Penetration testing: A proactive approach to secure computing - Eric Vanderburg - Kent State University
Penetration Testing
October 20, 2005
Eric Vanderburg
A proactive approach to secure computing
About Me
Professor of Computer Networking
Computer Consultant
MCSE, MCSA, CCNA, CIW-A, Security+, Network+, iNet+, A+, & Project Management (2000)
Topics
Hacks
Fixes
Technologies
Certification
Hackers
Hacker defined
Types
• Malicious Hacker/Cracker
• Script Kiddie
• Spy
• Cyberterrorist
• Hacktivist
• Ethical/White Hat Hacker
Hacking
Malicious code
Denial of Service (DoS)
Password cracking
Sniffing & Network Monitoring
Spoofing
Session Hijacking
Fingerprinting
Social Engineering
Malicious Code
Viruses
Worms
Trojans
• Mail, IM, Web sites, P2P
• Exe binders (Ex: Inspect)
Spyware
Fighting Malicious Code
Computer Hygiene
• Antivirus
• AntiSpyware
• Patching (MBSA)
Trojans must start with the computer
• Startup files
• [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders] "Common Startup"=
• Win.ini, System.ini
Denial of Service
Mailbombing
SYN attack
Ping of Death
Distributed Denial of Service (DDoS)
Password Cracking
Attacks
• Dictionary
• Brute force
• Keyloggers (program/trojan)
  MS: go to Littlesister.de, or search for klgr.tgz for Unix
• HTML snooping
Defense
• Strong passwords
• Change passwords regularly
• Use challenge/response
• Encrypt password stores and communication medium
• Do not hard code usernames and passwords in HTML
• Store password backups in a safe, separate location
Password Programs
Zips: Advanced Zip Password Recovery
IM: Advanced IM Password Recovery
Windows Login: L0phtcrack
Email: Advanced Mailbox…
MS Office: Office Key
Web: WebBrute
Passwords
Secure: 8 character minimum combination, 2 numbers interspersed among the characters (ex: ca3nar8y or redc74at)
Insecure passwords
• Dictionary words (foreign language too)
• Names
• Words spelled backwards
• Personal information (license number)
• Keyboard sequences
L0phtCrack program used on NT password hashes
Port Scanners
Port scanning involves searching a range of IP addresses for open ports that could potentially be exploited.
TCP and UDP have ports from 0-65535
Queries each port to see if it is active.
Shows a listing of all active nodes from 131.123.11.1 to 131.123.11.254
Corrections
Close unnecessary ports
Run programs like NukeNabber
IDS can respond quickly
Netstat -a
Sniffers
Captures all data packets that travel on a network.
Designed for use in network diagnostics
Hard to trace because it is passive
Can be used to find passwords or other sensitive information
Collected packets from the sniffer. Notice the text at the bottom. Someone is getting directions.
Fighting Sniffers
Use switched networks
Monitor computers with NICs in promiscuous mode
Software restriction policies
Spoofing
Fake an email or IP address
Header is changed
Used in many attacks & by spammers
Spoofing
Telnet mailserver.com 25
220 mailserver.com ESMTP Sendmail 8.12.11/8.12.11; Thu, 20 Oct, 2005 00:18:26 -0700
Help
214-2.0.0 This is sendmail version 8.12.11
214-2.0.0 Topics:
214-2.0.0 HELO EHLO…..
Helo microsoft.com
250 mailserver.com Hello iceberg.dc3.adelphia.net [68.49.110.42] pleased to meet you
Mail from: [email protected]
250 2.1.0 [email protected]… Sender ok
Rcpt to: [email protected]
250 2.1.0 [email protected] … Recipient ok
Data
354 Enter mail, end with "." on a line by itself
SUBJECT: Urgent Press Release
Hi, My name is Bill Gates and……
250 2.0.0 i9823749837j2384 Message accepted for delivery
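An added check for the kind of forged session shown above (example code written for this page, not from the talk): it parses a captured SMTP exchange and reports where the client's HELO and MAIL FROM claims disagree with the host the server actually saw connect. The hostnames and addresses in the embedded session are constructed to mirror the slide's exchange.

```python
import re

# Added example, not from the slides: pull the sender claims out of a captured SMTP
# session and flag the mismatches that mark a forged message like the one on the slide.
# The session text is constructed: HELO and MAIL FROM claim one domain while the server
# resolved the connecting client to an unrelated host.
SESSION = """\
220 mailserver.example ESMTP Sendmail 8.12.11/8.12.11; Thu, 20 Oct 2005 00:18:26 -0700
HELO bigcorp.example
250 mailserver.example Hello host42.dsl.isp-net.example [198.51.100.42] pleased to meet you
MAIL FROM: <ceo@bigcorp.example>
250 2.1.0 <ceo@bigcorp.example>... Sender ok
RCPT TO: <victim@mailserver.example>
250 2.1.0 <victim@mailserver.example>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
"""

HELO_RE = re.compile(r"^(?:HELO|EHLO)\s+(\S+)", re.I)
HELLO_RE = re.compile(r"^250 \S+ Hello (\S+) \[([\d.]+)\]")
FROM_RE = re.compile(r"^MAIL FROM:\s*<?([^>\s]+)>?", re.I)

def parse_session(text):
    """Return the HELO name, the host the server resolved the client to, and MAIL FROM."""
    info = {}
    for line in text.splitlines():
        if m := HELO_RE.match(line):
            info["helo"] = m.group(1)
        elif m := HELLO_RE.match(line):
            info["client_rdns"], info["client_ip"] = m.group(1), m.group(2)
        elif m := FROM_RE.match(line):
            info["mail_from"] = m.group(1)
    return info

def registered_domain(name):
    """Crude last-two-labels comparison; a production check would use the public suffix list."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def spoof_indicators(info):
    """One entry per mismatch between what the client claimed and where it connected from."""
    flags = []
    actual = registered_domain(info["client_rdns"])
    if registered_domain(info["helo"]) != actual:
        flags.append("HELO %s does not match connecting host %s" % (info["helo"], info["client_rdns"]))
    sender_domain = info["mail_from"].rsplit("@", 1)[-1]
    if registered_domain(sender_domain) != actual:
        flags.append("MAIL FROM domain %s does not match connecting host %s" % (sender_domain, info["client_rdns"]))
    return flags
```

Mismatches like these are heuristics rather than proof, since forwarding hosts and third-party relays trip them too; that gap is what SPF and DKIM later addressed by letting a domain publish who may send for it.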
Spoofing
Proxies can make it harder to trace
telnet wingate.com 23
telnet mailserver.com 25
Plaintext is Free Game
Email is Plaintext
PGP
• PGP Freeware
• PGPMail
• Must be used end to end
IM
Client-Server or Direct Connection?
Used for information gathering & distribution of malicious code
Attack tools: MSN Sniffer, AIM Sniffer, ICQ Sniffer, Advanced IM Password Recovery
IM
Don't accept from unknowns
Avoid direct connections
Use proxy or NAT
Hard to block
• Changes ports
• Uses common ports
• Use protocol analyzing firewalls or software restriction policies
Access Lists
Traffic can be blocked at the router
Access-list 101 deny tcp 200.10.20.0 0.0.0.255 any eq 25
Interface serial 0
• Ip access-group 101 in
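The wildcard-mask logic behind that access list, as an added Python model (not anything from the talk): it evaluates packets against access-list 101 the way IOS does, top-down with the first match winning. The addresses used in the checks are constructed.

```python
import ipaddress

# Added model of the slide's "access-list 101 deny tcp 200.10.20.0 0.0.0.255 any eq 25".
# A Cisco wildcard mask is an inverted netmask: a 0 bit must match, a 1 bit is "don't care",
# so 0.0.0.255 covers 200.10.20.0 through 200.10.20.255 and 255.255.255.255 means "any".

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a Cisco wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)

# Entries: (action, proto, src_base, src_wildcard, dst_base, dst_wildcard, dst_port or None).
# The slide shows only the deny line; an IOS ACL ends with an implicit "deny any", so the
# explicit permit below is added here to make the effect on other traffic visible.
ACL_101 = [
    ("deny",   "tcp", "200.10.20.0", "0.0.0.255",       "0.0.0.0", "255.255.255.255", 25),
    ("permit", "ip",  "0.0.0.0",     "255.255.255.255", "0.0.0.0", "255.255.255.255", None),
]

def acl_decision(acl, proto: str, src: str, dst: str, dst_port: int) -> str:
    """Evaluate one packet top-down; first matching entry wins, implicit deny otherwise."""
    for action, p, sb, sw, db, dw, port in acl:
        if p != "ip" and p != proto:          # "ip" entries match every protocol
            continue
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"
```

Without that trailing permit, applying the slide's single line inbound on serial 0 would drop every packet, not just SMTP from 200.10.20.0/24.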
Fingerprinting
Used to determine the client's OS
Works because of standardization
Methods
• Echo Request (Ping) packets.
• Timestamp Request packets.
• Information Request packets.
• Subnet Mask Request packets.
Used to target attacks and find exploits
Easy method for web servers:
• telnet url.com 80
• Get h HTTP/1.1
• HTTP/1.1 400 Bad Request
• Server Netscape-Enterprise/3.5.1
Connecting to Network Devices
SOHO Router
• Download PDF from mfg site
• WEP Hacks
Enterprise Router: Cisco
• telnet 77.10.19.87
• RouterA>show running-config
• RouterA>enable
• Password: *******
• RouterA#
• Show cdp neighbors
• Show ip route
Logging on
Copy to or from config
Fingerprinting an HP JetDirect Printer
Not very exciting but we found an HP Jet Direct connection and connected to it through Telnet.
Buffer Overrun Attacks
Executing code in neighboring memory
Crashes programs (DoS)
Protect against this by:
• Applying patches
• Developing software with security in mind
Test all input (GIGO)
Verify dependencies for security measures
Buffer Overrun Examples
Apache
• http://www.url.com/cgi-bin/phf?Qalias=x&0a/bin/cat&20/etc/passwd
• Gain access to password file
MailMachine - Sign up for mailing lists
• http://www.url.com/cgi-bin/[email protected]
SQL
• Analyze HTML first to understand program
SELECT PEOPLE from database
WHERE Username='<input username>'
AND Password='<input password>'
IF <above statement is true> Then authorized
ELSE not authorized
Username: abcd OR 1=1
Password: blank
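The login check the slide's pseudo-SQL describes, as an added Python example (not code from the talk), with the string-concatenated form beside a parameterized one. The in-memory table, the account and the tautology input are constructed for the demonstration.

```python
import sqlite3

# Added example, not from the slides: a login check built the way the slide's pseudo-SQL
# describes, pasting user input into the statement, beside the parameterized form.
# The database and its single account are constructed in memory.

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE people (username TEXT, password TEXT)")
    db.execute("INSERT INTO people VALUES ('alice', 's3cret')")
    return db

def login_vulnerable(db, username, password):
    """String-concatenated query: quotes in the input rewrite the WHERE clause."""
    sql = ("SELECT username FROM people WHERE Username='" + username +
           "' AND Password='" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, username, password):
    """Bound parameters: input is always data, never SQL, so the clause cannot change."""
    sql = "SELECT username FROM people WHERE Username=? AND Password=?"
    return db.execute(sql, (username, password)).fetchone() is not None

# Constructed tautology input in the spirit of the slide's "abcd OR 1=1"; the closing
# quote and the comment marker are what let it escape the string literal.
BYPASS_USER = "abcd' OR '1'='1' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass input:", login_vulnerable(db, BYPASS_USER, ""))         # True
    print("parameterized, bypass input:", login_parameterized(db, BYPASS_USER, ""))  # False
    print("parameterized, real creds:", login_parameterized(db, "alice", "s3cret"))  # True
```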
Getting Data Out
Social Engineering
Email - Hide data
• Steganography - hide data in other files
  Pictures: S-Tools
  Music: MP3Stego
  HTML/PDF: wbStego
  .exe or .dll files: S-Mail
• Protection: block content, hash suspicious content
Social Engineering
A simple phone call
Hoaxes
Fake web sites
Network access methods
Least security exists inside the network
Existing wiring and tapping
Wireless Ethernet is an easy target
Free bandwidth is in the air
Businesses and home users frequently have insecure wireless devices set up.
Exploiting these devices is easy.
Warchalking marks targets
Insecure Wireless
WEP (Wired Equivalency Protocol)
Stops the average user
Will not keep out those who really want in
Default names usually mean default settings. (ex: linksys and admin)
• SSID broadcasts can be disabled
Wireless hotspots for the Cleveland area. Courtesy of http://www.worldwidewardrive.org/wwwd1/north_america.html
Security Technologies
Encryption
VPN's
SSL\TLS
Certificates
Caution: Plain text
• email (POP3, SMTP)
• FTP
Firewalls
Certification
CEH (Certified Ethical Hacker)
CISSP (Certified Information Systems Security Professional)
Security+
NSA INFOSEC
Vendor certifications
• CCSP
• MCSE:Security
Technology specific certifications
• CWSP
You can contact me at: [email protected]
[email protected]
with any comments or questions.
Also check out the following sites:
CIO.com
csrc.nist.gov
www.sans.org/top20
www.cert.org/advisories