The Art of Penetration Testing
Breaking in before the bad guys!
Author unknown
Goals (Why am I here?)
 Define the penetration test, also called a pen test and
“ethical hacking”
 Talk about legal issues
 Set some boundaries…goals
 Talk about when things go bad
 Walk through the major pen test steps
 Introduction to some tools
What is it?
 Penetration Test:
 Identifying vulnerabilities of a particular
system, application, network, or process
 Exploiting those vulnerabilities to demonstrate
that the security mechanisms can and will fail
 The good guys usually get some small piece of
proof and exit as quietly as they came
Legal Issues Before You Start
 First, can you do what you want to do where you want to
do it?
 Is a war-dial legal against your own systems when
going through a central office?
 Make sure you are protected with a “Letter of Authority”.
 Protect yourself with a “Get out of jail” type letter.
More to come.
 Encrypt your data. You don’t want to be liable if your
data is compromised.
More Lawyer Speak
 Watch, and throttle if necessary, your generated network
traffic…Think stealth and covert.
 Think through your actions before doing them.
 Run these tools at your own risk. I am not responsible.
 Test them first on a stand-alone network with a network sniffer attached, and review the source code.
 Obtain tools from their original source, not a random mirror.
 Verify checksums against more than one independent source when applicable.
 Log all of your actions
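The "verify checksums from multiple sources" rule above, written out as a check you can drop into a download script. This is an added example and is not part of the original deck; the downloaded file and the published hashes in the demo are constructed, and it assumes coreutils `sha256sum` (falling back to `shasum -a 256`).

```sh
#!/bin/sh
# Added example (not from the original slides): refuse to run a downloaded
# tool unless its SHA-256 matches the checksum published by at least two
# independent sources, and those sources agree with each other.

# Print the SHA-256 hex digest of a file (digest only, no filename).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_tool FILE HASH_FROM_SOURCE_1 HASH_FROM_SOURCE_2 [MORE_HASHES...]
# Exit status: 0 = all published hashes agree with each other and match FILE
#              1 = FILE does not match the published hash (tampered or wrong file)
#              2 = the published sources disagree with each other
#              3 = usage error (fewer than two sources, unreadable file)
verify_tool() {
    file=$1; shift
    [ $# -ge 2 ] || { echo "verify_tool: need checksums from at least two sources" >&2; return 3; }
    [ -r "$file" ] || { echo "verify_tool: cannot read $file" >&2; return 3; }
    # Lower-case everything so a copy-pasted upper-case hash still compares equal.
    reference=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    for published in "$@"; do
        published=$(printf '%s' "$published" | tr 'A-F' 'a-f')
        if [ "$published" != "$reference" ]; then
            echo "REJECT: published checksums for $file disagree ($reference vs $published)" >&2
            return 2
        fi
    done
    actual=$(file_sha256 "$file")
    if [ "$actual" != "$reference" ]; then
        echo "REJECT: $file hashes to $actual, published value is $reference" >&2
        return 1
    fi
    echo "OK: $file matches $# independently published checksum(s)"
}

# --- demo with a constructed "download" (no network needed) ---
tool=$(mktemp)
printf 'constructed stand-in for a downloaded tool\n' > "$tool"
good=$(file_sha256 "$tool")
bad=0000000000000000000000000000000000000000000000000000000000000000
verify_tool "$tool" "$good" "$good" || echo "  -> exit status $?"   # sources agree and match: OK
verify_tool "$tool" "$good" "$bad"  || echo "  -> exit status $?"   # sources disagree: REJECT (2)
verify_tool "$tool" "$bad"  "$bad"  || echo "  -> exit status $?"   # sources agree, file differs: REJECT (1)
rm -f "$tool"
```

Treat a disagreement between sources as seriously as a mismatch: one of the two sites has been tampered with, or you are looking at two different releases, and either way you do not yet know which binary you are about to run on your attack box.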
Why Do You Want a Pen-Test?
 If you want to measure risk, consider a security assessment instead; it gives a broader review of the current security mechanisms.
 A penetration test is used to show where security fails.
 Can test intrusion detection and incident response
 Can be used to justify the need for an upgrade, bigger
budget, or to validate risk assessments.
What are your boundaries?
 Be as aggressive as you can and work to be creative. Now
is when you can use the “thinking out of the box” classes
that we’ve taken.
 Don’t get tunnel vision
 Are you going to do physical penetrations?
 Actually trying to break-in, vs
 Wandering where you shouldn’t
 What about “social engineering”?
More Boundaries to Consider
 Application Service Providers (how can you use them?)
 Externally hosted resources
 Non-company equipment
 All need to be addressed with each customer and agreed upon.
Coordinating Activities
 Identify activities, persons, processes, events that could
affect the penetration test
 Network quiet time
 Major upgrades
 Layoffs
 Strikes
 Administrator’s day off
 Late at night when the NID monitoring staff is sleeping
 Your advantage?
What’s your perspective?
 Before proceeding, decide what perspective your
team will take during the exercise.
 What will the initial level of access and the amount
of information be?
 Outsider with no previous knowledge
 Outsider with insider knowledge (with an inside
partner or former insider)
 Low level insider (end-user)
 High level insider (system or network
administrator)
The Authorization Letter
 A signed letter from the “appropriate person”. This could
be an officer, the CIO, owner, etc.
 Includes:
 Who will perform the test
 When the test will be performed
 Why the test is being performed
 What types of activities will take place.
 Includes targeted systems or locations
 Customer contacts for verification
 May include reasons to prematurely conclude the test
 Request cooperation to keep knowledge of the test limited to those who need to know
 Is legal review of the letter important?
 May address liability issues
Premature Termination
 Why would you end your test before the allotted time-
frame?
 Busted! The customer has detected your activities and
sounded the alarm
 You’ve caused a negative impact, such as a network or system outage from overzealous password guessing (account lockouts) or flooding the switch
 You were slightly off on your IP addresses and touched a system outside the agreed scope
 You’ve achieved your goal
 Remember, in general, success from your perspective does
not equal success from your customer’s perspective.
 Somebody generally goes home unhappy.
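The authorization letter lists the targeted systems, and "slightly off on your IP addresses" is one of the ways a test ends early. The check below turns that list into a gate that every tool invocation has to pass. It is an added example, not something from the original deck; the `SCOPE` ranges are constructed (RFC 5737 documentation addresses) and `pt_run` is this example's own wrapper, not a tool mentioned in the slides.

```sh
#!/bin/sh
# Added example (not from the original slides): enforce the authorization
# letter's target list before any tool touches the network.

# Convert a dotted-quad IPv4 address to a 32-bit integer. Fails (status 1)
# on anything that is not exactly four plain decimal octets in 0-255.
ip2int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) [ "$o" -le 255 ] || return 1 ;;
            *) return 1 ;;    # empty octet or leading zero (would be octal in arithmetic)
        esac
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDRESS RANGE -> 0 if ADDRESS is inside RANGE (a.b.c.d/bits, or a bare
# address meaning /32); 2 if either argument is malformed.
in_cidr() {
    addr=$(ip2int "$1") || return 2
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    netint=$(ip2int "$net") || return 2
    case $bits in
        0|[1-9]|[12][0-9]|3[0-2]) ;;
        *) return 2 ;;
    esac
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( addr & mask )) -eq $(( netint & mask )) ]
}

# in_scope ADDRESS RANGE... -> 0 if ADDRESS falls inside any of the ranges
in_scope() {
    target=$1; shift
    for range in "$@"; do
        in_cidr "$target" "$range" && return 0
    done
    return 1
}

# Constructed scope, as it would be copied from the signed authorization letter.
SCOPE="192.0.2.0/24 198.51.100.16/28 203.0.113.9"

# pt_run ADDRESS COMMAND [ARGS...] -> run COMMAND only if ADDRESS is in $SCOPE
pt_run() {
    target=$1; shift
    if in_scope "$target" $SCOPE; then
        "$@"
    else
        echo "REFUSED: $target is not in the authorized scope ($SCOPE)" >&2
        return 1
    fi
}

# --- demo: the first is inside 192.0.2.0/24, the second is one past the /28 ---
pt_run 192.0.2.77    echo "would run: nmap -sS 192.0.2.77"    || echo "  -> refused"
pt_run 198.51.100.32 echo "would run: nmap -sS 198.51.100.32" || echo "  -> refused"
```

Keep `SCOPE` in one place that the whole team sources, and have every wrapper script go through `pt_run`; the typo that would have put you on a neighbour's /24 then fails loudly on your own console instead of in the customer's IDS.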
Turning a black-box pen test into a white-box pen test.
 Depending on your target, can you obtain a “clone” of the target?
 It is often a lot easier to experiment, play, and sometimes destroy a controlled system
 For example, based on your fingerprinting results, you’ll have a pretty good idea of the current configuration:
 Configure another machine as a clone
 Borrow or buy a clone system
The Pen Test Team
 The best team “enjoys” their particular area of expertise… It’s more than just a job to them.
 Because of the level of communication and coordination that is required, smaller teams work better.
 Small is relative compared to the target, but 2 – 3 core people should suffice
 Pull in experts as needed, e.g., a BGP router expert, an LDAP pro, etc.
 It’s best to get the testers into a separate conference room, spare office, etc. to collaborate with minimal distractions
 I’ll take a person with stronger ethics over a person with
strong technical skills.
Penetration Testing Methodology
 Let’s walk through the following major steps of a pen-
test:
 Recon / Footprinting
 Scanning
 Enumeration
 Exploiting / Penetrating
 Privilege escalation as required
 Data collection aka “limited pillaging”
 Cleaning-Up
 Prepare & Deliver Report / Presentation
Developing a methodology
 Work on establishing your own methodology
using pre-existing methodologies as guides:
 SANS
 Institute for Security and Open Methodologies (ISECOM), publisher of the OSSTMM
 Common Criteria
 Complete a rough draft of your methodology
before starting and finalize after your first
penetration test.
 Your methodology should be a living document.
Reconnaissance & Footprinting
 Look, but don’t touch.
 This is a lot of web-based searching and reviewing.
 Fire-Up the Browser and review:
 Monster/HotJobs/Dice, etc.
 All Whois (www.allwhois.com)
 ARIN Whois (www.arin.net)
 Or APNIC, RIPE, LACNIC for addresses registered in other regions
 Sam Spade (Microsoft Windows application; samspade.org)
 US SEC’s EDGAR database
The Web: A little bit deeper
 Here’s a Google search on “enable secret” (the Cisco IOS line that sets the privileged-mode password, so the hit is a posted router configuration). The poster has masked the first two octets of his IP address, but has left his company name in his e-mail!
Almost ready.
 You must have a log-book of every activity that
everybody does
 Electronic or manual, just include the basics of
who, what, when, and how.
 Linux “script <filename>” command is a great
tool to save your logs for each terminal session.
Control-D exits and I use a convenient (but long)
filename such as exchpt.gm.2008mar04.
 Plan your efforts and communicate continuously
with team members.
Murphy’s Law
 Everything that goes wrong on the target host,
network, or on the Internet from two weeks
before you plug in to two weeks after you submit
the report will be your fault.
 Document everything!
 Can you script operations to
increase efficiency and reduce
errors?
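The log-book requirement from "Almost ready" and the "can you script operations?" question from Murphy's Law, combined into one small shell helper: every action is appended as one tab-separated record (when, who, what, how), and interactive work is wrapped in `script` so the transcript is kept next to it. This is an added example, not part of the original deck; `PT_LOGBOOK` and the `pt_*` names are this example's own conventions, the log entries in the demo are constructed, and `pt_session` assumes util-linux `script` (the BSD/macOS syntax differs, as noted in the comment).

```sh
#!/bin/sh
# Added example (not from the original slides): a scripted engagement logbook.

PT_LOGBOOK=${PT_LOGBOOK:-./pentest-logbook.tsv}

# pt_logname ENGAGEMENT INITIALS [DATE] -> e.g. exchpt.gm.2008mar04
# DATE defaults to today in the slide's yyyymmmdd form.
pt_logname() {
    stamp=${3:-$(date +%Y%b%d | tr 'A-Z' 'a-z')}
    printf '%s.%s.%s\n' "$1" "$2" "$stamp"
}

# Flatten tabs and newlines inside a field so the logbook stays one record per line.
pt_field() { printf '%s' "$1" | tr '\t\n' '  '; }

# pt_log WHO WHAT HOW -> append one entry, timestamped in UTC
pt_log() {
    when=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s\t%s\t%s\t%s\n' "$when" "$(pt_field "$1")" "$(pt_field "$2")" "$(pt_field "$3")" >> "$PT_LOGBOOK"
}

# pt_entries -> number of entries recorded so far (0 if no logbook yet)
pt_entries() {
    if [ -f "$PT_LOGBOOK" ]; then wc -l < "$PT_LOGBOOK" | tr -d ' '; else echo 0; fi
}

# pt_session ENGAGEMENT INITIALS COMMAND... -> run COMMAND under `script`,
# logging start, end and exit status, with the transcript named like the logbook.
pt_session() {
    eng=$1; who=$2; shift 2
    transcript=$(pt_logname "$eng" "$who").$(date +%H%M%S).log
    pt_log "$who" "session start: $*" "script -> $transcript"
    # util-linux script: -q quiet, -e return the child's exit status, -c run this command.
    # On BSD/macOS the equivalent is:  script -q "$transcript" "$@"
    script -qe -c "$*" "$transcript"
    rc=$?
    pt_log "$who" "session end: $* (exit $rc)" "$transcript"
    return $rc
}

# --- demo on a throwaway logbook with constructed entries ---
PT_LOGBOOK=$(mktemp)
pt_log gm "recon: whois lookup for 192.0.2.0/24 (constructed target)" "whois -h whois.arin.net 192.0.2.0"
pt_log gm "scan: nmap -sS -T2 192.0.2.10 during the approved quiet window" "by hand, from the ISP account"
echo "entries so far: $(pt_entries)"
cat "$PT_LOGBOOK"
rm -f "$PT_LOGBOOK"
# Interactive work would go through the wrapper, e.g.:
#   pt_session exchpt gm nmap -sS -T2 192.0.2.10
```

Because the record is one line per action with a UTC timestamp, it lines up directly against the customer's firewall and IDS logs when the "it was your fault" conversation from Murphy's Law happens.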
Physical Penetrations
 As you enter through the loading dock, you don’t
want to encounter the summer hire black-belt
student who’s watched COPS too many times.
 This is really why it is called the “get out of jail”
letter.
 Make sure it is in your pocket.
 Plan and practice what you will do in the facility.
Know what your “story” will be if questioned so
the whole team gives the same answer.
 Most times the guards will hold the door open for
you.
Why do I want to get access?
 Install sniffer on server or administrators network
 Have console access (local exploits, or maybe there is no password-protected screen saver).
 Grab documents, configurations, any other
documentation
 Grab back-up tapes or other media for review
 Make your own back-up
Social Engineering
 The gentle art of deception, misrepresentation, and
persuasion to get somebody to do something.
 Sometimes it’s just asking the right question to the right
person and sometimes, it’s setting an elaborate plan into
action.
 Check out Kevin Mitnick’s book “Art of Deception” for
more information on Social Engineering and Ira
Winkler’s book “Corporate Espionage” if you can find it.
Reviewing your traffic
 Snort output in sniffing mode. Snort is great as it can be used to trigger alarms as required. Lets you know when the target starts to fight back!
Simple Reviewing / Logging
 Using tcpdump, you can review the data that you send and receive.
 Not as easy to set alerts on as Snort.
Firewalls are not your friend
 Watch firewalls between you and the target
 Unless it is part of your test, relocate.
 For example, to attack machines on the perimeter,
get a raw Internet account through an ISP.
 Disable (or explicitly open) the personal firewall on your own machines, so it doesn’t silently drop scan responses or the connections coming back from the target
 Note: you may also have to disable anti-virus software, depending on what tools you are using; it will quarantine many of them.
Making some noise.
 Key Point: Balance your noisy scans with your
desired level of stealth
 Firewall type could provide information into what
types of scans are best suited
 Firewalk uses TTL-crafted packets to map which ports a firewall passes through to the hosts behind it.
 Nmap can perform any number of types of port scans, and its timing templates control how noisy they are.
 Any tool can trigger an IDS or alert an administrator. Use VERY carefully.
 Use only the tools you NEED
Scanning
 SNMP can give away a lot of information (the default “public” community string is still common)
 snmpwalk (from the Net-SNMP package) ships with most Linux distributions
 Can also use tools to walk the MIB and get configuration, routing, or other information.
 Other tools such as Nmap and Nessus, as well as many others, are great choices.
 Other, more specific tools such as SQLPing, WebProxy, etc. will help.
Exploitation
 So where do you find the vulnerabilities?
 Let’s say Nessus identifies an RPC Statd Format
String Vulnerability:
 If you go into Google and search for “RPC Statd exploit code”, you are directed to:
 http://downloads.securityfocus.com/vulnerabilities/exploits/statd-toy.c
Is it that easy?
 Just about. You’ve now got the code, which you still have to read, understand and compile, and, like any other tool, try on a stand-alone network first: public exploit code is untrusted code.
Exploit Sites….Find your own!
 www.packetstormsecurity.org
 neworder.box.sk/
 www.securiteam.com/exploits
 www.hoobie.net/security/exploits/
 www.insecure.org/sploits.html
 www.astalavista.com/tools
 IRC Channels
 Usenet Groups
Privilege Escalation? Huh?
 Privilege Escalation is used when you are able to
get some level of access to a system, but it is not
sufficient for what you need to do.
 Essentially turning a system/process/user level
account into a privileged account such as
administrator or root.
 An old favorite was “HK”. Working only on Microsoft Windows NT up to SP6, it ran a command of your choice with elevated privileges, for example:
 hk nc -l -p 23 -t -e cmd.exe
 (netcat listening on port 23 and handing out cmd.exe, i.e. a privileged bind shell)
 There are still a lot of tools that do similar things.
Not everything needs code
 Other than the physical and social engineering work, there
are also:
 Configuration flaws (e.g., “backupuser” is a member of the Administrators group and its password sits in a .ini file)
 The web server’s session cookies are neither encrypted nor signed, so you can work out the pattern and get the access you need
 The system administrator’s password is “admin”
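Two of the slides above come down to the same job: reading a configuration file someone should not have exposed, whether it was posted on the web (the “enable secret” search) or found on a box after a break-in (the .ini holding backupuser’s password). The triage below is an added example, not something from the original deck; the regexes cover Cisco IOS-style lines and INI key=value pairs, and the sample router config and .ini are constructed (RFC 5737 addresses, a made-up company) with the first two octets masked exactly as the poster on the slide did.

```sh
#!/bin/sh
# Added example (not from the original slides): triage a leaked configuration
# for credential material and for identity clues that survive address masking.

# Lines that carry a credential. Cisco "password 7" values are reversibly
# encoded and "secret 5" hashes are crackable offline, so both are findings.
CRED_RE='^(enable (secret|password)|username .*(password|secret)|snmp-server community|[[:space:]]*password |tacacs-server key|radius-server key|key-string)'
# key=value secrets as found in .ini / .properties style files
INI_RE='^[[:space:]]*(password|passwd|pwd|secret|api_?key|token)[[:space:]]*='
# Things that name the owner even when the addresses have been x'd out.
IDENT_RE='^(hostname |ip domain-name |snmp-server (location|contact) )|@[a-z0-9.-]+\.[a-z][a-z]+'

# Each hunt prints "[file:]line:text"; no hits is a normal outcome, not an error.
hunt_secrets()   { grep -inE -e "$CRED_RE" -e "$INI_RE" "$@" || true; }
hunt_identity()  { grep -inE "$IDENT_RE" "$@" || true; }
count_secrets()  { hunt_secrets "$@"  | wc -l | tr -d ' '; }
count_identity() { hunt_identity "$@" | wc -l | tr -d ' '; }

# Constructed sample: a router config as it might appear in a forum post.
write_sample_config() {
    cat > "$1" <<'EOF'
hostname acme-core-rtr1
ip domain-name acme.example
enable secret 5 $1$x1yZ$c0nstructedHashValue12345/
enable password 7 0822455D0A16
username backupuser privilege 15 password 7 094F471A1A0A
snmp-server community public RO
snmp-server community s3cr3t RW
snmp-server contact netops@acme.example
interface GigabitEthernet0/0
 ip address x.x.2.1 255.255.255.0
line vty 0 4
 password cisco
 login
EOF
}

# Constructed sample: the backup application's .ini from the slide.
write_sample_ini() {
    cat > "$1" <<'EOF'
[database]
server=db1.acme.example
user=backupuser
password=Backup2008!
[backup]
share=\\fs1\backups
EOF
}

# --- demo ---
cfg=$(mktemp); ini=$(mktemp)
write_sample_config "$cfg"; write_sample_ini "$ini"
echo "== credential lines =="; hunt_secrets "$cfg" "$ini"
echo "== identity lines =="; hunt_identity "$cfg" "$ini"
echo "credentials: $(count_secrets "$cfg" "$ini"), identity clues: $(count_identity "$cfg" "$ini")"
rm -f "$cfg" "$ini"
```

Masking the address buys the poster nothing: the hostname, domain and contact address identify the company, the SNMP read-write community and the vty password are usable as posted, and the type 7 strings decode in seconds. Run the same two hunts over whatever configuration and .ini files you collect during the "limited pillaging" step before you decide what the report’s risk rating should be.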
I can’t write code!
 Design Flaws
 Web Server not appropriately protected because
there is no firewall in front of it.
 Logical Flaws
 The client server application doesn’t check the
password when the administrator logs on
 Implementation Flaws
 Firewall rules not set-up properly.
 Wireless
 Modem Scans
Cleaning up the mess
 Return the system to the same state it was in.
 Remove all tools.
 If you don’t need to, I wouldn’t mess with the logs.
 To fix or not fix the vulnerability you exploited. That is the question!
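"Return the system to the same state it was in" is easy to claim and hard to prove. One way to prove it, as an added example that is not part of the original deck: take a file manifest of the directories you intend to touch before the first tool goes on the box, take another when you think you are done, and diff them. The `pt_*` names are this example's own, the host directory and files in the demo are constructed, and it assumes `sha256sum` (falling back to `shasum -a 256`).

```sh
#!/bin/sh
# Added example (not from the original slides): manifest-based clean-up check.
# Content hashes only; ownership, modes, mtimes and empty directories are not
# covered here (add `stat` output to the manifest line if you need them).

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# pt_snapshot DIR -> "sha256<TAB>relative path" for every regular file, sorted
pt_snapshot() {
    ( cd "$1" || exit 1
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s\t%s\n' "$(hash_file "$f")" "$f"
      done )
}

# pt_state_diff BEFORE AFTER -> ADDED / REMOVED / CHANGED lines; empty if identical.
# Keyed on the file name (ARGV[1] vs the rest) so an empty BEFORE manifest still works.
pt_state_diff() {
    awk -F'\t' '
        FILENAME == ARGV[1] { before[$2] = $1; next }
        { after[$2] = $1 }
        END {
            for (p in after)  if (!(p in before)) print "ADDED   " p
            for (p in before) if (!(p in after))  print "REMOVED " p
            for (p in after)  if ((p in before) && before[p] != after[p]) print "CHANGED " p
        }' "$1" "$2" | LC_ALL=C sort
}

# pt_clean_check BEFORE DIR -> 0 if DIR matches the BEFORE manifest, else 1 with a report
pt_clean_check() {
    now=$(mktemp)
    pt_snapshot "$2" > "$now"
    leftovers=$(pt_state_diff "$1" "$now")
    rm -f "$now"
    if [ -n "$leftovers" ]; then
        echo "clean-up incomplete in $2:"
        echo "$leftovers"
        return 1
    fi
    echo "$2 matches the pre-test manifest"
}

# --- demo on a constructed "host" directory ---
host=$(mktemp -d); before=$(mktemp)
mkdir "$host/tmp"; printf 'listen 8080\n' > "$host/app.conf"
pt_snapshot "$host" > "$before"                      # taken before the first tool goes on the box
printf 'constructed stand-in for an uploaded tool\n' > "$host/tmp/nc"
printf 'listen 8080\nallow 192.0.2.0/24\n' > "$host/app.conf"   # the test changed a config
pt_clean_check "$before" "$host" || echo "  -> not clean yet"
rm "$host/tmp/nc"; printf 'listen 8080\n' > "$host/app.conf"    # undo both
pt_clean_check "$before" "$host"
rm -rf "$host" "$before"
```

Keep the `BEFORE` manifest with the engagement log-book; it is also the evidence you hand over if the customer later claims a file changed because of you.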
Writing It Up
 Once you’ve completed your penetration test, it’s time to
write it up.
 Using the methodology that you’ve previously
developed, I’d recommend a report similar to a Risk
Assessment report:
 Vulnerability Name
 Business Impact (If desired)
 Risk Level: 1 to 5, High, Med, Low, etc
 Description: In detail what the problem is and how
you found it.
 Corrective Action: What must be done.
 Group Responsible for corrective action.
Special Delivery
 Get the report out no later than a few days after the conclusion of the effort.
 Before corrective actions are implemented, ensure that the distribution of the report is extremely limited.
 Work with the customer to deliver a “non-abrasive, non-abusive” report.
 No boasting, no finger-pointing; try to sanitize the report as much as possible to remove the names of the guilty.
