https://github.com/FortyNorthSecurity/EyeWitness.git
Should the above command return git: command not found on your system, you need to first install git by running (sudo) apt install git -y.
 
Note: you need sudo only if you're not the root user. If you're not root and you don't have write permissions to the /root directory, you might need to change the path from /root to your /home directory.
 
The git clone command clones the EyeWitness repository into a local directory on your system, called EyeWitness; the Python version of the tool lives in EyeWitness/Python.

So, cd to that directory and then cd to install.
 
From there, run the setup.sh script.
 
At that point, your EyeWitness install will be up and running.
 
Creating a screenshot of the system with EyeWitness:
 
We'll run the following command from the /root/EyeWitness/Python directory (in other words, cd to that directory first):
 
python EyeWitness.py -x /root/internal_scan/homenetwork.xml --active-scan --web -d eyewitness-localnet

 
Command breakdown:
-x Filename.xml: Nmap XML or .nessus file used as input.
--active-scan: Performs live login attempts to identify credentials or login pages.
 
--web: HTTP screenshots using Selenium (other protocol options include --rdp, --vnc and --all-protocols). I'd recommend running a separate scan for each individual protocol, for clarity's sake.
 
-d DirectoryName: Directory name for the report output (if the directory indicated doesn't exist yet, it will be created).
 
Output:
The command attempts to screenshot every web server found, tries to log in to each of them and finally generates a report, all in a very fast and effective way.


The report will be provided in HTML format and is very handy and straightforward, which is especially important when a large number of hosts is involved in the pentest.
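The part of this workflow worth seeing in code is how the Nmap XML produced by -oA is turned into the list of web targets a screenshot tool visits. The block below is an added example written for this post, not EyeWitness's own code; it parses a constructed Nmap XML sample (not a real scan) and keeps only open HTTP(S) ports, using Nmap's tunnel="ssl" attribute to pick the scheme.

```python
"""Pick web services out of Nmap XML, the same selection EyeWitness makes on -x input.

Added example (not EyeWitness's code): reads -oA XML output, keeps open ports whose
service is HTTP-like, and builds the URLs a screenshot run would visit.
"""
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (two hosts, mixed services); not a real scan.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="8443"><state state="open"/><service name="http" tunnel="ssl"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Service names Nmap assigns to HTTP-like ports (from nmap-services / -sV probes).
WEB_SERVICES = {"http", "https", "http-proxy", "http-alt"}


def web_targets(nmap_xml: str) -> list[str]:
    """Return one URL per open HTTP(S) port on every host that is up."""
    root = ET.fromstring(nmap_xml)
    urls = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            if svc is None or svc.get("name") not in WEB_SERVICES:
                continue
            # Nmap marks TLS-wrapped services with tunnel="ssl"; "https" is TLS by name.
            tls = svc.get("tunnel") == "ssl" or svc.get("name") == "https"
            urls.append(f"{'https' if tls else 'http'}://{addr}:{port.get('portid')}")
    return urls


print("\n".join(web_targets(SAMPLE_NMAP_XML)))
```

Run against a real homescan.xml by reading the file into a string instead of SAMPLE_NMAP_XML; the closed 3389 port and the SSH port are skipped, and 8443 is reported as https because of the tunnel attribute.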



Sparta 

Sparta is another very handy automation tool.

Besides being very useful in large engagements, it is also allowed in the OSCP exam (I personally asked OffSec this question).

Installation

Sparta can be installed through the git clone https://github.com/secforce/sparta.git command.

Usage

If we feed it the XML file generated by Nmap in the first stage, Sparta will perform a series of scans, both with Nmap and with tools like Unicornscan, Nikto and Dirbuster.

Once we have some open ports, by holding down SHIFT and right-clicking on one of the services running on them, we can also access additional tools, such as enum4linux and other enumeration and exploitation tools.


Sparta can't compete with Metasploit in terms of automation capabilities, as we'll see in the next post.

However, it can be very handy. 

I personally like the fact I can export a Sparta project and give it to my coworkers.

So, if they want to jump into the same project I'm working on and help out, they can copy the project to their machine, import it into their own Sparta instance, and they'll see the same things I see in my VM, along with what I've done so far.


Wrap-up

I have often insisted that a pentester should avoid relying too much on automated tools and should develop a deeper sensitivity to vulnerable services by using manual exploits.

Though this principle is very important, automation can’t be avoided and is very desirable for large pentests, especially when they have to be performed over a short time frame.
