Mapping the Pen Tester's Mind (Transcript)

Mapping The Penetration Tester’s Mind
0 to Root in 60 Min #MappingThePenTestersMind

1. Introduction
2. Methodology
3. Tools
4. Technical Walkthrough of Testing
5. Further Learning
6. Questions

Who is this guy in front of me??

GOOD Question. Background:
• Penetration Tester for 12 years
• Network Engineer for 13 years
• In IT for 15 years
• Regulatory Technology Tester for 5 years
• Specializes in mobile technologies and communications
• Social Engineering
• Physical Security

Talks:
• NotACon
• Secure360
• SecurityBSides
  – Chicago
  – Rochester
  – Dallas-Fort Worth
  – Los Angeles
  – Las Vegas
• DeepSec
• SecTor
• ISSA / ISACA Meetings
• Hacker Space Invitationals

Publications:
• “Mapping The Penetration Tester’s Mind: An Auditor’s Introduction to PenTesting” (Book) – Late 2012
• “Mapping The Penetration Tester’s Mind: An Auditor’s Introduction To PenTesting” (Presentation) – 2012
• “Mapping The Penetration Tester’s Mind: 0 to Root in 60 Min” – 2012
• “Weaponizing The Smartphone – Protecting Against The Perfect WMD” – 2011
• “Weaponizing The Smartphone – Deploying The Perfect WMD” – 2011
• “Don’t Bite The ARM That Feeds You – Integrating Mobile Technologies Securely Into Mature Security Programs” – 2011
• “Bond Tech – I Want More Than Movie Props” – 2011

INTRODUCTION

• What is a penetration test?
– A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization's systems) and malicious insiders (who have some level of authorized access). The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. (Wikipedia)

• Penetration tests are valuable for several reasons:
– Determining the feasibility of a particular set of attack vectors
– Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence
– Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software
– Assessing the magnitude of potential business and operational impacts of successful attacks
– Testing the ability of network defenders to successfully detect and respond to the attacks
– Providing evidence to support increased investments in security personnel and technology
(Wikipedia)

• Testing Types
– White Box Testing
• In penetration testing, white-box testing refers to a methodology where an ethical hacker has full knowledge of the system being attacked. The goal of a white-box penetration test is to simulate a malicious insider who has some knowledge and possibly basic credentials to the target system.
– Black Box Testing
• In penetration testing, black-box testing refers to a methodology where an ethical hacker has no knowledge of the system being attacked. The goal of a black-box penetration test is to simulate an external hacking or cyber warfare attack.
(Wikipedia)


METHODOLOGY

Reconnaissance
– Using non-intrusive methods to enumerate information about the network under test. DNS, Whois and Web searching are used.
Objective:
• To enumerate the target organization's “Internet Footprint”, which represents the sum of all active IP addresses and listening services, and to identify potential vulnerabilities.

Network Surveying & Vulnerability Scanning
– This is the process of refining the target list produced during the passive reconnaissance phase by using more intrusive methods such as port scanning, service and OS fingerprinting, and vulnerability scanning. Nmap, Nexpose and other scanning tools are used.
Objective:
• To obtain visibility into the network: determining which devices are targets and enumerating possible threats to the network.

Vulnerability Research & Verification
– In this phase, a vulnerability scanner is run against the devices gathered in previous phases.
– Objective:
• To take the knowledge gathered in previous phases and check for known vulnerabilities and configuration errors.
– Objective:
• To obtain access to services and devices that are not otherwise available, through configuration errors and vulnerability exploitation.
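The reconnaissance objective (the “Internet Footprint” as the sum of live hosts and listening services) and the vulnerability-research objective (checking gathered knowledge against known issues) can both be worked through on a scan report. The script below is an added example, not material from the talk or from the Nmap or Rapid7 projects: it parses an Nmap XML report (the real -oX layout with host, address, ports/port/service and os/osmatch elements) into a host and service inventory, counts the footprint as the talk defines it, and cross-references service versions against a lookup table. The scan results and the KNOWN_ISSUES table are constructed for illustration; in a real engagement the cross-reference comes from a scanner such as Nexpose or an advisory feed, and every hit is verified by hand.

```python
"""Build an "Internet footprint" (live hosts, listening services, OS guesses)
from an Nmap XML report and flag services whose version matches a lookup table.

Added example with constructed data.  The Nmap XML element layout is real;
the scan results and KNOWN_ISSUES entries below are made up for illustration."""
import xml.etree.ElementTree as ET

# Constructed sample report in Nmap's -oX format (documentation ranges only).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 203.0.113.0/29">
  <host><status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.3"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.3"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="95"/></os>
  </host>
  <host><status state="up"/>
    <address addr="203.0.113.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP2" accuracy="90"/></os>
  </host>
  <host><status state="down"/><address addr="203.0.113.12" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed lookup: (product, version prefix) -> note for the tester.
# Real work uses a vulnerability scanner or advisory feed, not a hard-coded dict.
KNOWN_ISSUES = {
    ("OpenSSH", "4."): "old release line; verify patch level by hand",
    ("Apache httpd", "2.2.3"): "old 2.2 build; verify vendor backports",
}


def parse_footprint(xml_text):
    """Return one dict per live host: ip, hostname, os guess and open services."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # dead hosts are not part of the footprint
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        hn = host.find("hostnames/hostname")
        osm = host.find("os/osmatch")
        services = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # only listening services count
            svc = port.find("service")
            services.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts.append({
            "ip": addr,
            "hostname": hn.get("name") if hn is not None else None,
            "os": osm.get("name") if osm is not None else None,
            "services": services,
        })
    return hosts


def footprint_summary(hosts):
    """Live hosts and listening services: the footprint as the talk defines it."""
    return {"hosts": len(hosts), "services": sum(len(h["services"]) for h in hosts)}


def flag_known_issues(hosts):
    """Cross-reference each open service against KNOWN_ISSUES; returns tuples
    (ip, port, product, version, note) for a human to verify."""
    findings = []
    for h in hosts:
        for s in h["services"]:
            for (product, prefix), note in KNOWN_ISSUES.items():
                if s["product"] == product and (s["version"] or "").startswith(prefix):
                    findings.append((h["ip"], s["port"], product, s["version"], note))
    return findings


if __name__ == "__main__":
    inventory = parse_footprint(SAMPLE_NMAP_XML)
    print("footprint:", footprint_summary(inventory))
    for h in inventory:
        print(h["ip"], h["hostname"], h["os"], [s["port"] for s in h["services"]])
    for f in flag_known_issues(inventory):
        print("verify:", f)
```

Running it against a real report is `parse_footprint(open("scan.xml").read())`; the summary is the number the talk's objective asks for, and the flagged list is the starting point for the verification phase, not a result in itself.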

Password Attacks
– Services with authenticated logins are tested against a username and password list created in previous phases.
– Objective:
• To verify that password policies, best practices, and complexity requirements are in use and properly enforced.
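The password-attack phase has a defender's side too: the introduction lists “testing the ability of network defenders to successfully detect and respond” as one reason to run the test. The script below is an added example, not from the talk: it parses constructed sshd lines in the auth.log format OpenSSH writes (“Failed password for … from … port …”) and separates brute force against one account from password spraying (one source, a few guesses each, across many accounts), which a per-account lockout policy does not catch. It also flags a source that succeeds after repeated failures. The thresholds are illustrative.

```python
"""Detect password guessing against an authenticated service from its logs.

Added example, not from the talk.  Log lines are constructed in OpenSSH's
auth.log format; thresholds are illustrative and would be tuned per site."""
import re
from collections import defaultdict

# Constructed sample: sshd lines as they appear in /var/log/auth.log.
SAMPLE_LOG = """\
Jun  1 09:00:01 bastion sshd[2201]: Failed password for admin from 198.51.100.7 port 51001 ssh2
Jun  1 09:00:02 bastion sshd[2202]: Failed password for admin from 198.51.100.7 port 51002 ssh2
Jun  1 09:00:03 bastion sshd[2203]: Failed password for admin from 198.51.100.7 port 51003 ssh2
Jun  1 09:00:04 bastion sshd[2204]: Failed password for admin from 198.51.100.7 port 51004 ssh2
Jun  1 09:00:05 bastion sshd[2205]: Failed password for admin from 198.51.100.7 port 51005 ssh2
Jun  1 09:00:06 bastion sshd[2206]: Accepted password for admin from 198.51.100.7 port 51006 ssh2
Jun  1 09:05:01 bastion sshd[2301]: Failed password for alice from 203.0.113.99 port 40001 ssh2
Jun  1 09:05:02 bastion sshd[2302]: Failed password for bob from 203.0.113.99 port 40002 ssh2
Jun  1 09:05:03 bastion sshd[2303]: Failed password for invalid user backup from 203.0.113.99 port 40003 ssh2
Jun  1 09:05:04 bastion sshd[2304]: Failed password for carol from 203.0.113.99 port 40004 ssh2
Jun  1 09:05:05 bastion sshd[2305]: Failed password for dave from 203.0.113.99 port 40005 ssh2
Jun  1 09:10:00 bastion sshd[2401]: Failed password for erin from 192.0.2.5 port 30001 ssh2
Jun  1 09:10:30 bastion sshd[2402]: Accepted publickey for erin from 192.0.2.5 port 30002 ssh2
"""

# Matches both "Failed password for bob from ..." and "... for invalid user bob from ...".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_lines(text):
    """Yield (result, method, user, src) for every line that is an sshd auth event."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("src")


def detect_guessing(text, brute_threshold=5, spray_threshold=4):
    """Return a list of (kind, source, detail) alerts.

    brute:                  >= brute_threshold failures for one (source, user) pair
    spray:                  one source failing against >= spray_threshold distinct users
    success-after-failures: a (source, user) pair that got in after a brute-force run
    """
    failures = defaultdict(int)       # (src, user) -> failure count
    users_per_src = defaultdict(set)  # src -> users it failed against
    accepted = []                     # (src, user) logins, in log order
    for result, _method, user, src in parse_auth_lines(text):
        if result == "Failed":
            failures[(src, user)] += 1
            users_per_src[src].add(user)
        else:
            accepted.append((src, user))

    alerts = []
    for (src, user), n in failures.items():
        if n >= brute_threshold:
            alerts.append(("brute", src, "%d failures for %s" % (n, user)))
    for src, users in users_per_src.items():
        if len(users) >= spray_threshold:
            alerts.append(("spray", src, "%d accounts: %s" % (len(users), ", ".join(sorted(users)))))
    for src, user in accepted:
        if failures.get((src, user), 0) >= brute_threshold:
            alerts.append(("success-after-failures", src,
                           "%s logged in after %d failures" % (user, failures[(src, user)])))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect_guessing(SAMPLE_LOG):
        print("%-24s %-14s %s" % (kind, src, detail))
```

The single failure for erin followed by a key-based login is the normal case and raises nothing; the admin sequence raises both a brute alert and a success-after-failures alert, which is the one an on-call responder should see first.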

Reporting and Analysis
– In this phase, the results found during the automated and manual aspects of the assessment are analyzed.
Objective:
• To build a deliverable containing the greatest risks to the organization being tested.


TOOLS


Mapping The PenTester’s Mind

Who should do the test?
• Interview the vendor AND the Tester
• Experience Levels of the Tester
– Free range
– Enterprise class
• Know the data retention policy
• Create a relationship with your tester – they are your guide, not only an employee or consultant

SOWs & SCOPE

Before you begin…
• The single most important thing to have when performing a penetration test is permission
• The second is a clear scope for your testing
• Then…
– Identify any testing restrictions such as blackouts or DoS attacks
– Discuss real-time disclosures of immediate risks
– Establish an emergency escalation process in the event the testing goes awry

Watch out!
• Don’t assume that everyone is aware of your testing. Many times the proper staff is not notified of ongoing testing until it is too late
• Be careful when impersonating real third-party companies
• Verify IP typos during testing
• Get permission if you are going to poke a vulnerable box that is out of scope
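“Verify IP typos”, “clear scope” and “don't poke an out-of-scope box” can be made mechanical with a pre-flight filter run over every target list before any traffic is sent. The script below is an added example, not from the talk: check_target and filter_targets are hypothetical helpers, and the in-scope ranges, the excluded host and the blackout window are constructed sample values standing in for what the signed SOW actually states.

```python
"""Pre-flight scope filter for a penetration test.

Added example with hypothetical helpers (not from the talk).  Every candidate
target is checked against the authorised ranges from the SOW, an explicit
exclusion list and agreed blackout windows before any testing traffic is sent."""
import ipaddress
from datetime import datetime, time

# Constructed sample scope standing in for the ranges written in the signed SOW.
IN_SCOPE = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/28")]
# A host the client placed off limits even though it sits inside a scoped range.
EXCLUDED = [ipaddress.ip_network("203.0.113.250/32")]
# Agreed blackout window (local time): no testing traffic between these times.
BLACKOUTS = [(time(8, 0), time(10, 0))]
# Sample timestamps for the demo: one inside the blackout window, one outside.
DEMO_NOW = datetime(2012, 6, 1, 14, 0)
DEMO_BLACKOUT_NOW = datetime(2012, 6, 1, 9, 0)


def in_blackout(now):
    """True if the wall-clock time falls inside any agreed blackout window."""
    t = now.time()
    return any(start <= t < end for start, end in BLACKOUTS)


def check_target(target, now=None):
    """Return (allowed, reason) for one candidate target string.

    A string that is not a valid address is rejected rather than guessed at;
    a transposed octet that still parses is caught by the scope check."""
    now = now or datetime.now()
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return False, "%r is not a valid IP address (typo?)" % target
    if any(ip in net for net in EXCLUDED):
        return False, "%s is explicitly excluded by the client" % ip
    if not any(ip in net for net in IN_SCOPE):
        return False, "%s is outside the authorised scope" % ip
    if in_blackout(now):
        return False, "%s is in scope but the current time is a blackout window" % ip
    return True, "%s is in scope" % ip


def filter_targets(targets, now=None):
    """Split candidates into the list to test and the list to raise with the client."""
    allowed, rejected = [], []
    for target in targets:
        ok, reason = check_target(target, now)
        if ok:
            allowed.append(target)
        else:
            rejected.append((target, reason))
    return allowed, rejected


if __name__ == "__main__":
    # "203.0.131.10" is a transposed-digit typo of the in-scope "203.0.113.10".
    candidates = ["203.0.113.10", "203.0.113.250", "203.0.131.10",
                  "198.51.100.5", "203.0.113.999"]
    ok, held = filter_targets(candidates, DEMO_NOW)
    print("test:", ok)
    for _target, reason in held:
        print("hold:", reason)
```

The rejected list is the one to walk through with the client before the engagement continues: an excluded host needs explicit permission, an out-of-scope address is either a typo or a scope change, and a blackout hit simply waits.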

DISCOVER TARGETS

NMAP

Metasploit Scanning

VULNERABILITY ASSESSMENT

Nexpose Scanning

MAN IN THE MIDDLE

EXECUTE ARP POISON

EXPLOITATION
• Low Hanging Fruit
• Think outside the box
• Exploitation does not always require there to be a technical vulnerability
• Leverage the Human Factor
• Administrators want things to be easy to support

MS08-067

CREDENTIAL AND HASH COLLECTION

COLLECTING CREDENTIALS – HTTP/HTTPS

COLLECTING CREDENTIALS – SMB

PASS-THE-HASH
(NOT THAT KIND)

PSEXEC WITH A LOCAL ACCOUNT HASH

CREATE LOCAL ADMINISTRATOR ACCOUNT

REMOTE DESKTOP VIA RAPID7 LOCAL ADMIN

LOCAL ADMIN… MEH, THAT’S NOT MY DOMAIN

INCOGNITO

PSEXEC

PSEXEC WITH DOMAIN ADMIN ACCOUNT

SESSIONS CREATED WITH CREATED DOMAIN ADMIN

COMPLETE DOMAIN CONTROL

MY HARDWARE IS SAFE RIGHT??

NETWORK HARDWARE ACCESS – SSH SESSIONS

LOCAL ACCESS

I trust ALL of my contractors…

BOOT FROM USB

BOOT TO UNAUTHORIZED OS

MOUNT AND ACCESS LOCAL HARD DRIVE

REPLACE Sethc.exe

SYSTEM LEVEL CMD PROMPT ON LOGIN SCREEN


Further Learning
• www.offensive-security.com/metasploit-unleashed
• community.Rapid7.com
• SecurityBSides.com < WOOT WOOT!!
• Metasploit: The Penetration Tester's Guide, by David Kennedy, Jim O'Gorman, Devon Kearns, Mati Aharoni
• Local DC (DefCon) Groups & Meetings
• Local Hackerspaces

Mapping The PenTester’s Mind
Taking a step-by-step approach narrows the expansiveness of a network, and a single vulnerability can lead to a larger problem.


Questions?

Kizz MyAnthia – Nick D.
Senior Penetration Tester
E-mail: [email protected]
Website: www.KizzMyAnthia.com
Twitter: @Kizz_My_Anthia

www.metasploit.com
www.rapid7.com
www.SecurityBSides.com