TRANSCRIPT
Using Students to Pen Test Your Network (For Credit)
Robert Maxwell, Michael Hicks
No, seriously.
This presentation leaves copyright of the content to the presenter. Unless otherwise noted in the materials, uploaded content carries the Creative Commons Attribution-NonCommercial-ShareAlike license, which grants usage to the general public under the stipulated criteria.
Mike Hicks
• Director of the Maryland Cybersecurity Center
• Associate Professor of CS at UMCP
• Lots more: http://www.cs.umd.edu/~mwh/
Rob Maxwell
• Manager, Security Operations, UMCP
• Faculty of MC^2
How did the IT guys get involved in teaching?
• Long term cooperation with some researchers for access to data (my boss gets most of the credit here, but he’d like us to forget about that)
• This leads to our involvement with the Maryland Cybersecurity Center (MC^2)
• then one day...
Seriously, how did this happen?
• University signs a contract with a job site where students will post resumes, obliges departments to use it.
• CS professors are made aware of serious security holes in the site.
• To make it much worse, vendor is very unresponsive to their concerns.
The holes were reported by an applicant for the directorship of the center.
The Brainstorm
• Let’s have a class of students pen test the campus network to make it more secure.
Secure Maryland
• Undergraduate Penetration Testing class
• Students do work on our live network
• Really.
What could go wrong?
• Lots
A Digression
• The contemporaneous state of pen testing on campus:
• nil
• At this point, we were not providing this service on a regular basis. We have since improved our capabilities in this area.
Convincing Lawyers
• They eventually approved our plan:
• We argued that students wouldn’t be doing anything that anyone couldn’t do from Starbucks
• They deferred to our judgement
• They suggested we forego any sort of NDA
Given the state of our network defenses, this was largely true, at the time.
Goals of the class
• Teach qualified undergraduates the art of penetration testing.
• Teach the foundations of ethical hacking.
• Improve the security posture of the university.
Teaching Undergrads Art
• Penetration testing training, methodologies
• Using real world systems guarantees real world results
• Requires creativity and ingenuity - no assured “right answers”
Ethical Considerations
• Ethical implications of this work covered thoroughly
• Business contracts involved in this work discussed
• Engagement rules and scoping covered
• Honor Code invoked
Improving Our Security
• Large decentralized network (50,000+ nodes), 2x /16 networks and then some
• Students are finding problems and notifying the responsible parties to help them remedy vulnerabilities
• Things can get forgotten or abandoned on a network this big.
• Students could damage systems or down services
• Students could access or exfiltrate sensitive information or intelligence about our networks
Mitigation
• Students performed these tests from standard network access (no special connections - the Starbucks argument)
• Network traffic was recorded for later examination
Tried having dedicated network access points. Students didn’t want to use them in a lab setting. Dedicated VPN access for testing is an option that continues to be evaluated.
Also, traffic recorded as “insurance.”
Scope of Work
• Students were warned away from specific sensitive systems
• Engagement level is gradually increased through semester
• Finally, actual exploitation of systems must be approved by the instructor
Course Design
• Initial instruction in techniques and tools, ethics, and business processes
• As techniques are taught, students begin to use them to explore the network.
• As vulnerabilities are found, students notify system admins (and SOC) to remedy and must follow up to assist and report
Cooperative Course
• Wiki used to share course information
• Targeting information, interesting results
• Useful tools and techniques shared via wiki and in class
• Students provided information from security office to facilitate contacts
Tried using some scan-sharing software, but it broke under load
Students
Final Project - Departmental Engagement
• Final third of semester, student teams are put in touch with departments to create a professional pen testing engagement.
• Full documentation of every step from laying out scope of work right through final recommendations.
• All techniques were on the table for negotiation
Techniques including social engineering and physical testing (taser rule)
Technology
• BackTrack/Kali linux distro
• Google, Shodan
• Nmap, Nessus/OpenVAS, Metasploit
• Additional tools encouraged
Started with BackTrack; some have moved on to Kali.
Tried using centrally-hosted VMs, had poor luck with them.
Additional tools: DirBuster, ZAP,
Student Work Product
• Notifications to admins (which become SOC tickets at the end of the class)
• Paper describing in detail their work on the greater network
• The report resulting from the departmental engagement
Class paper
• Descriptions of activities, evolution of strategy, successes and failures
• Lessons learned
• Appendix containing all retained information (screen captures, pcaps, output files, etc.)
Results?
• Printers
• Webcams
• Web vulnerabilities
• Printers (hundreds)
• Abandoned stuff
Printers: document servers, no password, telnet/web interface. Configurable webcams.
SCADA
• HVAC control systems
• Lighting control systems
• Serial interfaces for card readers
Byrd Stadium Scoreboard
Chapel Carillon System
Results
• Still completing final tally for this semester.
• Quick count has us down from over 300 to just over 100 vulnerable printers.
• Bulk of what was found in the second iteration is new
• We can prioritize the repeat offenders
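The "prioritize the repeat offenders" idea above, as an added example that is not from the talk or the course: a small tracker that compares two semesters' notifications, splits them into repeat, new and remediated findings, and ranks the still-open ones by how many iterations they have appeared in. The record format ("semester,host,finding") and the sample hosts are constructed assumptions.

```python
# Added example, not from the talk. Assumes a constructed record format,
# "semester,host,finding", for the notifications students hand to admins.
from collections import Counter
from dataclasses import dataclass

# Constructed sample data: two semesters of notifications, hosts are made up.
SAMPLE_NOTIFICATIONS = """\
S1,printer-01.example.edu,telnet open with no password
S1,printer-02.example.edu,telnet open with no password
S1,webcam-07.example.edu,admin web interface with default credentials
S1,hvac-ctl.example.edu,HVAC controller HMI reachable from campus network
S2,printer-02.example.edu,telnet open with no password
S2,printer-09.example.edu,telnet open with no password
S2,hvac-ctl.example.edu,HVAC controller HMI reachable from campus network
S2,scoreboard.example.edu,unauthenticated control interface
"""

@dataclass(frozen=True, order=True)
class Finding:
    host: str
    issue: str

def parse_findings(text):
    """Group findings by semester, keeping the order semesters first appear."""
    by_semester = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        semester, host, issue = (part.strip() for part in line.split(",", 2))
        by_semester.setdefault(semester, set()).add(Finding(host, issue))
    return by_semester

def compare_iterations(previous, current):
    """Split the current iteration into repeat, new and remediated findings."""
    return {
        "repeat": sorted(previous & current),
        "new": sorted(current - previous),
        "remediated": sorted(previous - current),
    }

def prioritize(by_semester):
    """Rank still-open findings by the number of iterations they appeared in,
    so repeat offenders come first on the follow-up list."""
    seen = Counter(f for findings in by_semester.values() for f in findings)
    latest = by_semester[list(by_semester)[-1]]  # dicts keep insertion order
    return sorted(latest, key=lambda f: (-seen[f], f))
```

Feeding it the constructed sample reports two repeat, two new and two remediated findings, with the two repeat offenders ranked first.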
Robert Maxwell [email protected]