Penetration testing: A proactive approach to secure computing - Eric Vanderburg - Kent State University

Penetration Testing, October 20, 2005, Eric Vanderburg: A proactive approach to secure computing

Upload: eric-vanderburg

Post on 18-Nov-2014


DESCRIPTION

Penetration testing: A proactive approach to secure computing - Eric Vanderburg - Kent State University

TRANSCRIPT

Page 1: Penetration testing: A proactive approach to secure computing - Eric Vanderburg - Kent State University

Penetration Testing

October 20, 2005

Eric Vanderburg

A proactive approach to secure computing

Page 2

About Me

Professor of Computer Networking
Computer Consultant
MCSE, MCSA, CCNA, CIW-A, Security+, Network+, iNet+, A+, & Project Management (2000)

Page 3

Topics

Hacks
Fixes
Technologies
Certification

Page 4

Hackers

Hacker defined
Types
• Malicious Hacker/Cracker
• Script Kiddie
• Spy
• Cyberterrorist
• Hacktivist
• Ethical/White Hat Hacker

Page 5

Hacking

Malicious code
Denial of Service (DoS)
Password cracking
Sniffing & Network Monitoring
Spoofing
Session Hijacking
Fingerprinting
Social Engineering

Page 6

Malicious Code

Viruses
Worms
Trojans
• Mail, IM, Web sites, P2P
• Exe binders (Ex: Inspect)
Spyware

Page 7

Fighting Malicious Code

Computer Hygiene
• Antivirus
• AntiSpyware
• Patching (MBSA)

Trojans must start with the computer
• Startup files
• [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders] "Common Startup"=
• Win.ini, System.ini

Page 8

Denial of Service

Mailbombing
SYN attack
Ping of Death
Distributed Denial of Service (DDoS)

Page 9

Password Cracking

Attacks
• Dictionary
• Brute force
• Keyloggers (program/trojan): MS go to Littlesister.de or search for klgr.tgz for Unix
• HTML snooping

Defense
• Strong passwords
• Change passwords regularly
• Use challenge/response
• Encrypt password stores and communication medium
• Do not hard code usernames and passwords in HTML
• Store password backups in a safe, separate location

Page 10

Password Programs

Zips: Advanced Zip Password Recovery
IM: Advanced IM Password Recovery
Windows Login: L0phtcrack
Email: Advanced Mailbox…
MS Office: Office Key
Web: WebBrute

Page 11

Passwords

Secure: 8 character min combination, 2 numbers interspersed among the characters (ex: ca3nar8y or redc74at)

Insecure passwords
• Dictionary words (foreign language too)
• Names
• Words spelled backwards
• Personal information (license number)
• Keyboard sequences
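The rules on this slide can be turned into a checker. The following is an added example, not code from the presentation: it encodes the "secure" criteria (8 characters minimum, at least two digits, digits placed among the letters rather than tacked on the ends) and the "insecure" list (dictionary words and names, words spelled backwards, personal information, keyboard sequences). The wordlist and keyboard sequences are small constructed stand-ins; a real deployment would load a full dictionary, including foreign-language words as the slide advises.

```python
# Constructed stand-in for a dictionary / name list (assumption: a real check
# loads a full wordlist file, including foreign-language words).
WORDLIST = {"canary", "redcat", "password", "welcome", "secret", "eric", "cleveland"}

# Common keyboard walks; constructed and deliberately short.
KEYBOARD_SEQUENCES = ("qwerty", "asdfgh", "zxcvbn", "12345", "qazwsx", "abcdef")

DIGITS = "0123456789"


def password_problems(pw, personal_info=()):
    """Return the list of reasons `pw` fails the slide's rules (empty list = passes).

    personal_info: strings such as a name or license number that must not
    appear inside the password.
    """
    problems = []
    low = pw.lower()

    if len(pw) < 8:
        problems.append("shorter than 8 characters")

    digit_count = sum(c.isdigit() for c in pw)
    if digit_count < 2:
        problems.append("fewer than 2 digits")
    else:
        # "Interspersed" means at least one digit survives once leading and
        # trailing digits are stripped, e.g. ca3nar8y passes, canary12 does not.
        core = pw.strip(DIGITS)
        if not any(c.isdigit() for c in core):
            problems.append("digits only at the ends, not interspersed")

    if low in WORDLIST:
        problems.append("dictionary word or name")
    if low[::-1] in WORDLIST:
        problems.append("dictionary word spelled backwards")

    for seq in KEYBOARD_SEQUENCES:
        if seq in low:
            problems.append("contains keyboard sequence %r" % seq)
            break

    for item in personal_info:
        if item and item.lower() in low:
            problems.append("contains personal information %r" % item)

    return problems


def is_secure(pw, personal_info=()):
    """True when the password passes every rule on the slide."""
    return not password_problems(pw, personal_info)


if __name__ == "__main__":
    for candidate in ("ca3nar8y", "redc74at", "canary12", "drowssap", "Qwerty99x"):
        print(candidate, password_problems(candidate) or "ok")
```

Both of the slide's example passwords pass, while "canary12" fails only because its digits sit at the end, which is the distinction the slide is drawing with "interspersed".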

Page 12

L0phtCrack program used on NT password hashes

Page 13

Port Scanners

Port scanning involves searching a range of IP addresses for open ports that could potentially be exploited.

TCP and UDP have ports from 0-65535

Queries each port to see if it is active.

Page 14

Shows a listing of all active nodes from 131.123.11.1 to 131.123.11.254

Page 15

Corrections

Close unnecessary ports
Run programs like NukeNabber
IDS can respond quickly
Netstat -a

Page 16

Sniffers

Captures all data packets that travel on a network.

Designed for use in network diagnostics

Hard to trace because it is passive
Can be used to find passwords or other sensitive information

Page 17

Collected packets from the sniffer. Notice the text at the bottom. Someone is getting directions.

Page 18

Fighting Sniffers

Use switched networks
Monitor computers with NICs in promiscuous mode
Software restriction policies

Page 19

Spoofing

Fake an email or IP address
Header is changed
Used in many attacks & by spammers

Page 20

Spoofing

Telnet mailserver.com 25
220 mailserver.com ESMTP Sendmail 8.12.11/8.12.11; Thu, 20 Oct, 2005 00:18:26 -0700
Help
214-2.0.0 This is sendmail version 8.12.11
214-2.0.0 Topics:
214-2.0.0 HELO EHLO…..
Helo microsoft.com
250 mailserver.com Hello iceberg.dc3.adelphia.net [68.49.110.42] pleased to meet you
Mail from: [email protected]
250 2.1.0 [email protected]… Sender ok
Rcpt to: [email protected]
250 2.1.0 [email protected] … Recipient ok
Data
354 Enter mail, end with “.” on a line by itself
SUBJECT: Urgent Press Release
Hi, My name is Bill Gates and……
250 2.0.0 i9823749837j2384 Message accepted for delivery

Page 21

Spoofing

Proxies can make it harder to trace

telnet wingate.com 23
telnet mailserver.com 25

Page 22

Plaintext is Free Game

Email is Plaintext
PGP
• PGP Freeware
• PGPMail
• Must be used end to end

Page 23

IM

Client-Server or Direct Connection?
Used for information gathering & distribution of malicious code
Attack tools: MSN Sniffer, AIM Sniffer, ICQ Sniffer, Advanced IM Password Recovery

Page 24

IM

Don’t accept from unknowns
Avoid direct connections
Use proxy or NAT
Hard to block
• Changes ports
• Uses common ports
• Use protocol analyzing firewalls or software restriction policies

Page 25

Access Lists

Traffic can be blocked at the router
Access-list 101 deny tcp 200.10.20.0 0.0.0.255 any eq 25
Interface serial 0
• Ip access-group 101 in
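To make the wildcard-mask matching behind that access list concrete, here is an added example (not from the presentation and not Cisco code) that parses the slide's entry in the `access-list <number> <permit|deny> <protocol> <source> [eq port] <destination> [eq port]` form and evaluates packets against it. It goes beyond the slide in one respect worth knowing about: every Cisco ACL ends with an implicit deny, so an ACL containing only the slide's deny line blocks all traffic on the interface; the example therefore also parses a `permit ip any any` line, which is an addition assumed for the example, and shows the difference.

```python
import ipaddress

# The slide's entry, plus a closing permit that is an assumption of this example.
PAGE_ACL = ["Access-list 101 deny tcp 200.10.20.0 0.0.0.255 any eq 25"]
FULL_ACL = PAGE_ACL + ["access-list 101 permit ip any any"]

ALL_ONES = 0xFFFFFFFF


def ip_to_int(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' into (network, wildcard)."""
    word = tok[i].lower()
    if word == "any":
        return (0, ALL_ONES), i + 1
    if word == "host":
        return (ip_to_int(tok[i + 1]), 0), i + 2
    return (ip_to_int(tok[i]), ip_to_int(tok[i + 1])), i + 2


def _parse_port(tok, i):
    """Parse an optional 'eq <port>' qualifier."""
    if i < len(tok) and tok[i].lower() == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_acl(lines):
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0].lower() != "access-list":
            continue
        entry = {"number": tok[1], "action": tok[2].lower(), "proto": tok[3].lower()}
        i = 4
        entry["src"], i = _parse_addr(tok, i)
        entry["sport"], i = _parse_port(tok, i)
        entry["dst"], i = _parse_addr(tok, i)
        entry["dport"], i = _parse_port(tok, i)
        entries.append(entry)
    return entries


def _addr_match(spec, ip):
    # Cisco wildcard semantics: a 1 bit in the wildcard means "don't care",
    # so only the bits where the wildcard is 0 must equal the network.
    net, wild = spec
    care = ~wild & ALL_ONES
    return ((ip_to_int(ip) ^ net) & care) == 0


def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """Return 'permit' or 'deny' for a packet, first match wins."""
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if not _addr_match(e["src"], src) or not _addr_match(e["dst"], dst):
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"]
    return "deny"   # implicit deny at the end of every Cisco ACL


if __name__ == "__main__":
    acl = parse_acl(FULL_ACL)
    print(evaluate(acl, "tcp", "200.10.20.7", "10.0.0.5", dport=25))   # deny
    print(evaluate(acl, "tcp", "200.10.21.7", "10.0.0.5", dport=25))   # permit
    print(evaluate(parse_acl(PAGE_ACL), "tcp", "200.10.21.7", "10.0.0.5", dport=25))  # deny
```

The last call is the cautionary one: with only the slide's line present, even SMTP from an unrelated network is dropped, which is why a deny-only ACL applied with `ip access-group 101 in` takes the whole interface offline until a permit line is added.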

Page 26

Fingerprinting

Used to determine the client’s OS
Works because of standardization
Methods
• Echo Request (Ping) packets.
• Timestamp Request packets.
• Information Request packets.
• Subnet Mask Request packets.

Used to target attacks and find exploits
Easy method for web servers:
• telnet url.com 80
• Get h HTTP/1.1
• HTTP/1.1 400 Bad Request
• Server Netscape-Enterprise/3.5.1
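The web-server method works because the `Server` header volunteers the product and version. A defender can run the same check against their own servers from their response logs or a captured response. The following is an added example, not from the presentation: it parses a raw HTTP response and reports which headers fingerprint the software and whether they include a version number. The sample response is constructed to mirror the slide's exchange; `X-Powered-By` and `X-ASP.NET-Version` are listed as further headers commonly seen to disclose software, an addition beyond the slide.

```python
import re

# Constructed response modelled on the slide's malformed "Get h HTTP/1.1" probe;
# not captured from any real server.
SAMPLE_RESPONSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: Netscape-Enterprise/3.5.1\r\n"
    "Date: Thu, 20 Oct 2005 00:18:26 GMT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Bad Request</body></html>"
)

# Headers that identify server-side software (assumption: list is illustrative).
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

VERSION_PATTERN = re.compile(r"\d+\.\d+")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def fingerprint_findings(raw):
    """Return (header, value, discloses_version) for each fingerprinting header present."""
    _, headers, _ = parse_response(raw)
    findings = []
    for name in FINGERPRINT_HEADERS:
        value = headers.get(name)
        if value:
            findings.append((name, value, bool(VERSION_PATTERN.search(value))))
    return findings


if __name__ == "__main__":
    for header, value, has_version in fingerprint_findings(SAMPLE_RESPONSE):
        flag = "VERSION DISCLOSED" if has_version else "product only"
        print("%s: %s  [%s]" % (header, value, flag))
```

A finding with `discloses_version` true is the one to fix first, since a version string lets an attacker pick exploits without further probing; most web servers allow the header to be shortened or removed in their configuration.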

Page 27

Connecting to Network Devices

SOHO Router
• Download PDF from mfg site
• WEP Hacks

Enterprise Router: Cisco
• telnet 77.10.19.87
• RouterA>show running-config
• RouterA>enable
• Password: *******
• RouterA#
• Show cdp neighbors
• Show ip route

Page 28

Logging on

Page 29

Copy to or from config

Page 30

Fingerprinting an HP JetDirect Printer

Page 31

Not very exciting, but we found an HP JetDirect connection and connected to it through Telnet.

Page 32

Buffer Overrun Attacks

Executing code in neighboring memory
Crashes programs (DoS)
Protect against this by:
• Applying patches
• Developing software with security in mind
Test all input (GIGO)
Verify dependencies for security measures

Page 33

Buffer Overrun Examples

Apache
• http://www.url.com/cgi-bin/phf?Qalias=x&0a/bin/cat&20/etc/passwd
• Gain access to password file

MailMachine - Sign up for mailing lists
• http://www.url.com/cgi-bin/[email protected]

SQL
• Analyze HTML first to understand program

SELECT PEOPLE from database
WHERE Username=‘<input username>’
AND Password=‘<input password>’
IF <above statement is true> Then authorized
ELSE not authorized

Username: abcd OR 1=1
Password: blank
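The SQL pseudocode on this slide is vulnerable because the user's input is pasted into the query text, so an `OR` inside the input becomes part of the WHERE clause. The following is an added example, not from the presentation: it builds the login check both ways against an in-memory SQLite table, the string-concatenated form the slide describes beside a parameterized form in which the database treats the input purely as data. The table and credentials are constructed; the injected input closes the opening quote so that the `OR` applies, which is the same idea as the slide's `abcd OR 1=1`.

```python
import sqlite3

INJECTED_INPUT = "abcd' OR '1'='1"   # constructed; closes the quote, then ORs a true test


def make_db():
    """Constructed user table; plaintext password mirrors the slide's pseudocode
    (the slide's own advice, 'encrypt password stores', applies to real systems)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (username TEXT, password TEXT)")
    conn.execute("INSERT INTO people VALUES ('alice', 'ca3nar8y')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The slide's query, with the inputs spliced into the SQL text."""
    query = ("SELECT * FROM people WHERE Username='" + username +
             "' AND Password='" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Same query, but the inputs travel as bound parameters, never as SQL."""
    query = "SELECT * FROM people WHERE Username=? AND Password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, real creds:   ", login_vulnerable(db, "alice", "ca3nar8y"))
    print("vulnerable, injected:     ", login_vulnerable(db, INJECTED_INPUT, INJECTED_INPUT))
    print("parameterized, real creds:", login_safe(db, "alice", "ca3nar8y"))
    print("parameterized, injected:  ", login_safe(db, INJECTED_INPUT, INJECTED_INPUT))
```

With the concatenated query the condition reduces to `... OR '1'='1'` and the login succeeds without a valid account; with bound parameters the database looks for a user literally named `abcd' OR '1'='1` and finds none. The fix is the query shape, not input filtering, which is why "analyze HTML first" tells an attacker a lot but does not have to tell them anything useful.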

Page 34

Getting Data Out

Social Engineering
Email - Hide data
• Steganography - hide data in other files
  Pictures: S-Tools
  Music: MP3Stego
  HTML/PDF: wbStego
  .exe or .dll files: S-Mail
• Protection: block content
  Hash suspicious content

Page 35

Social Engineering

A simple phone call
Hoaxes
Fake web sites

Page 36

Network access methods

Least security exists inside the network

Existing wiring and tapping
Wireless Ethernet is an easy target

Page 37

Free bandwidth is in the air

Businesses and home users frequently have insecure wireless devices set up.

Exploiting these devices is easy.
Warchalking marks targets

Page 38

Insecure Wireless

WEP (Wired Equivalency Protocol)
Stops the average user
Will not keep out those who really want in

Default names usually mean default settings. (ex: linksys and admin)
• SSID broadcasts can be disabled

Page 39

Wireless hotspots for the Cleveland area. Courtesy of http://www.worldwidewardrive.org/wwwd1/north_america.html

Page 40

Security Technologies

Encryption
VPN's
SSL\TLS
Certificates
Caution: Plain text
• email (POP3, SMTP)
• FTP

Firewalls

Page 41

Certification

CEH (Certified Ethical Hacker)
CISSP (Certified Information Systems Security Professional)
Security+
NSA INFOSEC
Vendor certifications
• CCSP
• MCSE:Security
Technology specific certifications
• CWSP

Page 42

You can contact me at:
[email protected]
[email protected]
with any comments or questions.

Also check out the following sites:
CIO.com
csrc.nist.gov
www.sans.org/top20
www.cert.org/advisories