Transcript to Presentation Slides

Basic Expectations and Performance



Hacking is illegal and should not be
performed. This presentation does not
condone or approve of hacking in any way.
Penetration Testing is an agreed form of audit
between two parties and should be bound in
writing defining the scope and nature of what
is to be audited.
This presentation is solely for academic and
educational purposes only.







Initial planning of the audit
External Scanning/Footprinting
Internal Scanning
Vulnerability Assessment
John the Ripper usage
Metasploit basics
Post-audit reporting



Type of audit to assess security of a system
Provides feedback to the stakeholder what
their security posture is like
Enumerates weaknesses and gives
countermeasures/suggestions to strengthen




Penetration Test may be included in a
scheduled audit or independently
May be announced or unannounced
Define the scope
Decide who will perform the audit
▪ Conflict of interest
▪ Non-trusted party


Ensure the scope is clearly understood by
both parties
Understand what the auditors are capable of
testing
 Certified?


As the client negotiating, remain in control
Get bids- Gives a good comparison of prices



Understand your responsibility to the client
Your access/attempted access will be
privileged
Try to be as non-invasive as possible unless
given permission
 Sometimes a proof-of-concept is all that’s needed

The client expects a report. Ensure
deliverables are agreed on

Business is at stake, know when to begin
 Remember that this is an audit and that every
activity must be documented
 External activity is not exempt from
documentation.
 Keep a mindset as if you were collecting evidence
 Prepare your tools
▪ Run updates on your software
▪ Pack extra batteries

Planning is crucial for every step taken
 Plan to meet
 Plan for introductions
 Plan for the surprise attacks
 Plan for the unexpected

Plan to introduce presence to the
unsuspecting
▪ In cases of unannounced audits, special actions may
need to have preparations in case caught or blown cover

Port scanning from the internet is simple
 Need the public IP Address for the company
 Run a port scanner (NMAP) with options and
discover what port are open.

If a known port is found, scripts are good at
discovering the security state of that port.
 Scripts that are available online can be a huge
threat since anyone can use them.

Look at email traces.
 Provides IP Addresses to mail servers
 IP Addresses can lead to more destinations on the
internet for scanning and profiling

Down side
 IP Addresses can lead to web hosted email
services
 Sometimes the PTR’s can lead to a host with a
robust firewall as a dead end.



Web site can give good information when
looking for emails, executives, and technical
staff.
Excellent for social engineering attempts.
If there are interactive web pages, further
research can uncover exploitable items
(XSS,web injections, or simple valid queries)



Depends on the scope and plan
Performing undercover scans and testing is
best done before introducing to the
unsuspecting.
Good time to also social engineer, test
policies, and scan wireless
 Test policies for information control
 Use kismet or other wireless scanner

After presence is known, ensure the IT staff
knows what type of testing will be
performed, expectations of event logs, and
NOT to adjust security posture during the
audit.



Survey the network in any case whether you
know the network diagram or are blind
testing
Scans include all devices on the network,
their Operating System, open ports, and
services running
If feasible, look for open access ports to the
network in discreet areas.
 Ideal for placing your own wireless access points

Try the low hanging fruit
 Check network places and shared drives for
unrestricted access.
▪ Copy machines may have onboard hard drives with file
sharing
▪ Users may know enough to be dangerous sharing
folders





Network scanner
Identifies devices and Operating Systems
More quiet than pinging devices
Uses the REQ,ACK,SYN for communications
Returns open ports and has options for more
stealthy operations on a sensitive network

Nessus
 Free for personal use
 Linux can use apt-get
 Windows can download
 Requires registration before usage

openVAS
 Spin off of Nessus
 http://www.openvas.org/



Enumerates vulnerabilities per device
Web GUI provides easy usage and real-time
enumerations
Works with Metasploit to provide a scan and
attempt at known vulnerabilities
 Requires database for saving Nessus scans

Use the “Search” in Metasploit to find
modules relating to scans to begin probing



Offline password cracker
Used on SAM dumps, LANMAN, most types
of password hashes
Can also be used to generate mangled
wordlists for uses with other tools.
 Know the how to write rules in john.conf file
 Output file can be in a txt format
 Remember the john.pots file




Online password cracking
Great for dictionary attacks (wordlists)
Best if used on known open ports
Wordlists can be found online and mangled
with JTR for more complex P@55w0rds!
Read any precautionary comments before
starting. Some exploits could cause damage to
databases or resources costing your client
money
 Try not to use client’s network to do quick
research, it could contaminate results
 Advise IT staff of certain network loading tests
and log expectations
 Ask, when in doubt if a critical resource is
discovered vulnerable, about exploiting
 Proof-of-concept may be all that is needed


Metasploit is an open source platform
 supports vulnerability research
 exploit development
 creation of custom security tools



Included in BackTrack distributions
Recommend intense training to master
Metasploitable VM download




Known vulnerability occurs in victim
Related exploit is set in Metasploit
Options are configured for the victim
Payloads are viewed and selected
 Payloads are what the attacker wishes to happen


Exploit occurs causing the victim process to
crash
Payload is triggered

Metasploit offers much more than the scope
of this presentation
 Fuzzing protocols like IMAP and TFTP
▪ Writing fuzzers can become the first step to creating
new exploits
▪ Good for protocols on the network that have no known
module
 Password sniffing on the wire
 Creating backdoors to maintain access



Check for any open activities
Confer with IT staff that all network activity is
normal
Ensure all documentation is collected

Generate documentation of all work
performed
 Official audit report to the client
 Should incorporate summaries, details, and
exhibits
 Include screenshots and pictures taken
 Describe details of each action and what threat it
presents

In most cases, a brief presentation to client
and selected staff will be performed
 Include most significant threats discovered and
solutions
 Emphasize the impact of all negative findings to
the business
 Include positive notes where security was solid





Audit report is a confidential document to the
client
It is an official report that will be integrated
into reports of other audits for that client
Use encryption if delivering by email
Exercise infosec in all cases regardless of
method used for communications
Be thorough, use passive writing, use pictures





Instill confidence in your client and yourself
Know your capabilities and limits, personally
and legally
Perform a thorough audit documenting as
you go
Sharpen and research tools
Deliver solid feedback and suggestions
http://www.offensive-security.com/metasploitunleashed/Main_Page
 http://www.openwall.com/john/
 http://www.openwall.com/john/doc/RULES.sht
ml
 http://thc.org/thc-hydra/
 http://www.foofus.net/~jmk/medusa/medusa.ht
ml
 http://www.tenable.com/products/nessus
 http://nmap.org/
 http://www.backtrack-linux.org/
 https://www.owasp.org/index.php/Main_Page
