
A Discussion In Penetration Testing


Presentation Transcript


  1. A Discussion In Penetration Testing Marcial White

  2. Introduction • Definition of “Hacker” • White Hat vs. Black Hat • Open Source • Methodologies

  3. Penetration Testing Concepts • What is a penetration test? • Public Image • Border Networks • Interior Networks • What do they produce? • What don’t they produce? • How extensive are they? • White Box vs. Black Box

  4. Methodology Overview • Footprinting • Search Engine Hacking • Social Engineering • White Box Footprinting • Black Box Footprinting • Network Enumeration • Gaining Access to the Network • Escalating Privileges • Covering Your Tail • Retaining Control • Rogue User Accounts • If All Else Fails … • Some Defenses

  5. Google Hacking • Zero-footprint profiling of the target: every query goes to Google, so nothing shows up in the target’s own logs • Start with the simple stuff • Company name • Do popularity searches on the people you find in the first search • Look for important-looking people • A full list of operators is available at • http://www.google.com/help/operators.html • http://johnny.ihackstuff.com • For example: filetype:txt inurl:robots site:whitehouse.gov

  6. Social Engineering • “The practical application of sociological principles to particular social problems” (http://www.dictionary.com) • “The practice of obtaining confidential information by manipulation of legitimate users” (Wikipedia) • Examples: Lord Nikon and Cereal Killah from Hackers (the most realistic hacking movie ever) • Relying on people not reading the EULAs: the Microsoft PLUS! scheme • Kevin Mitnick: The Art of Deception and The Art of Intrusion

  7. White Box Footprinting • Consult the existing network diagram • Scan the network • Compare results against the diagram • Find live hosts • Find running services • fping, ICMPenum, Ethereal (now Wireshark) • Record hops between an interior host and the border of the network (traceroute) • WhoIs

  8. Black Box Footprinting • What do you know? • Most get a single IP to start with • Find out what you can on that IP • WhoIs it? • http://www.centralops.net • http://www.samspade.org • NSLookup • Visual Route • Email Tracker PRO • Often more systems will be found than were reported. Document everything.

  9. Enumerate the Network • Overlaps a bit with footprinting … • Nmap is your friend • XMAS scan (FIN, PSH and URG flags set) • nmap –sX host.com • Per RFC 793 a XMAS probe gets one of two results • A closed port replies with RST • An open port stays conspicuously silent • Caveat: a probe silently dropped by a firewall looks exactly the same, so Nmap reports silence as open|filtered; stacks that ignore the RFC (Windows, many Cisco devices) answer RST on every port, so the whole host looks closed. Confirm with –sS or –sT • Fe3d for documentation • nmap –oX filename.xml host.com
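The caveat above matters when reading the XML that `nmap -oX` writes: a host where every port came back the same way tells you nothing about the service list. This added example (not part of the slides, written for this page) parses a constructed sample in Nmap's XML format and flags hosts whose XMAS results are inconclusive. The addresses and counts are made up; the element and attribute names are Nmap's own.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in nmap -oX format (not a real scan); RFC 5737 documentation addresses.
# Host .10 behaves per RFC 793, .11 answers RST to everything, .12 drops every probe.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sX -oX scan.xml 192.0.2.0/29">
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<extraports state="closed" count="997"><extrareasons reason="resets" count="997"/></extraports>
<port protocol="tcp" portid="22"><state state="open|filtered" reason="no-response"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open|filtered" reason="no-response"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="open|filtered" reason="no-response"/><service name="https"/></port>
</ports></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.11" addrtype="ipv4"/>
<ports>
<extraports state="closed" count="1000"><extrareasons reason="resets" count="1000"/></extraports>
</ports></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.12" addrtype="ipv4"/>
<ports>
<extraports state="open|filtered" count="1000"><extrareasons reason="no-responses" count="1000"/></extraports>
</ports></host>
</nmaprun>
"""


def parse_xmas_results(xml_text):
    """Return {address: {"ports": {port: state}, "extra": {state: count}}} from nmap -oX output.

    <extraports> is Nmap's summary of the ports it did not list individually."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        ports, extra = {}, Counter()
        ports_el = host.find("ports")
        if ports_el is not None:
            for ep in ports_el.findall("extraports"):
                extra[ep.get("state")] += int(ep.get("count"))
            for p in ports_el.findall("port"):
                ports[int(p.get("portid"))] = p.find("state").get("state")
        results[addr] = {"ports": ports, "extra": dict(extra)}
    return results


def interpret_xmas(results):
    """Per host: 'candidates' lists open|filtered ports worth a follow-up scan; 'inconclusive'
    is set when every probed port came back identically (all RST or all silent), which is how
    a non-RFC-793 stack or a drop-all firewall looks to a XMAS scan."""
    verdicts = {}
    for addr, r in results.items():
        states = Counter(r["ports"].values())
        for state, count in r["extra"].items():
            states[state] += count
        candidates = sorted(p for p, s in r["ports"].items() if s == "open|filtered")
        if len(states) == 1:
            only = next(iter(states))
            note = ("every port answered RST: host likely ignores the flag rules (try -sS/-sT)"
                    if only == "closed"
                    else "no port answered at all: probes probably dropped by a firewall")
            verdicts[addr] = {"candidates": candidates, "inconclusive": True, "note": note}
        else:
            verdicts[addr] = {"candidates": candidates, "inconclusive": False, "note": ""}
    return verdicts


if __name__ == "__main__":
    for addr, v in interpret_xmas(parse_xmas_results(SAMPLE_XML)).items():
        print(addr, v)
```

Feed it a real file with `parse_xmas_results(open("filename.xml").read())`; the same parser works for any Nmap scan type, only the interpretation of "all identical" is XMAS-specific.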

  10. Nmap XMAS Scan

  11. Fe3d

  12. Gaining Access … • Sniff passwords with a protocol analyzer: telnet, FTP, POP3 and HTTP Basic authentication all put credentials on the wire in clear text • Ethereal (now Wireshark) • Etherpeek • tcpdump • Snort • Nessus • NASL (the Nessus scripting language) • NT Info Scan • ReadSMB
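What "sniff passwords" comes down to once the capture is on disk: pairing the USER and PASS lines of a clear-text login on the same connection, and decoding HTTP Basic headers. This added example (not from the slides) does that over a constructed list of client-to-server payloads; in practice the payloads come from tcpdump or Wireshark, and the addresses here are RFC 5737 placeholders.

```python
import base64
import re

# Constructed sample "packets": (client address, server port, payload) in capture order.
# Made-up flows, not real traffic. The last entry is a PASS with no USER on its flow.
SAMPLE_PACKETS = [
    ("192.0.2.50", 21, b"USER alice\r\n"),
    ("192.0.2.50", 21, b"PASS s3cret!\r\n"),
    ("192.0.2.51", 110, b"USER bob@example.test\r\n"),
    ("192.0.2.51", 110, b"PASS hunter2\r\n"),
    ("192.0.2.52", 80, b"GET /admin HTTP/1.1\r\nHost: intranet.example.test\r\n"
                       b"Authorization: Basic Y2Fyb2w6bGV0bWVpbg==\r\n\r\n"),
    ("192.0.2.53", 80, b"GET /intranet HTTP/1.1\r\nHost: x\r\nAuthorization: Bearer abc\r\n\r\n"),
    ("192.0.2.54", 21, b"PASS orphan\r\n"),
]


def extract_cleartext_creds(packets):
    """Walk captured client->server payloads and pull out credentials sent in the clear.

    Returns a list of (client, protocol, username, password)."""
    pending_user = {}   # (client, port) -> username seen on that flow, waiting for its PASS
    found = []
    for client, port, payload in packets:
        text = payload.decode("latin-1")   # never raises; we only pattern-match on it
        flow = (client, port)
        if port in (21, 110):              # FTP and POP3 both use USER/PASS on one connection
            proto = "ftp" if port == 21 else "pop3"
            m = re.match(r"USER (\S+)", text)
            if m:
                pending_user[flow] = m.group(1)
                continue
            m = re.match(r"PASS (\S+)", text)
            if m:
                user = pending_user.pop(flow, None)
                if user is not None:       # a lone PASS tells us nothing reliable; skip it
                    found.append((client, proto, user, m.group(1)))
        elif port in (80, 8080):
            m = re.search(r"^Authorization: Basic ([A-Za-z0-9+/=]+)", text, re.M)
            if m:
                try:
                    decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
                except (ValueError, UnicodeDecodeError):
                    continue               # malformed header; not a credential we can use
                user, _, pw = decoded.partition(":")
                found.append((client, "http-basic", user, pw))
    return found


if __name__ == "__main__":
    for cred in extract_cleartext_creds(SAMPLE_PACKETS):
        print(cred)
```

The defensive reading of the same code is the point of the slide: anything this function can recover from a capture, anyone on the path could too, which is why these protocols belong behind TLS or SSH.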

  13. Escalating Privileges • Be SILENT! • Password crackers (offline dictionary and brute-force attacks against captured hashes) • John the Ripper • Cain and Abel • L0phtCrack • Trojans / back doors • NetBus “Remote Administration and Spy Tool” • Man-in-the-middle attacks • Inherent TCP/IP flaws • Three-way handshake (neither end is authenticated) • Packet headers (source fields are spoofable) • ARP (replies are unauthenticated, so poisoned entries redirect LAN traffic through the attacker) • Ettercap
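The crackers on this slide all work the same way: take a wordlist, apply mangling rules, hash each candidate with the victim's salt and compare. This added example (not the slides' code, and not how John the Ripper is implemented) shows that loop against a constructed shadow file with a toy salted SHA-256 scheme; the rule set, wordlist and sample users are invented for illustration, and real crackers target the actual formats (DES crypt, LM/NTLM, MD5-crypt) with far faster code.

```python
import hashlib

# Small constructed wordlist standing in for a real dictionary.
WORDLIST = ["password", "secret", "letmein", "welcome", "admin"]


def hash_pw(salt, password):
    """Toy salted hash for the example (constructed; not a real shadow format)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample shadow file: two plaintexts fall to simple rules, one does not.
SAMPLE_SHADOW = {
    "root":  ("x7Qz", hash_pw("x7Qz", "Password1")),
    "dba":   ("Lm2p", hash_pw("Lm2p", "l3tm31n")),
    "alice": ("9kTw", hash_pw("9kTw", "correct horse battery staple")),
}

LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def mangle(word):
    """Yield candidates in the spirit of a cracker rule set: as-is, case variants,
    leet-speak, and common suffixes, deduplicated."""
    bases = {word, word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in list(bases)}
    seen = set()
    for base in sorted(bases):
        for suffix in [""] + [str(d) for d in range(10)] + ["!", "123"]:
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack(shadow, wordlist):
    """Offline dictionary attack: returns {user: plaintext} for every hash recovered.

    Each user's salt forces a fresh hash per candidate; that is what a salt is for."""
    cracked = {}
    for user, (salt, digest) in shadow.items():
        for word in wordlist:
            for cand in mangle(word):
                if hash_pw(salt, cand) == digest:
                    cracked[user] = cand
                    break
            if user in cracked:
                break
    return cracked


if __name__ == "__main__":
    print(crack(SAMPLE_SHADOW, WORDLIST))   # alice's passphrase is not in reach of this wordlist
```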

  14. Unix/Linux rhosts files • Usually located at ~/.rhosts • Recommended permissions: 600 • Entry forms: +HostName, -HostName, +@NetGroup, -@NetGroup (a lone + trusts every host; “+ +” trusts every user on every host) • Also of interest: /etc/hosts.equiv • Allows users on the listed remote machines to log in and execute commands on the local machine without a password (rsh/rlogin) • Windows LSA Secrets • Older Windows machines (NT 3.51 – 4.0) • Dumping the LSA secrets yields service account passwords (plain text), cached credentials of the last users to log in to the machine, plaintext FTP and web passwords, RAS dial-up account names and passwords, the workstation’s domain account password, etc.
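A trust file is only as dangerous as its entries and its permissions, so the check a tester (or a defender) wants is a quick audit of both. This added example (not from the slides) parses a constructed ~/.rhosts and reports the entries that grant blanket access, plus a mode that is not 0600. The host names and netgroup are made up.

```python
# Constructed sample ~/.rhosts; the third line is the classic "trust the world" entry.
SAMPLE_RHOSTS = """\
buildhost.example.test alice
+@adminhosts
+ +
-badhost.example.test
db1.example.test +
"""


def parse_trust_file(text):
    """Parse .rhosts / hosts.equiv lines into (host, user) pairs; user is None when absent."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        entries.append((host, user))
    return entries


def audit_trust_file(text, mode, path="~/.rhosts"):
    """Return human-readable findings for a trust file's content and its permission bits."""
    findings = []
    if mode & 0o077:   # anything beyond owner rw means rlogind may refuse it, and others can read it
        findings.append(f"{path}: mode {oct(mode & 0o777)} is group/world accessible; want 0600")
    for host, user in parse_trust_file(text):
        if host.startswith("-"):
            continue   # explicit deny entries are fine
        if host == "+" and user == "+":
            findings.append(f"{path}: '+ +' lets any user on any host log in without a password")
        elif host == "+":
            findings.append(f"{path}: '+' trusts every host for user {user or 'the owner'}")
        elif user == "+":
            findings.append(f"{path}: any user on {host} may log in as the owner")
        elif host.startswith("+@"):
            findings.append(f"{path}: trusts whole netgroup {host[2:]}; verify its membership")
    return findings


if __name__ == "__main__":
    for f in audit_trust_file(SAMPLE_RHOSTS, 0o644):
        print(f)
```

On a live system, read the file with `open(...).read()` and take `mode` from `os.stat(path).st_mode`; the same function applies to /etc/hosts.equiv with `path` set accordingly.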

  15. Covering your tail • It’s all in the configuration • Command history (~/.bash_history and friends) • ftp/telnet/ssh/etc. logs • Dynamically generated routing tables • Logging daemons • klogd • metalog • Look in /var/log/, /etc/, /usr/bin • Hide your tools • Hidden files • Obscure naming convention • *nix • /.rootkits (a dot-directory at the filesystem root) • Veto files (e.g. Samba’s veto files option, which hides listed names from SMB clients) • Burying the files deep in an unrelated tree • Windows • Hidden system files • Burying the files

  16. Keeping your doors open • Creating rogue user accounts • Permissions • rwxrwxrwx (world-writable files and directories give you a way back in without owning them) • Groups (add the account to a privileged group) • Creating accounts with innocuous names such as “tty” • Windows: an extra account in the Administrators group • Retaining control • cron jobs • Keyloggers • Regload • LKL (Linux Key Logger)
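The defender's side of this slide is a check for exactly these artifacts: a second UID 0, a "system-looking" account that can actually log in, and a cron job launched from a hidden or scratch directory. This added example (not from the slides) runs those checks over a constructed /etc/passwd and a constructed system crontab; the account names, paths and schedules are invented, and the only assumption is the standard colon-separated passwd layout and the six-field-plus-user system crontab format.

```python
# Constructed /etc/passwd: "ttyy" is a rogue UID 0 account named to blend in with "tty".
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
tty:x:5:5:tty:/dev:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
ttyy:x:0:0:tty:/dev:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""

# Constructed /etc/crontab (system format: m h dom mon dow user command).
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root /.rootkits/.kl >/dev/null 2>&1
0 3 * * * alice /home/alice/backup.sh
"""

EXPECTED_UID0 = {"root"}                       # assumption: only root should be UID 0
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SCRATCH_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def audit_passwd(text):
    """Flag root-equivalent accounts and system accounts that were given a login shell."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if uid == "0" and name not in EXPECTED_UID0:
            findings.append(f"passwd: {name} has UID 0 (root-equivalent) with shell {shell}")
        elif int(uid) < 1000 and name not in EXPECTED_UID0 and shell not in NOLOGIN_SHELLS:
            findings.append(f"passwd: system account {name} (uid {uid}) can log in via {shell}")
    return findings


def audit_crontab(text):
    """Flag cron entries whose program lives in a hidden (dot-named) or scratch directory."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        user, command = fields[5], fields[6]
        prog = command.split()[0]
        hidden = any(part.startswith(".") for part in prog.split("/") if part)
        if hidden or prog.startswith(SCRATCH_PREFIXES):
            findings.append(f"cron: {user} runs {prog} from a hidden or scratch location")
    return findings


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD) + audit_crontab(SAMPLE_CRONTAB):
        print(f)
```

Per-user crontabs (`crontab -l`) lack the user column; drop the `fields[5]` lookup and split on five fields to reuse `audit_crontab` on those.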

  17. Still can’t get in? • Denial of service? • Yes! … I mean, no! • Resource consumption • Attempts to exhaust finite resources (memory, CPU, file handles) • Poor programming • Unvalidated input variables, which usually lead to more serious vulnerabilities • Ex: “The Register” HTML variables (exposed to phishing attacks via XSS: http://wheresthebeef.co.uk/show.php/xss/clicknbuild.html)

  18. Conclusion • … people suck. • Do your homework. • Be cool. Stay in school. • Questions? • marwhit1@uat.edu
