Upload
annis
View
38
Download
0
Embed Size (px)
DESCRIPTION
Basic Expectations and Performance. B usiness of Penetration Testing. Disclaimer. Hacking is illegal and should not be performed. This presentation does not condone or approve of hacking in any way. - PowerPoint PPT Presentation
Citation preview
Business of Penetration Testing
Basic Expectations and Performance
Disclaimer
Hacking is illegal and should not be performed. This presentation does not condone or approve of hacking in any way.
Penetration Testing is an agreed form of audit between two parties and should be bound in writing defining the scope and nature of what is to be audited.
This presentation is solely for academic and educational purposes only.
What will be covered
Initial planning of the audit External Scanning/Footprinting Internal Scanning Vulnerability Assessment John the Ripper usage Metasploit basics Post-audit reporting
What is Penetration Testing Type of audit to assess security of a
system Provides feedback to the stakeholder
what their security posture is like Enumerates weaknesses and gives
countermeasures/suggestions to strengthen
Planning an Audit
Penetration Test may be included in a scheduled audit or independently
May be announced or unannounced Define the scope Decide who will perform the audit
▪ Conflict of interest▪ Non-trusted party
Client-side Negotiations
Ensure the scope is clearly understood by both parties
Understand what the auditors are capable of testing Certified?
As the client negotiating, remain in control
Get bids- Gives a good comparison of prices
Auditor-side Negotiations Understand your responsibility to the
client Your access/attempted access will be
privileged Try to be as non-invasive as possible
unless given permission Sometimes a proof-of-concept is all
that’s needed The client expects a report. Ensure
deliverables are agreed on
Beginning the Audit
Business is at stake, know when to begin Remember that this is an audit and that
every activity must be documented External activity is not exempt from
documentation. Keep a mindset as if you were collecting
evidence Prepare your tools▪ Run updates on your software▪ Pack extra batteries
Logistical Planning
Planning is crucial for every step taken Plan to meet Plan for introductions Plan for the surprise attacks Plan for the unexpected
Plan to introduce presence to the unsuspecting▪ In cases of unannounced audits, special actions
may need to have preparations in case caught or blown cover
External Port Scanning
Port scanning from the internet is simple Need the public IP Address for the
company Run a port scanner (NMAP) with options
and discover what port are open. If a known port is found, scripts are
good at discovering the security state of that port. Scripts that are available online can be a
huge threat since anyone can use them.
Email Tracing
Look at email traces. Provides IP Addresses to mail servers IP Addresses can lead to more
destinations on the internet for scanning and profiling
Down side IP Addresses can lead to web hosted
email services Sometimes the PTR’s can lead to a host
with a robust firewall as a dead end.
Web Site Profiling
Web site can give good information when looking for emails, executives, and technical staff.
Excellent for social engineering attempts.
If there are interactive web pages, further research can uncover exploitable items (XSS,web injections, or simple valid queries)
Internal Testing
Depends on the scope and plan Performing undercover scans and
testing is best done before introducing to the unsuspecting.
Good time to also social engineer, test policies, and scan wireless Test policies for information control Use kismet or other wireless scanner
Internal Testing
After presence is known, ensure the IT staff knows what type of testing will be performed, expectations of event logs, and NOT to adjust security posture during the audit.
Begin Scanning
Survey the network in any case whether you know the network diagram or are blind testing
Scans include all devices on the network, their Operating System, open ports, and services running
If feasible, look for open access ports to the network in discreet areas. Ideal for placing your own wireless
access points
Network Scans
Try the low hanging fruit Check network places and shared drives
for unrestricted access.▪ Copy machines may have onboard hard
drives with file sharing▪ Users may know enough to be dangerous
sharing folders
NMAP
Network scanner Identifies devices and Operating
Systems More quiet than pinging devices Uses the REQ,ACK,SYN for
communications Returns open ports and has options
for more stealthy operations on a sensitive network
Vulnerability Scanners
Nessus Free for personal use Linux can use apt-get Windows can download Requires registration before usage
openVAS Spin off of Nessus http://www.openvas.org/
Nessus
Enumerates vulnerabilities per device Web GUI provides easy usage and real-
time enumerations Works with Metasploit to provide a scan
and attempt at known vulnerabilities Requires database for saving Nessus scans
Use the “Search” in Metasploit to find modules relating to scans to begin probing
John the Ripper
Offline password cracker Used on SAM dumps, LANMAN, most
types of password hashes Can also be used to generate mangled
wordlists for uses with other tools. Know the how to write rules in john.conf
file Output file can be in a txt format Remember the john.pots file
Medusa or Hydra
Online password cracking Great for dictionary attacks
(wordlists) Best if used on known open ports Wordlists can be found online and
mangled with JTR for more complex P@55w0rds!
Pointers When Using Tools Read any precautionary comments before
starting. Some exploits could cause damage to databases or resources costing your client money
Try not to use client’s network to do quick research, it could contaminate results
Advise IT staff of certain network loading tests and log expectations
Ask, when in doubt if a critical resource is discovered vulnerable, about exploiting
Proof-of-concept may be all that is needed
Metasploit
Metasploit is an open source platform supports vulnerability research exploit development creation of custom security tools
Included in BackTrack distributions Recommend intense training to
master Metasploitable VM download
What is Happening...
Known vulnerability occurs in victim Related exploit is set in Metasploit Options are configured for the victim Payloads are viewed and selected
Payloads are what the attacker wishes to happen
Exploit occurs causing the victim process to crash
Payload is triggered
Pushing Greater Limits
Metasploit offers much more than the scope of this presentation Fuzzing protocols like IMAP and TFTP▪ Writing fuzzers can become the first step to
creating new exploits▪ Good for protocols on the network that have
no known module Password sniffing on the wire Creating backdoors to maintain access
Wrapping Up The Audit
Check for any open activities Confer with IT staff that all network
activity is normal Ensure all documentation is collected
Post-Audit
Generate documentation of all work performed Official audit report to the client Should incorporate summaries, details,
and exhibits Include screenshots and pictures taken Describe details of each action and what
threat it presents
Presentation
In most cases, a brief presentation to client and selected staff will be performed Include most significant threats
discovered and solutions Emphasize the impact of all negative
findings to the business Include positive notes where security
was solid
Post-Audit Report
Audit report is a confidential document to the client
It is an official report that will be integrated into reports of other audits for that client
Use encryption if delivering by email Exercise infosec in all cases regardless
of method used for communications Be thorough, use passive writing, use
pictures
In Conclusion
Instill confidence in your client and yourself
Know your capabilities and limits, personally and legally
Perform a thorough audit documenting as you go
Sharpen and research tools Deliver solid feedback and
suggestions
Questions
References & Research Sites http://www.offensive-security.com/m
etasploit-unleashed/Main_Page http://www.openwall.com/john/ http://www.openwall.com/john/doc/R
ULES.shtml http://thc.org/thc-hydra/ http://www.foofus.net/~jmk/medusa/
medusa.html http://www.tenable.com/products/ne
ssus http://nmap.org/ http://www.backtrack-linux.org/ https://www.owasp.org/index.php/Ma
in_Page