330 likes | 513 Views
Basic Expectations and Performance. B usiness of Penetration Testing. Disclaimer. Hacking is illegal and should not be performed. This presentation does not condone or approve of hacking in any way.
E N D
Basic Expectations and Performance Business of Penetration Testing
Disclaimer • Hacking is illegal and should not be performed. This presentation does not condone or approve of hacking in any way. • Penetration Testing is an agreed form of audit between two parties and should be bound in writing defining the scope and nature of what is to be audited. • This presentation is solely for academic and educational purposes only.
What will be covered • Initial planning of the audit • External Scanning/Footprinting • Internal Scanning • Vulnerability Assessment • John the Ripper usage • Metasploit basics • Post-audit reporting
What is Penetration Testing • Type of audit to assess security of a system • Provides feedback to the stakeholder what their security posture is like • Enumerates weaknesses and gives countermeasures/suggestions to strengthen
Planning an Audit • Penetration Test may be included in a scheduled audit or independently • May be announced or unannounced • Define the scope • Decide who will perform the audit • Conflict of interest • Non-trusted party
Client-side Negotiations • Ensure the scope is clearly understood by both parties • Understand what the auditors are capable of testing • Certified? • As the client negotiating, remain in control • Get bids- Gives a good comparison of prices
Auditor-side Negotiations • Understand your responsibility to the client • Your access/attempted access will be privileged • Try to be as non-invasive as possible unless given permission • Sometimes a proof-of-concept is all that’s needed • The client expects a report. Ensure deliverables are agreed on
Beginning the Audit • Business is at stake, know when to begin • Remember that this is an audit and that every activity must be documented • External activity is not exempt from documentation. • Keep a mindset as if you were collecting evidence • Prepare your tools • Run updates on your software • Pack extra batteries
Logistical Planning • Planning is crucial for every step taken • Plan to meet • Plan for introductions • Plan for the surprise attacks • Plan for the unexpected • Plan to introduce presence to the unsuspecting • In cases of unannounced audits, special actions may need to have preparations in case caught or blown cover
External Port Scanning • Port scanning from the internet is simple • Need the public IP Address for the company • Run a port scanner (NMAP) with options and discover what port are open. • If a known port is found, scripts are good at discovering the security state of that port. • Scripts that are available online can be a huge threat since anyone can use them.
Email Tracing • Look at email traces. • Provides IP Addresses to mail servers • IP Addresses can lead to more destinations on the internet for scanning and profiling • Down side • IP Addresses can lead to web hosted email services • Sometimes the PTR’s can lead to a host with a robust firewall as a dead end.
Web Site Profiling • Web site can give good information when looking for emails, executives, and technical staff. • Excellent for social engineering attempts. • If there are interactive web pages, further research can uncover exploitable items (XSS,web injections, or simple valid queries)
Internal Testing • Depends on the scope and plan • Performing undercover scans and testing is best done before introducing to the unsuspecting. • Good time to also social engineer, test policies, and scan wireless • Test policies for information control • Use kismet or other wireless scanner
Internal Testing • After presence is known, ensure the IT staff knows what type of testing will be performed, expectations of event logs, and NOT to adjust security posture during the audit.
Begin Scanning • Survey the network in any case whether you know the network diagram or are blind testing • Scans include all devices on the network, their Operating System, open ports, and services running • If feasible, look for open access ports to the network in discreet areas. • Ideal for placing your own wireless access points
Network Scans • Try the low hanging fruit • Check network places and shared drives for unrestricted access. • Copy machines may have onboard hard drives with file sharing • Users may know enough to be dangerous sharing folders
NMAP • Network scanner • Identifies devices and Operating Systems • More quiet than pinging devices • Uses the REQ,ACK,SYN for communications • Returns open ports and has options for more stealthy operations on a sensitive network
Vulnerability Scanners • Nessus • Free for personal use • Linux can use apt-get • Windows can download • Requires registration before usage • openVAS • Spin off of Nessus • http://www.openvas.org/
Nessus • Enumerates vulnerabilities per device • Web GUI provides easy usage and real-time enumerations • Works with Metasploit to provide a scan and attempt at known vulnerabilities • Requires database for saving Nessus scans • Use the “Search” in Metasploit to find modules relating to scans to begin probing
John the Ripper • Offline password cracker • Used on SAM dumps, LANMAN, most types of password hashes • Can also be used to generate mangled wordlists for uses with other tools. • Know the how to write rules in john.conf file • Output file can be in a txt format • Remember the john.pots file
Medusa or Hydra • Online password cracking • Great for dictionary attacks (wordlists) • Best if used on known open ports • Wordlists can be found online and mangled with JTR for more complex P@55w0rds!
Pointers When Using Tools • Read any precautionary comments before starting. Some exploits could cause damage to databases or resources costing your client money • Try not to use client’s network to do quick research, it could contaminate results • Advise IT staff of certain network loading tests and log expectations • Ask, when in doubt if a critical resource is discovered vulnerable, about exploiting • Proof-of-concept may be all that is needed
Metasploit • Metasploit is an open source platform • supports vulnerability research • exploit development • creation of custom security tools • Included in BackTrack distributions • Recommend intense training to master • Metasploitable VM download
What is Happening... • Known vulnerability occurs in victim • Related exploit is set in Metasploit • Options are configured for the victim • Payloads are viewed and selected • Payloads are what the attacker wishes to happen • Exploit occurs causing the victim process to crash • Payload is triggered
Pushing Greater Limits • Metasploit offers much more than the scope of this presentation • Fuzzing protocols like IMAP and TFTP • Writing fuzzers can become the first step to creating new exploits • Good for protocols on the network that have no known module • Password sniffing on the wire • Creating backdoors to maintain access
Wrapping Up The Audit • Check for any open activities • Confer with IT staff that all network activity is normal • Ensure all documentation is collected
Post-Audit • Generate documentation of all work performed • Official audit report to the client • Should incorporate summaries, details, and exhibits • Include screenshots and pictures taken • Describe details of each action and what threat it presents
Presentation • In most cases, a brief presentation to client and selected staff will be performed • Include most significant threats discovered and solutions • Emphasize the impact of all negative findings to the business • Include positive notes where security was solid
Post-Audit Report • Audit report is a confidential document to the client • It is an official report that will be integrated into reports of other audits for that client • Use encryption if delivering by email • Exercise infosec in all cases regardless of method used for communications • Be thorough, use passive writing, use pictures
In Conclusion • Instill confidence in your client and yourself • Know your capabilities and limits, personally and legally • Perform a thorough audit documenting as you go • Sharpen and research tools • Deliver solid feedback and suggestions
References & Research Sites • http://www.offensive-security.com/metasploit-unleashed/Main_Page • http://www.openwall.com/john/ • http://www.openwall.com/john/doc/RULES.shtml • http://thc.org/thc-hydra/ • http://www.foofus.net/~jmk/medusa/medusa.html • http://www.tenable.com/products/nessus • http://nmap.org/ • http://www.backtrack-linux.org/ • https://www.owasp.org/index.php/Main_Page