CSIS 3756 Security Design
Mr. Mark Welton
Penetration Testing
• Definition, concepts on Penetration Testing/Hacking
• What is the difference between Penetration Testing and Vulnerability Assessment?
• What is the difference between Penetration Testing and Hacking?
• Anatomy of a Hack
• How does Penetration Testing differ from the Anatomy of a Hack?
Definition
• Vulnerability (Security Flaw): a specific failure of the system to guard against unauthorized access or actions. It can be in procedures, technology (SW or HW), or management.
• Using the failure of the system to violate the site security policy is called exploiting the vulnerability.
• Penetration Testing is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker. – Wikipedia
• Penetration Testing is a testing technique for discovering, understanding, and documenting the security holes that can be found in a system.
• It is not a proof technique. It can never prove the absence of security flaws; it can only prove their presence.
• Example goals of penetration studies are gaining read or write access to specific objects, files, or accounts; gaining specific privileges; and disruption or denial of the availability of objects.
• What is the difference between penetration testing and hacking/intrusion?
Penetration Testing vs. Vulnerability Assessment
• Vulnerability Assessment:
  • Typically general in scope and includes a large assessment.
  • Predictable. (I know when those darn security guys scan us.)
  • Unreliable at times, with a high rate of false positives. (I’ve got a banner.)
  • Vulnerability assessment invites debate among system admins.
  • Produces a report with mitigation guidelines and action items.
• Penetration Testing:
  • Focused in scope and may include targeted attempts to exploit specific vectors (both IT and physical).
  • Unpredictable by the recipient. (They don’t know the “how?” and “when?”)
  • Highly accurate and reliable. (I’ve got root!)
  • Penetration Testing = proof of concept against vulnerabilities.
  • Produces a binary result: either the team owned you, or they didn't.
Penetration Testing vs. Hacking
• Pen testers have prior approval from senior management.
• Hackers have prior approval from themselves.
• Pen testers’ social engineering attacks are there to raise awareness.
• Hackers’ social engineering attacks are there to trick the DMV into divulging sensitive information about the whereabouts of their estranged ex-spouse.
• Pen testers’ war driving = geeks driving cars with really long antennas, license plate reading “r00t3d”, while dyeing their hair green, looking to discover the hidden, unapproved networks your users thought it would be OK to install for you.
• Hackers’ wireless war driving doesn’t happen so often because 14-year-olds typically don’t have their license yet.
• Pen testers have pink mohawks and wear trenchcoats in July.
• Hackers have pink mohawks and wear trenchcoats.... that they bought with your bank account info.
Hacking Methodology (Steps)
• Footprinting: whois, nslookup
• Scanning: Nmap, fping
• Enumeration: DumpACL, showmount, legion, rpcinfo, Nessus
• Gaining Access: tcpdump, L0phtCrack, NAT, Metasploit
• Escalating Privilege: John the Ripper, getadmin
• Pilfering: rhosts, user data, config files, registry
• Covering Tracks: zap, rootkits
• Creating Back Doors: cron, at, startup folder, netcat, keystroke logger, remote desktop
• Denial of Service: Synk4, ping of death, tfn/stacheldraht
Footprinting
• Information gathering. Sam Spade is a Windows-based network query tool.
• Find out the target’s IP address/phone number range.
• Why check phone numbers?
• Namespace acquisition. Network topology (VisualRoute).
• It is essential to a “surgical” attack.
• The key here is not to miss any details.
• Note that for a penetration tester, this step is there to avoid testing someone other than your client, and to include all systems to be tested (sometimes the organization will not tell you what their systems consist of).
• Defense: deploy a NIDS (Snort), RotoRouter.
Scanning
• Bulk target assessment.
• Which machines are up and what ports (services) are open.
• Focus on the most promising avenues of entry.
• To avoid being detected, these tools can reduce the frequency of packet sending and randomize the order in which ports or IP addresses are scanned.
• Note that some machines do not respond to ping but do respond to requests to ports that are actually open. Ardor is an example.
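The evasion point above (slowing the probe rate and randomizing the order) is also the defender's detection problem: a scan is only visible as "one source, many distinct ports, short time". The following is an added example, not code from the slides: a small shell/awk detector run over constructed connection-log lines that flags any source touching at least N distinct destination ports within a time window. The log format (time, source, destination, port), the addresses and the thresholds are assumptions.

```shell
# Constructed sample connection log (not from the slides):
# "<HH:MM:SS> <src_ip> <dst_ip> <dst_port>", one accepted or dropped connection per line.
# 10.0.0.5 probes six ports in five seconds; 10.0.0.7 probes one port per minute;
# 10.0.0.9 is ordinary traffic to two ports.
SAMPLE_LOG='10:00:01 10.0.0.5 192.168.1.10 22
10:00:01 10.0.0.5 192.168.1.10 23
10:00:02 10.0.0.5 192.168.1.10 80
10:00:02 10.0.0.5 192.168.1.10 443
10:00:03 10.0.0.5 192.168.1.10 445
10:00:03 10.0.0.5 192.168.1.10 3389
10:00:04 10.0.0.9 192.168.1.10 443
10:00:05 10.0.0.9 192.168.1.10 443
10:00:06 10.0.0.9 192.168.1.10 80
10:01:00 10.0.0.7 192.168.1.10 21
10:02:00 10.0.0.7 192.168.1.10 22
10:03:00 10.0.0.7 192.168.1.10 25
10:04:00 10.0.0.7 192.168.1.10 53
10:05:00 10.0.0.7 192.168.1.10 110'

# detect_scanners THRESHOLD WINDOW_SECONDS
# Reads log lines on stdin and prints "src_ip distinct_port_count" for every
# source that touched at least THRESHOLD distinct destination ports inside one
# WINDOW_SECONDS-long bucket. A source active in two buckets is reported per bucket.
detect_scanners() {
  threshold="${1:-10}"
  window="${2:-60}"
  awk -v t="$threshold" -v w="$window" '
    NF >= 4 {
      split($1, h, ":")
      secs = h[1] * 3600 + h[2] * 60 + h[3]     # seconds since midnight
      bucket = int(secs / w)                     # which time window this line falls in
      key = $2 SUBSEP bucket SUBSEP $4           # source + window + destination port
      if (!(key in seen)) {                      # count each port once per window
        seen[key] = 1
        ports[$2 SUBSEP bucket]++
      }
    }
    END {
      for (k in ports) {
        if (ports[k] >= t) { split(k, p, SUBSEP); print p[1], ports[k] }
      }
    }' | sort
}

# Stand-alone demo: the fast scanner shows up with a one-minute window, the
# slow one only once the window is wide enough to hold its whole sweep.
echo "window 60s, threshold 5:"
printf '%s\n' "$SAMPLE_LOG" | detect_scanners 5 60
echo "window 600s, threshold 5:"
printf '%s\n' "$SAMPLE_LOG" | detect_scanners 5 600
```

The slow source is invisible at a one-minute window and only appears at ten minutes, which is exactly the trade-off the slide describes from the attacker's side: the wider the defender's window, the slower a scan has to be to stay under the threshold, at the cost of more false positives from busy legitimate hosts.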
Enumeration
• Identify valid user accounts or poorly protected resource shares.
• More intrusive probing than the scanning step.
Gaining Access
• Based on the information gathered so far, make an informed attempt to access the target.
Escalating Privilege
• If only user-level access was obtained in the last step, seek to gain complete control of the system.
Pilfering
• Webster's Revised Unabridged Dictionary (1913)
• Pilfer \Pil"fer\, v. i. [imp. & p. p. Pilfered; p. pr. & vb. n. Pilfering.] [OF. pelfrer. See Pelf.] To steal in small quantities, or articles of small value; to practice petty theft.
• Gather information to identify mechanisms that allow access to trusted systems.
Covering Tracks
• Once total ownership of the target is secured, hiding this fact from system administrators becomes paramount, before they react.
Creating Back Doors
• Trap doors will be laid in various parts of the system to ensure that privileged access is easily regained whenever the intruder decides.
Denial of Service
• If the attacker is unsuccessful in gaining access, they may use readily available exploit code to disable a target as a last resort.
How does Penetration Testing differ?
• Hacking Methodology: Footprinting, Scanning, Enumeration, Gaining Access, Escalating Privilege, Pilfering, Covering Tracks, Creating Back Doors, Denial of Service
• Penetration Testing Methodology: Footprinting, Scanning, Enumeration, Gaining Access, Escalating Privilege, Pilfering
How does Penetration Testing differ?
• The good guys usually get some small piece of proof and exit as quietly as they came.
• You have authority to do it.
Some Legal issues to consider
• First, can you do what you want to do where you want to do it?
• Is a war-dial legal against your own systems when going through a central office?
• Make sure you are protected with a “Letter of Authority”.
• Protect yourself with a “Get out of jail” type letter.
• Encrypt your data. You don’t want to be liable if your data is compromised.
More Lawyer Speak
• Watch, and throttle if necessary, your generated network traffic… Think stealth and covert.
• Think through your actions before doing them.
• Run these tools at your own risk. You are responsible for what you do.
• Test them on a stand-alone network with a network sniffer and review the source code.
• Obtain tools from the source.
• Verify checksums from multiple sources when applicable.
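“Verify checksums from multiple sources” is easy to state and easy to skip. As an added example (not code from the slides), the shell function below checks a downloaded tool against checksum files obtained from two or more independent sources and refuses it when the sources disagree with each other or the local hash differs from what they publish. The tool file, the checksum files and the “tampered” digest are constructed in a temporary directory; the SHA-256 of the constructed file is the well-known digest of the string "hello\n".

```shell
# Print the SHA-256 hex digest of a file using whichever tool the host has
# (sha256sum on Linux, shasum on BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksums FILE SOURCE_FILE...
# Each SOURCE_FILE is a checksum list fetched from one independent place
# (mirror, vendor page, signed release notes) in the usual "<sha256>  <name>"
# format. Returns 0 only when at least two sources are given, every source has
# an entry for FILE, all sources agree, and the local file matches them.
# Distinct non-zero codes tell the operator what went wrong.
verify_checksums() {
  file="$1"; shift
  [ "$#" -ge 2 ] || { echo "need at least two independent sources" >&2; return 2; }
  local_hash=$(sha256_of "$file")
  name=$(basename "$file")
  reference=""
  for src in "$@"; do
    # digest this source publishes for the file (a leading '*' marks binary mode)
    published=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$src")
    if [ -z "$published" ]; then
      echo "no entry for $name in $src" >&2; return 3
    fi
    if [ -z "$reference" ]; then
      reference="$published"
    elif [ "$published" != "$reference" ]; then
      echo "sources disagree: $src publishes $published, earlier source says $reference" >&2
      return 4
    fi
  done
  if [ "$local_hash" != "$reference" ]; then
    echo "MISMATCH for $name: local $local_hash, published $reference" >&2
    return 1
  fi
  echo "OK: $name $local_hash"
}

# Constructed demo data (not real downloads): a stand-in tool archive and three
# checksum files, one of which publishes a wrong digest.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'hello\n' > "$demo_dir/tool.tar"
good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03   # sha256 of "hello\n"
bad=0000000000000000000000000000000000000000000000000000000000000000    # constructed wrong digest
printf '%s  tool.tar\n' "$good" > "$demo_dir/mirror1.sha256"
printf '%s  tool.tar\n' "$good" > "$demo_dir/vendor.sha256"
printf '%s  tool.tar\n' "$bad"  > "$demo_dir/tampered.sha256"

# Stand-alone demo: agreement passes, a disagreeing source is refused.
verify_checksums "$demo_dir/tool.tar" "$demo_dir/mirror1.sha256" "$demo_dir/vendor.sha256"
verify_checksums "$demo_dir/tool.tar" "$demo_dir/mirror1.sha256" "$demo_dir/tampered.sha256" || echo "refused (exit $?)"
```

Keeping the “sources disagree” case separate from the “local file differs” case matters in practice: the first means you do not yet know which reference to trust and should stop and investigate the sources, the second means the download itself is wrong and should simply be discarded.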
What are your boundaries?
• Be as aggressive as you can and work to be creative. Now is when you can use the “thinking out of the box” classes that we’ve taken.
• Don’t get tunnel vision.
• Are you going to do physical penetrations?
  • Actually trying to break in, vs.
  • Wandering where you shouldn’t
• What about “social engineering”?
More Boundaries to Consider
• Application Service Providers (how can you use them?)
• Externally hosted resources
• Non-company equipment
• All need to be addressed with each customer and agreed upon.
Coordinating Activities
• Identify activities, persons, processes, and events that could affect the penetration test:
  • Network quiet time
  • Major upgrades
  • Layoffs
  • Strikes
  • Administrator’s day off
  • Late at night when the NID monitoring staff is sleeping
• Your advantage?
What’s your perspective?
• Before proceeding, decide what perspective your team will take during the exercise.
• What will the initial level of access and the amount of information be?
  • Outsider with no previous knowledge
  • Outsider with insider knowledge (with an inside partner or former insider)
  • Low-level insider (end user)
  • High-level insider (system or network administrator)
The Authorization Letter
• A signed letter from the “appropriate person”. This could be an officer, the CIO, the owner, etc.
• Includes:
  • Who will perform the test
  • When the test will be performed
  • Why the test is being performed
  • What types of activities will take place
  • Targeted systems or locations
  • Customer contacts for verification
  • May include reasons to prematurely conclude the test
  • A request for cooperation to minimize notification of your activities
• Is legal review of the letter important?
  • May address liability issues
Premature Termination
• Why would you end your test before the allotted time frame?
  • Busted! The customer has detected your activities and sounded the alarm.
  • You’ve caused a negative impact such as a network or system outage.
  • You are not the person to successfully gain access.
  • You uncover such a significant vulnerability that you need to alert the system or network administrators.
  • You were slightly off on your IP addresses.
  • You’ve achieved your goal.
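Two slides describe the same failure from different ends: the footprinting note about not testing someone other than your client, the authorization letter's list of targeted systems, and “slightly off on your IP addresses” as a reason to stop. An added example, not code from the slides, that turns the check into something run before any packet is sent: a POSIX shell scope filter that reads the authorised CIDR ranges from the Letter of Authority and reports every target outside them. The ranges, the file and the targets are constructed from documentation address space.

```shell
# ip_to_int A.B.C.D -> the address as a 32-bit integer, or exit status 1 for
# anything that is not a dotted quad. Runs in a subshell so the IFS change and
# the positional parameters do not leak into the caller.
ip_to_int() (
  IFS=.
  set -- $1
  [ "$#" -eq 4 ] || exit 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) exit 1;; esac   # reject empty or non-numeric octets
    [ "$o" -le 255 ] || exit 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr IP CIDR -> 0 when IP lies inside CIDR ("192.168.10.0/24" or a bare
# address, which is treated as /32); 2 when either side does not parse.
in_cidr() {
  ip=$(ip_to_int "$1") || return 2
  net=${2%/*}
  bits=${2#*/}
  [ "$bits" != "$2" ] || bits=32
  netint=$(ip_to_int "$net") || return 2
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  fi
  [ $(( ip & mask )) -eq $(( netint & mask )) ]
}

# check_scope AUTHORIZED_FILE TARGET...
# AUTHORIZED_FILE holds the ranges from the Letter of Authority, one per line,
# with '#' comments allowed. Prints a verdict per target and returns 1 if any
# target is outside every authorised range, so a pipeline can stop there.
check_scope() {
  auth="$1"; shift
  rc=0
  for target in "$@"; do
    ok=no
    while read -r cidr _; do
      case $cidr in ''|\#*) continue;; esac
      if in_cidr "$target" "$cidr"; then ok=yes; break; fi
    done < "$auth"
    if [ "$ok" = yes ]; then
      echo "IN-SCOPE     $target"
    else
      echo "OUT-OF-SCOPE $target"
      rc=1
    fi
  done
  return $rc
}

# Constructed demo scope file (documentation/private ranges, not a real client).
scope_file=$(mktemp)
trap 'rm -f "$scope_file"' EXIT
cat > "$scope_file" <<'EOF'
# ranges as they might appear in a Letter of Authority (constructed)
192.168.10.0/24
10.20.0.0/16
203.0.113.7
EOF

# Stand-alone demo: one target is off by one in the third octet.
check_scope "$scope_file" 192.168.10.45 10.20.33.1 203.0.113.7 192.168.11.3 \
  || echo "stop: at least one target is outside the authorised ranges"
```

Feeding the real target list through this before the scanning step catches the typo class of error (192.168.11.x instead of 192.168.10.x) that the “slightly off on your IP addresses” bullet refers to, and the log line it prints is something to keep in the engagement log-book as evidence that the check was done.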
The Pen-Test Paradox
• Remember, in general, success from your perspective does not equal success from your customer’s perspective.
• Somebody generally goes home unhappy.
• Watch morale issues on your team.
Turning a black-box pen test into a white-box pen test
• Depending on your target, can you obtain a “clone” of the target?
• It is often a lot easier to experiment, play, and sometimes destroy a controlled system.
• For example, based on your fingerprinting results, you’ll have a pretty good idea of the current configuration.
  • Configure another machine as a clone
  • Borrow or buy a clone system
Almost ready
• You must have a log-book of every activity that everybody does.
• Electronic or manual, just include the basics of who, what, when, and how.
• The Linux “script <filename>” command is a great tool to save your logs for each terminal session. Control-D exits, and I use a convenient (but long) filename such as exchpt.gm.2003mar04.
• Plan your efforts and communicate continuously with team members.
Murphy’s Law
• Everything that goes wrong on the target host, network, or on the Internet from two weeks before you plug in to two weeks after you submit the report will be your fault.
• Document everything!
• Can you script operations to increase efficiency and reduce errors?
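The log-book slide asks for who, what, when and how on every action, and the Murphy’s Law slide asks whether operations can be scripted so the record is kept automatically. The added example below (not code from the slides) does both in POSIX shell: it builds typescript names in the exchpt.gm.2003mar04 style, wraps script(1) for whole interactive sessions, and runs individual commands through a wrapper that records start, end and exit status in a tab-separated log-book. The LOGBOOK path, the project name and the initials are assumptions; the demo writes to a temporary file, whereas a real engagement log-book is kept.

```shell
# Path of the engagement log-book (assumption). The demo uses a temporary file
# and removes it on exit; in a real engagement point LOGBOOK at a kept file.
LOGBOOK="${LOGBOOK:-$(mktemp)}"
trap 'rm -f "$LOGBOOK"' EXIT

# logbook_name PROJECT INITIALS [YYYYMonDD]
# Per-session typescript name in the slide's style: project, tester initials,
# date, all lower-case, e.g. exchpt.gm.2003mar04. The date defaults to today.
logbook_name() {
  day="${3:-$(date +%Y%b%d)}"
  printf '%s.%s.%s\n' "$1" "$2" "$day" | tr 'A-Z' 'a-z'
}

# log_entry WHO WHAT HOW [STATUS]
# Appends one line: when (UTC), who, what, how, status.
log_entry() {
  printf '%s\t%s\t%s\t%s\t%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" "${4:-}" >> "$LOGBOOK"
}

# run_logged WHO COMMAND [ARGS...]
# Runs a command, records it before and after together with its exit status,
# and returns that status so the caller can still react to a failure.
run_logged() {
  who="$1"; shift
  log_entry "$who" "$*" "command start"
  "$@"; status=$?
  log_entry "$who" "$*" "command end" "exit=$status"
  return $status
}

# start_session_log PROJECT INITIALS
# Starts an interactive shell whose whole terminal session is captured by
# script(1) into the named file (appending); Control-D ends it, as on the slide.
start_session_log() {
  f=$(logbook_name "$1" "$2")
  log_entry "$2" "script -a $f" "terminal capture started"
  script -a "$f"
}

# logged_entries -> number of lines in the log-book so far
logged_entries() { wc -l < "$LOGBOOK" | tr -d ' '; }

# Stand-alone demo (constructed): one command that succeeds, one that fails.
echo "typescript name for today: $(logbook_name exchpt gm)"
run_logged gm true
run_logged gm sh -c 'exit 3' || echo "recorded failure, exit $?"
cat "$LOGBOOK"
```

Recording the exit status is the part that pays off under Murphy’s Law: when the customer later asks what you ran against a host at 02:14, the log-book answers who ran it, what it was, and whether it even completed, without relying on anyone’s memory.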