Transcript Slide 1

Mr. Mark Welton





Definition, Concepts on Penetration Testing/Hacking
What is the difference between Penetration Testing and Vulnerability Assessment?
What is the difference between Penetration Testing and Hacking?
Anatomy of a Hack
How does Penetration Testing differ from the Anatomy of a Hack?







Vulnerability (Security Flaw): a specific failure of the system to guard against unauthorized access or actions. It can be in procedures, technology (SW or HW), or management.
Using the failure of the system to violate the site security policy is called exploiting the vulnerability.
Penetration Testing is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker. – Wikipedia
Penetration Testing is a testing technique for discovering, understanding, and documenting the security holes that can be found in a system.
It is not a proof technique. It can never prove the absence of security flaws; it can only prove their presence.
Example goals of penetration studies are gaining read or write access to specific objects, files, or accounts; gaining specific privileges; and disruption or denial of the availability of objects.
What is the difference between penetration testing and hacking/intrusion?

Vulnerability Assessment:
◦ Typically is general in scope and includes a large assessment.
◦ Predictable. (I know when those darn Security guys scan us.)
◦ Unreliable at times and high rate of false positives. (I’ve got a banner)
◦ Vulnerability assessment invites debate among System Admins.
◦ Produces a report with mitigation guidelines and action items.
Penetration Testing:
◦ Focused in scope and may include targeted attempts to exploit specific vectors (both IT and physical)
◦ Unpredictable by the recipient. (Don’t know the “how?” and “when?”)
◦ Highly accurate and reliable. (I’ve got root!)
◦ Penetration Testing = Proof of Concept against vulnerabilities.
◦ Produces a binary result: either the team owned you, or they didn't.








Pen Testers have prior approval from Senior Management.
Hackers have prior approval from themselves.
Pen Testers’ social engineering attacks are there to raise awareness.
Hackers’ social engineering attacks are there to trick the DMV into divulging sensitive information about the whereabouts of their estranged ex-spouse.
Pen Testers’ war driving = geeks driving cars with really long antennas, license plate reading “r00t3d”, while dyeing their hair green, looking to discover the hidden, unapproved networks your users thought it would be OK to install for you.
Hackers’ wireless war driving doesn’t happen so often because 14 year olds typically don’t have their license yet.
Pen-testers have pink mohawks and wear trenchcoats in July.
Hackers have pink mohawks and wear trenchcoats.... that they bought with your bank account info.
Hacking Methodology (Steps), with the tools typically used at each step:
Footprinting: whois, nslookup
Scanning: Nmap, fping
Enumeration: dumpACL, showmount, legion, rpcinfo, Nessus
Gaining Access: Tcpdump, L0phtCrack, NAT, Metasploit
Escalating Privilege: John the Ripper, getadmin
Pilfering: rhosts, userdata, config files, registry
Covering Tracks: zap, rootkits
Creating Back Doors: cron, at, startup folder, netcat, keystroke logger, remote desktop
Denial of Service: Synk4, ping of death, tfn/stacheldraht







Information gathering. Sam Spade is a Windows-based network query tool.
Find out the target IP address/phone number range.
◦ Why check phone numbers?
Namespace acquisition. Network topology (VisualRoute).
It is essential to a “surgical” attack.
The key here is not to miss any details.
Note that for the penetration tester, this step is what keeps you from testing someone other than your client, and makes sure all systems to be tested are included (sometimes the organization will not tell you what their systems consist of).
Defense: deploy NIDS (snort), RotoRouter





Bulk target assessment.
Which machines are up and what ports (services) are open.
Focus on the most promising avenues of entry.
To avoid being detected, these tools can reduce the frequency of packet sending and randomize the order of the ports or IP addresses to be scanned.
Note that some machines do not respond to ping but do respond to requests to ports that are actually open. Ardor is an example.


Identify valid user accounts or poorly protected resource shares.
More intrusive probing than the scanning step.

Based on the information gathered so far, make an informed attempt to access the target.

If only user-level access was obtained in the last step, seek to gain complete control of the system.


Webster's Revised Unabridged Dictionary (1913)
◦ Pilfer \Pil"fer\, v. i. [imp. & p. p. Pilfered; p. pr. & vb. n. Pilfering.] [OF. pelfrer. See Pelf.] To steal in small quantities, or articles of small value; to practice petty theft.
Gather information to identify mechanisms that allow access to trusted systems.

Once total ownership of the target is secured, hiding this fact from system administrators becomes paramount, before they react.

Trap doors will be laid in various parts of the system to ensure that privileged access is easily regained whenever the intruder decides.

If the attacker is unsuccessful in gaining access, they may use readily available exploit code to disable a target as a last resort.
Hacking Methodology:
Footprinting
Scanning
Enumeration
Gaining Access
Escalating Privilege
Pilfering
Covering Tracks
Creating Back Doors
Denial of Service

Penetration Testing Methodology:
Footprinting
Scanning
Enumeration
Gaining Access
Escalating Privilege
Pilfering


The good guys usually get some small piece of
proof and exit as quietly as they came
You have authority to do it



First, can you do what you want to do where you
want to do it?
◦ Is a war-dial legal against your own systems
when going through a central office?
Make sure you are protected with a “Letter of
Authority”.
◦ Protect yourself with a “Get out of jail” type letter
Encrypt your data. You don’t want to be
liable if your data is compromised

Watch, and throttle if necessary, your generated
network traffic…Think stealth and covert.

Think through your actions before doing them.

Run these tools at your own risk. You are
responsible for what you do.
◦ Test them on a stand-alone network with a
network sniffer and review the source code
◦ Obtain tools from the source
◦ Verify checksums from multiple sources when
applicable




Be as aggressive as you can and work to be
creative. Now is when you can use the “thinking
out of the box” classes that we’ve taken.
Don’t get tunnel vision
Are you going to do physical penetrations?
◦ Actually trying to break in, vs.
◦ Wandering where you shouldn’t
What about “social engineering”?

Application Service Providers (how can you
use them?)

Externally hosted resources

Non-company equipment

All need to be addressed with each customer and agreed upon.

Identify activities, persons, processes, and events that could affect the penetration test:
◦ Network quiet time
◦ Major upgrades
◦ Layoffs
◦ Strikes
◦ Administrator’s day off
◦ Late at night when the NID monitoring staff is sleeping
Your advantage?


Before proceeding, decide what perspective your
team will take during the exercise.
What will the initial level of access and the amount
of information be?
◦ Outsider with no previous knowledge
◦ Outsider with insider knowledge (with an inside
partner or former insider)
◦ Low level insider (end-user)
◦ High level insider (system or network
administrator)





A signed letter from the “appropriate person”. This
could be an officer, the CIO, owner, etc.
Includes:
◦ Who will perform the test
◦ When the test will be performed
◦ Why the test is being performed
◦ What types of activities will take place.
◦ Includes targeted systems or locations
◦ Customer contacts for verification
◦ May include reasons to prematurely conclude the
test
Request cooperation to minimize notification of
your activities
Is legal review of the letter important?
May address liability issues

Why would you end your test before the allotted
time-frame?
◦ Busted! The customer has detected your
activities and sounded the alarm
◦ You’ve caused a negative impact such as a
network or system outage
◦ You are not the person to successfully gain
access
◦ You uncover such a significant vulnerability that
you need to alert the system or network
administrators
◦ You were slightly off on your IP addresses
◦ You’ve achieved your goal

Remember, in general, success from your
perspective does not equal success from your
customer’s perspective.
◦ Somebody generally goes home
unhappy.
◦ Watch morale issues on your team.


Depending on your target, can you obtain a “clone” of the target?
It is often a lot easier to experiment, play, and sometimes destroy a controlled system.
◦ For example, based on your fingerprinting results, you’ll have a pretty good idea of the current configuration.
  ◦ Configure another machine as a clone
  ◦ Borrow or buy a clone system



You must have a log-book of every activity that everybody does.
◦ Electronic or manual, just include the basics of who, what, when, and how.
The Linux “script <filename>” command is a great tool to save your logs for each terminal session. Control-D exits, and I use a convenient (but long) filename such as exchpt.gm.2003mar04.
Plan your efforts and communicate continuously with team members.
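A small POSIX shell helper, added here as an example (it is not part of the original slides), that applies the log-book advice above: it builds session-log names in the exchpt.gm.2003mar04 style, appends who/what/when/how records to a shared logbook, and wraps `script` so each recorded session is hashed when Control-D ends it. The engagement tag, tester initials and logbook path are assumed inputs; `script` and `sha256sum` are assumed to be present.

```shell
#!/bin/sh
# Added example, not from the original slides: a log-book helper around the
# "script <filename>" session-recording advice. Assumes POSIX sh, util-linux
# "script" and GNU coreutils "sha256sum" (the last two only in start_session).

# Build a session-log name in the slide's style: <engagement>.<initials>.<yyyymonDD>,
# e.g. exchpt.gm.2003mar04. The date is passed in (YYYY-MM-DD) so it is reproducible.
session_name() {
  eng=$1; who=$2; d=$3
  y=${d%%-*}; rest=${d#*-}; m=${rest%%-*}; day=${rest#*-}
  case $m in
    01) mon=jan ;; 02) mon=feb ;; 03) mon=mar ;; 04) mon=apr ;;
    05) mon=may ;; 06) mon=jun ;; 07) mon=jul ;; 08) mon=aug ;;
    09) mon=sep ;; 10) mon=oct ;; 11) mon=nov ;; 12) mon=dec ;;
    *) return 1 ;;   # reject a malformed date rather than produce a bad name
  esac
  printf '%s.%s.%s%s%s\n' "$eng" "$who" "$y" "$mon" "$day"
}

# Append one who/what/when/how record to the team logbook (tab-separated);
# "when" is taken from the clock in UTC so entries from several testers sort.
log_entry() {
  book=$1; who=$2; what=$3; how=$4
  printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$who" "$what" "$how" >> "$book"
}

# Record a terminal session with script(1); Control-D ends it. The finished log is
# hashed into the logbook so it can be shown unchanged when the report is written.
start_session() {
  eng=$1; who=$2; book=$3
  name=$(session_name "$eng" "$who" "$(date +%Y-%m-%d)") || return 1
  log_entry "$book" "$who" "session start" "script $name"
  script "$name"
  sha256sum "$name" >> "$book"
  log_entry "$book" "$who" "session end" "sha256 of $name recorded above"
}
```

Typical use is `start_session exchpt gm /path/to/team.logbook` at the start of each terminal session; the session log and the logbook together give the who/what/when/how trail the slide asks for.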



Everything that goes wrong on the target
host, network, or on the Internet from two
weeks before you plug in to two weeks after
you submit the report will be your fault.
Document everything!
Can you script operations to increase
efficiency and reduce errors?