Mapping the Pen Tester`s Mind
Download
Report
Transcript Mapping the Pen Tester`s Mind
Mapping The Penetration Tester’s Mind
0 to Root in 60 Min
#MappingThePenTestersMind
1
1 Introduction
2 Methodology
3 Tools
4 Technical Walkthrough of Testing
5 Further Learning
6 Questions
2
Who is this guy in front of me??
GOOD Question
Background:
• Penetration Tester for 12 years
• Network Engineer for 13 years
• In IT for 15 years
• Regulatory Technology Tester 5 years
• Specializes in mobile technologies and communications
• Social Engineering
• Physical Security
3
Who is this guy in front of me??
Talks:
• NotACon
• Secure360
• SecurityBSides
• Chicago
• Rochester
• Dallas-Fort Worth
• Los Angeles
• Las Vegas
• DeepSec
• SecTor
• ISSA / ISSACA Meetings
• Hacker Space Invitationals
4
Who is this guy in front of me??
Publications:
• “Mapping The Penetration Tester’s Mind: An Auditors Introduction to PenTesting” (Book)
– Late 2012
•
“Mapping The Penetration Tester’s Mind: An Auditors Introduction To PenTesting”
(Presentation) – 2012
•
“Mapping The Penetration Tester’s Mind: 0 to Root in 60 Min” - 2012
•
“Weaponizing The Smartphone – Protecting Against The Perfect WMD” – 2011
•
“Weaponizing The Smartphone – Deploying The Perfect WMD” – 2011
•
“Don’t Bit The ARM That Feeds You – Integrating Mobile Technologies Securely Into
Mature Security Programs” – 2011
•
“Bond Tech – I Want More Than Movie Props” - 2011
5
INTRODUCTION
•
6
What is a penetration test?
– A penetration test, occasionally pentest, is a method of
evaluating the security of a computer system or network
by simulating an attack from malicious outsiders (who do
not have an authorized means of accessing the
organization's systems) and malicious insiders (who have
some level of authorized access). The process involves an
active analysis of the system for any potential
vulnerabilities that could result from poor or improper
system configuration, both known and unknown
hardware or software flaws, or operational weaknesses in
process or technical countermeasures. This analysis is
carried out from the position of a potential attacker and
can involve active exploitation of security vulnerabilities.
wikipedia
INTRODUCTION
•
7
Penetration tests are valuable for several reasons:
– Determining the feasibility of a particular set of attack vectors
– Identifying higher-risk vulnerabilities that result from a combination
of lower-risk vulnerabilities exploited in a particular sequence
– Identifying vulnerabilities that may be difficult or impossible to
detect with automated network or application vulnerability scanning
software
– Assessing the magnitude of potential business and operational
impacts of successful attacks
– Testing the ability of network defenders to successfully detect and
respond to the attacks
– Providing evidence to support increased investments in security
personnel and technology
Wikipedia
INTRODUCTION
•
Testing Types
– White Box Testing
• In penetration testing, white-box testing refers to a
methodology where an ethical hacker has full
knowledge of the system being attacked. The goal of
a white-box penetration test is to simulate a
malicious insider who has some knowledge and
possibly basic credentials to the target system.
– Black Box Testing
• In penetration testing, black-box testing refers to a
methodology where an ethical hacker has no
knowledge of the system being attacked. The goal of
a black-box penetration test is to simulate an
external hacking or cyber warfare attack.
wikipedia
8
1 Introduction
2 Methodology
3 Tools
4 Mapping The PenTester’s Mind
5 Further Learning
6 Questions
9
METHODOLOGY
10
METHODOLOGY
Reconnaissance
– Using non-intrusive methods to enumerate
information about the network under test. DNS,
Whois and Web searching are used.
– Objective:
• To enumerate the target organization's “Internet
Footprint”, which represents the sum of all active IP
addresses and listening services and to identity potential
vulnerabilities
11
METHODOLOGY
Network Surveying & Vulnerability Scanning
– This is the process of refining the target list
produced during the passive reconnaissance phase
by using more intrusive methods such as port
scanning, service and OS fingerprinting, and
vulnerability scanning. Nmap, Nexpose and other
scanning tools are used.
– Objective:
• To obtain visibility in the network; Determining which
devices are targets and enumerating possible threats to the
network.
12
METHODOLOGY
Vulnerability Research & Verification
– In this phase, a vulnerability scanner is run against
the devices gathered in previous phases.
– Objective:
• To take knowledge gathered in previous phases, check for
known vulnerabilities and configuration error.
– Objective:
• To obtain access to services and devices that are not
available through configuration error and vulnerability
exploitation.
13
METHODOLOGY
• Password Attacks
– Services with authenticated logins are tested
against a username and password list created in
previous phases.
– Objective:
• To verify password policies, best practices, and complexity
requirements are in use and properly enforced.
14
METHODOLOGY
•
Reporting and Analysis
– In this phase, an analysis of the results found during the
automated and manual aspects of the assessment.
– Objective:
• To build a deliverable containing the greatest risks to
the organization being testing.
15
1 Introduction
2 Methodology
3 Tools
4 Mapping The PenTester’s Mind
5 Further Learning
6 Questions
16
TOOLS
17
1 Introduction
2 Methodology
3 Tools
4 Mapping The PenTester’s Mind
5 Further Learning
6 Questions
18
Mapping The PenTester’s Mind
Who should do the
test?
