to Presentation Slides
Download
Report
Transcript to Presentation Slides
Basic Expectations and Performance
Hacking is illegal and should not be
performed. This presentation does not
condone or approve of hacking in any way.
Penetration Testing is an agreed form of audit
between two parties and should be bound in
writing defining the scope and nature of what
is to be audited.
This presentation is solely for academic and
educational purposes only.
Initial planning of the audit
External Scanning/Footprinting
Internal Scanning
Vulnerability Assessment
John the Ripper usage
Metasploit basics
Post-audit reporting
Type of audit to assess security of a system
Provides feedback to the stakeholder what
their security posture is like
Enumerates weaknesses and gives
countermeasures/suggestions to strengthen
Penetration Test may be included in a
scheduled audit or independently
May be announced or unannounced
Define the scope
Decide who will perform the audit
▪ Conflict of interest
▪ Non-trusted party
Ensure the scope is clearly understood by
both parties
Understand what the auditors are capable of
testing
Certified?
As the client negotiating, remain in control
Get bids- Gives a good comparison of prices
Understand your responsibility to the client
Your access/attempted access will be
privileged
Try to be as non-invasive as possible unless
given permission
Sometimes a proof-of-concept is all that’s needed
The client expects a report. Ensure
deliverables are agreed on
Business is at stake, know when to begin
Remember that this is an audit and that every
activity must be documented
External activity is not exempt from
documentation.
Keep a mindset as if you were collecting evidence
Prepare your tools
▪ Run updates on your software
▪ Pack extra batteries
Planning is crucial for every step taken
Plan to meet
Plan for introductions
Plan for the surprise attacks
Plan for the unexpected
Plan to introduce presence to the
unsuspecting
▪ In cases of unannounced audits, special actions may
need to have preparations in case caught or blown cover
Port scanning from the internet is simple
Need the public IP Address for the company
Run a port scanner (NMAP) with options and
discover what port are open.
If a known port is found, scripts are good at
discovering the security state of that port.
Scripts that are available online can be a huge
threat since anyone can use them.
Look at email traces.
Provides IP Addresses to mail servers
IP Addresses can lead to more destinations on the
internet for scanning and profiling
Down side
IP Addresses can lead to web hosted email
services
Sometimes the PTR’s can lead to a host with a
robust firewall as a dead end.
Web site can give good information when
looking for emails, executives, and technical
staff.
Excellent for social engineering attempts.
If there are interactive web pages, further
research can uncover exploitable items
(XSS,web injections, or simple valid queries)
Depends on the scope and plan
Performing undercover scans and testing is
best done before introducing to the
unsuspecting.
Good time to also social engineer, test
policies, and scan wireless
Test policies for information control
Use kismet or other wireless scanner
After presence is known, ensure the IT staff
knows what type of testing will be
performed, expectations of event logs, and
NOT to adjust security posture during the
audit.
Survey the network in any case whether you
know the network diagram or are blind
testing
Scans include all devices on the network,
their Operating System, open ports, and
services running
If feasible, look for open access ports to the
network in discreet areas.
Ideal for placing your own wireless access points
Try the low hanging fruit
Check network places and shared drives for
unrestricted access.
▪ Copy machines may have onboard hard drives with file
sharing
▪ Users may know enough to be dangerous sharing
folders
Network scanner
Identifies devices and Operating Systems
More quiet than pinging devices
Uses the REQ,ACK,SYN for communications
Returns open ports and has options for more
stealthy operations on a sensitive network
Nessus
Free for personal use
Linux can use apt-get
Windows can download
Requires registration before usage
openVAS
Spin off of Nessus
http://www.openvas.org/
Enumerates vulnerabilities per device
Web GUI provides easy usage and real-time
enumerations
Works with Metasploit to provide a scan and
attempt at known vulnerabilities
Requires database for saving Nessus scans
Use the “Search” in Metasploit to find
modules relating to scans to begin probing
Offline password cracker
Used on SAM dumps, LANMAN, most types
of password hashes
Can also be used to generate mangled
wordlists for uses with other tools.
Know the how to write rules in john.conf file
Output file can be in a txt format
Remember the john.pots file
Online password cracking
Great for dictionary attacks (wordlists)
Best if used on known open ports
Wordlists can be found online and mangled
with JTR for more complex P@55w0rds!
Read any precautionary comments before
starting. Some exploits could cause damage to
databases or resources costing your client
money
Try not to use client’s network to do quick
research, it could contaminate results
Advise IT staff of certain network loading tests
and log expectations
Ask, when in doubt if a critical resource is
discovered vulnerable, about exploiting
Proof-of-concept may be all that is needed
Metasploit is an open source platform
supports vulnerability research
exploit development
creation of custom security tools
Included in BackTrack distributions
Recommend intense training to master
Metasploitable VM download
Known vulnerability occurs in victim
Related exploit is set in Metasploit
Options are configured for the victim
Payloads are viewed and selected
Payloads are what the attacker wishes to happen
Exploit occurs causing the victim process to
crash
Payload is triggered
Metasploit offers much more than the scope
of this presentation
Fuzzing protocols like IMAP and TFTP
▪ Writing fuzzers can become the first step to creating
new exploits
▪ Good for protocols on the network that have no known
module
Password sniffing on the wire
Creating backdoors to maintain access
Check for any open activities
Confer with IT staff that all network activity is
normal
Ensure all documentation is collected
Generate documentation of all work
performed
Official audit report to the client
Should incorporate summaries, details, and
exhibits
Include screenshots and pictures taken
Describe details of each action and what threat it
presents
In most cases, a brief presentation to client
and selected staff will be performed
Include most significant threats discovered and
solutions
Emphasize the impact of all negative findings to
the business
Include positive notes where security was solid
Audit report is a confidential document to the
client
It is an official report that will be integrated
into reports of other audits for that client
Use encryption if delivering by email
Exercise infosec in all cases regardless of
method used for communications
Be thorough, use passive writing, use pictures
Instill confidence in your client and yourself
Know your capabilities and limits, personally
and legally
Perform a thorough audit documenting as
you go
Sharpen and research tools
Deliver solid feedback and suggestions
http://www.offensive-security.com/metasploitunleashed/Main_Page
http://www.openwall.com/john/
http://www.openwall.com/john/doc/RULES.sht
ml
http://thc.org/thc-hydra/
http://www.foofus.net/~jmk/medusa/medusa.ht
ml
http://www.tenable.com/products/nessus
http://nmap.org/
http://www.backtrack-linux.org/
https://www.owasp.org/index.php/Main_Page