Transcript
Page 1: Using Students to Pen Test Your Network Students to Pen Test Your Network ... •The contemporaneous state of pen testing ... •BackTrack/Kali linux distro

Using Students to Pen Test Your Network

(For Credit)

Robert Maxwell

Michael Hicks

No, seriously.

This presentation leaves copyright of the content to the presenter. Unless otherwise noted in the materials, uploaded content carries the Creative Commons Attribution-NonCommercial-ShareAlike license, which grants usage to the general public with the stipulated criteria.

Mike Hicks

• Director of the Maryland Cybersecurity Center

• Associate Professor of CS at UMCP

• Lots more: http://www.cs.umd.edu/~mwh/

Rob Maxwell

Manager, Security Operations, UMCP

Faculty of MC^2.

How did the IT guys get involved in teaching?

• Long term cooperation with some researchers for access to data (my boss gets most of the credit here, but he’d like us to forget about that)

• This leads to our involvement with the Maryland Cybersecurity Center (MC^2)

• then one day...

Seriously, how did this happen?

• University signs a contract with a job site where students will post resumes, obliges departments to use it.

• CS professors are made aware of serious security holes in the site.

• To make it much worse, vendor is very unresponsive to their concerns.

by an applicant for the directorship of the center

The Brainstorm

• Let’s have a class of students pen test the campus network to make it more secure.

Secure Maryland

• Undergraduate Penetration Testing class

• Students do work on our live network

• Really.

What could go wrong?

• Lots

A Digression

• The contemporaneous state of pen testing on campus:

• nil

• At this point, we were not providing this service on a regular basis. We have since improved our capabilities in this area.

Convincing Lawyers

• They eventually approved our plan:

• We argued that students wouldn’t be doing anything that anyone couldn’t do from Starbucks

• They deferred to our judgement

• They suggested we forgo any sort of NDA

Given the state of our network defenses, this was largely true, at the time.

Goals of the class

• Teach qualified undergraduates the art of penetration testing.

• Teach the foundations of ethical hacking.

• Improve the security posture of the university.

Teaching Undergrads Art

• Penetration testing training, methodologies

• Using real world systems guarantees real world results

• Requires creativity and ingenuity - no assured “right answers”

Ethical Considerations

• Ethical implications of this work covered thoroughly

• Business contracts involved in this work discussed

• Engagement rules and scoping covered

• Honor Code invoked

Improving Our Security

• Large decentralized network (50,000+ nodes), 2x /16 networks and then some

• Students are finding problems and notifying the responsible parties to help them remedy vulnerabilities

• Things can get forgotten or abandoned on a network this big.

• Students could damage systems or down services

• Students could access or exfiltrate sensitive information or intelligence about our networks

Mitigation

• Students performed these tests from standard network access (no special connections - the Starbucks argument)

• Network traffic was recorded for later examination

Tried having dedicated network access points. Students didn’t want to use them in a lab setting. Dedicated VPN access for testing is an option that continues to be evaluated.

Also, traffic recorded as “insurance.”

Scope of Work

• Students were warned away from specific sensitive systems

• Engagement level is gradually increased through semester

• Finally, actual exploitation of systems must be approved by the instructor

Course Design

• Initial instruction in techniques and tools, ethics, and business processes

• As techniques are taught, students begin to use them to explore the network.

• As vulnerabilities are found, students notify system admins (and SOC) to remedy and must follow up to assist and report

Cooperative Course

• Wiki used to share course information

• Targeting information, interesting results

• Useful tools and techniques shared via wiki and in class

• Students provided information from security office to facilitate contacts

Tried using some scan-sharing software, but it broke under load

Students

Final Project - Departmental Engagement

• Final third of semester, student teams are put in touch with departments to create a professional pen testing engagement.

• Full documentation of every step from laying out scope of work right through final recommendations.

• All techniques were on the table for negotiation

Techniques including social engineering and physical testing (taser rule)

Technology

• BackTrack/Kali Linux distro

• Google, Shodan

• Nmap, Nessus/OpenVAS, Metasploit

• Additional tools encouraged

Started w/ BackTrack, some have moved on to Kali

Tried using centrally hosted VMs, had poor luck with them.

Dirbuster, ZAP,

Student Work Product

• Notifications to admins (which become SOC tickets at the end of the class)

• Paper describing in detail their work on the greater network

• The report resulting from the departmental engagement

Class paper

• Descriptions of activities, evolution of strategy, successes and failures

• Lessons learned

• Appendix containing all retained information (screen captures, pcaps, output files, etc.)

Results?

• Printers

• Webcams

• Web vulnerabilities

• Printers (hundreds)

• Abandoned stuff

Printers - doc servers, no password, telnet/web interface

Configurable webcams

SCADA

• HVAC control systems

• Lighting control systems

• Serial interfaces for card readers

Byrd Stadium Scoreboard

Chapel Carillon System

Results

• Still completing final tally for this semester.

• Quick count has us down from over 300 to just over 100 vulnerable printers.

• Bulk of what was found in the second iteration is new

• We can prioritize the repeat offenders

Robert Maxwell