19
Mapping The PenTester’s Mind
• Interview the vendor AND the Tester
• Experience Levels of the Tester
– Free range
– Enterprise class
• Know the data retention policy
• Create a relationship with your tester
– they are your guide not only an employee or consultant
20
Mapping The PenTester’s Mind
SOWs & SCOPE
21
Before you begin…
• The single most important thing to have when
performing a penetration test is permission
• The second is a clear scope for your testing
• Then…
– Identify any testing restrictions such as black outs
or DoS attacks
– Discuss real-time disclosures of immediate risks
– Establish an emergency escalation process in the
event the testing goes awry
22
Watch out!
• Don’t assume that everyone is aware of your testing.
Many times the proper staff is not notified of ongoing testing until it is too late
• Be careful when impersonating real third party
companies
• Verify IP typos during testing
• Get permission if you are going to poke a vulnerable
box that is out of scope
23
Mapping The PenTester’s Mind
DISCOVER TARGETS
24
NMAP
25
Metasploit Scanning
26
Metasploit Scanning
27
Mapping The PenTester’s Mind
VULNERABILITY
ASSESSMENT
28
Nexpose Scanning
29
Nexpose Scanning
30
Mapping The PenTester’s Mind
MAN IN THE MIDDLE
31
EXECUTE ARP POISON
32
Mapping The PenTester’s Mind
EXPLOITATION
33
Mapping The PenTester’s Mind
• Low Hanging Fruit
• Think outside the box
• Exploitation does not always require there to be a
technical vulnerability
• Leverage the Human Factor
• Administrators want things to be easy to support
34
MS08-067
35
MS08-067
36
Mapping The PenTester’s Mind
37
Mapping The PenTester’s Mind
38
Mapping The PenTester’s Mind
CREDENTIAL
AND
HASH
COLLECTION
39
COLLECTING CREDENTIALS – HTTP/HTTPS
40
COLLECTING CREDENTIALS - SMB
41
Mapping The PenTester’s Mind
42
Mapping The PenTester’s Mind
43
Mapping The PenTester’s Mind
44
Mapping The PenTester’s Mind
PASS-THE-HASH
(NOT THAT KIND)
45
Mapping The PenTester’s Mind
46
Mapping The PenTester’s Mind
47
Mapping The PenTester’s Mind
48
Mapping The PenTester’s Mind
49
PSEXEC WITH A LOCAL ACCOUNT HASH
50
PSEXEC WITH A LOCAL ACCOUNT HASH
51
CREATE LOCAL ADMINISTRATOR ACCOUNT
52
REMOTE DESKTOP VIA RAPID7 LOCAL ADMIN
53
Mapping The PenTester’s Mind
LOCAL ADMIN…
MEH, THAT’S NOT
MY DOMAIN
54
Mapping The PenTester’s Mind
INCOGNITO
55
Mapping The PenTester’s Mind
56
Mapping The PenTester’s Mind
57
Mapping The PenTester’s Mind
58
Mapping The PenTester’s Mind
59
Mapping The PenTester’s Mind
60
Mapping The PenTester’s Mind
61
Mapping The PenTester’s Mind
62
Mapping The PenTester’s Mind
63
Mapping The PenTester’s Mind
64
Mapping The PenTester’s Mind
65
Mapping The PenTester’s Mind
66
Mapping The PenTester’s Mind
67
Mapping The PenTester’s Mind
PSEXEC
68
PSEXEC WITH DOMAIN ADMIN ACCOUNT
69
SESSIONS CREATED WITH CREATED DOMAIN ADMIN
70
COMPLETE DOMAIN CONTROL
71
Mapping The PenTester’s Mind
MY HARDWARE IS
SAFE RIGHT??
72
NETWORK HARDWARE ACCESS – SSH SESSIONS
73
LOCAL ACCESS
I trust ALL of my
contractors…
74
BOOT FROM USB
75
BOOT TO UNAUTHORIZED OS
76
MOUNT AND ACCESS LOCAL HARDDRIVE
77
REPLACE Sethc.exe
78
SYSTEM LEVEL CMD PROMPT ON LOGIN SCREEN
79
1 Introduction
2 Methodology
3 Tools
4 Mapping The PenTester’s Mind
5 Further Learning
6 Questions
Further Learning
• www.offensivesecurity.com/metasploit-unleashed
• community.Rapid7.com
• SecurityBSides.com < WOOT WOOT!!
• Metasploit: The Penetration Tester's
Guide
• by David Kennedy, Jim O'Gorman,
Devon Kearns, Mati Aharoni
• Local DC (DefCon) Groups &
Meetings
• Local Hackerspaces
81
Mapping The PenTester’s Mind
Taking a step by step approach
makes the expansiveness of a
network becomes very narrow and a
single vulnerability can lead to a
larger problem.
82
1 Introduction
2 Methodology
3 Tools
4 Mapping The PenTester’s Mind
83
5
Further Learning
6
Questions
Questions?
Kizz MyAnthia – Nick D.
Senior Penetration Tester
E-mail: [email protected]
Website: www.KizzMyAnthia.com
Twitter: @Kizz_My_Anthia
www.metasploit.com
www.rapid7.com
www.SecurityBSides.com
84