Transcript Penetration Testing Presentation

A Discussion In
Penetration Testing
Marcial White
Introduction
•
•
•
•
Definition of “Hacker”
White Hat vs. Black Hat
Open Source
Methodologies
Penetration Testing Concepts
• What is a penetration test?
– Public Image
– Border Networks
– Interior Networks
• What do they produce?
– What don’t they produce?
• How extensive are they?
• White Box vs. Black Box
Methodology Overview
• Footprinting
–
–
–
–
•
•
•
•
•
Search Engine Hacking
Social Engineering
White Box Footprinting
Black Box Footprinting
Network Enumeration
Gaining Access to the Network
Escalating Privileges
Covering Your Tail
Retaining Control
– Rogue User Accounts
• If All Else Fails …
• Some Defenses
Google Hacking
• Zero-footprint profiling of the target
• Start with the simple stuff
– Company Name
• Do popularity searches on the people you find in the first
search
• Look for important looking people
• A full list of operators available at
– http://www.google.com/help/operators.html
• http://johnny.ihackstuff.com
• For example, “filetype:txt inurl:robots
site:whitehouse.gov “
Social Engineering
• “The practical application of sociological principles
to particular social problems”
(http://www.dictionary.com)
• “the practice of obtaining confidential information
by manipulation of legitimate users” (Wikipedia)
• Examples: Lord Nikon and Cereal Killah from
Hackers (the most realistic hacking movie ever).
• Relying on people not reading the EULAs – the
Microsoft PLUS! Scheme.
• Kevin Mitnick: The Art of Deception & The Art of
Intrusion
White Box Footprinting
• Consult the existing network diagram
• Scan the network
• Compare results
– Find running services
– Find live hosts
• fping, ICMPenum, Ethereal
– Record hops between an interior host
and the border of the network
(traceroute)
• WhoIs
Black Box Footprinting
• What do you know?
– Most get a single IP to start with
• Find out what you can on that IP
• WhoIs it?
–
–
–
–
–
http://www.centralops.net
http://www.samspade.org
NSLookup
Visual Route
Email Tracker PRO (wooptyfriggindo)
• Often times more systems will be found
than were reported. Document everything.
Enumerate the Network
• Overlaps a bit of the footprinting …
• NMap is your friend
– XMAS Scan
• nmap –sX host.com
– A successful XMAS scan will find one of two things
» A closed port on a host will reply with RST
» Open ports will lay conspicuously silent.
– Fe3d for documentation
• nmap –oX filename.xml host.com
Nmap XMAS Scan
Fe3d
Gaining Access …
• Sniff passwords with a protocol
analyzer
•
•
•
•
Ethereal
Etherpeek
TCPDump
Snort
• Nessus
• NASL
• NT Info Scan
• ReadSMB
Escalating Privileges
• Be SILENT!
• Brute Force Tools
• John The Ripper
• Cain and Abel
• L0phtCrack
• Trojan\Back doors
• Netbus “Remote Administration and Spy Tool”
• Man in the Middle Attacks
• Inherent TCP/IP flaws
– Three Way Handshakes
– Packet Headers
– ARP
» Ettercap
• Unix\Linux rhosts files
• Usually located at ~/.rhosts
» Recommended permissions: 600
+
HostName
-HostName
+@NetGroup
-@NetGroup
• Also of interest: /etc/host.equiv
» Allows remote machines to execute
commands on the local machine
• Windows LSA Secrets
• Older Windows machines (NT 3.51 – 4.0)
• Dumps various LSA secrets such as service
passwords (plain text), cached password hashes of
the last users to login to a machine, FTP, WEB, etc.
plaintext passwords, RAS dial up account names,
passwords etc, workstation passwords for domain
access, etc.
Covering your tail
•
•
•
•
•
It’s all in the configuration
Command history
ftp/telnet/ssh/etc logs
Dynamically generated routing tables
Logging daemons
• klogd
• metalog
» Look in /var/log/, /etc/, /usr/bin
• Hide your tools
• Hidden files
• Obscure naming convention
• *nix
» /.rootkits
» Veto files
» Burying the files
• *doze:
» Hidden system files
» Burying the files
Keeping your doors open
• Creating rogue user accounts
• Permissions
» RWXRWXRWX
» Groups
» Creating accounts called “tty”
• Windows Administrator
• Retaining control
• cron jobs
• Keyloggers
» Regload
» LKL
Still can’t get in?
• Denial of service?
» Yes! …. I mean, no!
• Resource Consumption
» Attempts to use finite resources (memory,
CPU, file handling)
• Poor programming
» Vulnerable variables, which usually lead to
more serious vulnerabilities
» Ex: “The Register” HTML variables (exposed
to phishing attacks
http://wheresthebeef.co.uk/show.php/xss/clicknbuild.html)
Conclusion
• … people suck.
• Do your homework.
• Be cool. Stay in school.
• Questions?
• [email protected]