Transcript Document

Security Boot Camp
Intro
7/16/2015
Why this course
• A few years ago a few friends who used to be part of a very successful attack and penetration team wrote a course very similar to this
• They have now re-created a course very similar to the original so that everyone can share the experience and gain a better understanding of the subject matter
Who is that Fat Man?
Mark holds the following certifications:
• CISSP and CISM
• Checkpoint CCSA + CCSE
• Cisco CCNA + CSSP
• BA Computing + MBA
What did Mark do:
• The most popular 802.11 IDS
• Invent an IDS collation engine
• Discover several zero-day vulnerabilities
• Coin the term WAP-GAP
• The London Hacker survey
• Contribute to the CEH Cert
• Expert witness in a famous dirty tricks legal action
etc etc etc
Outline
• Overview of the types of hacking tools and platforms used
• Sites used by hackers
• Building your white-hat hacker toolkit
Origination of tools
• Tools tend to be freely downloadable from the web
• Many tools shared via IRC
• Pirated – commercial tools are also available
• Many available through peer to peer programs
• Tools tend to be developed for specific vulnerabilities
Types of tools
• Network and system scanning/mapping
• Vulnerability scanning and testing (Nessus, whisker)
• Password crackers (Brutus, LC3)
• Encryption tools
• Network sniffers
• War dialling
The Unix hacker toolkit
• Nmap – Port scanner
• Nessus – Port scanner & vulnerability assessment
• Traceroute – with the source route patch or LFT
• Hping2 – Scanning and tracerouting tool
• Whisker – Web vulnerability scanner (Nikto is also based on Whisker)
• Stunnel/SSLPROXY – De-SSL HTTP/s
• Sniffit – command line sniffer
• Netcat – raw socket access
• Tcpdump – command line sniffer
• Icmptime
• juggernaut
• Net::SSLeay – SSL module for PERL (for many tools)
• John the Ripper – Password cracker
• Hunt/Sniper – TCP/IP connection hijacking tool
• nimrod – website enumerator
• Spike archives
• Ethereal – sniffer
• dsniff
The Windows hacker toolkit
• Brutus – Brute force utility
• Mingsweeper – TCP/IP scanning tool
• Superscan – TCP/IP scanning tool
• MPTraceroute/LFT
• SamSpade – Footprinting tool
• NessusWX – Nessus interface
• ISS Scanner / Cyber Cop
• Netstumbler – Wireless LAN scanner
• WinDump – tcpdump for Windows
• Toneloc – War dialling tool
• Finger – Backdoor tool
• NetBios Auditing Tool (NAT)
• Netcat – Enumeration tool
• Legion – Enumeration tool
• LC3 (l0phtcrack)
The Windows hacker toolkit cont.
• Cygwin – Unix-like environment for Windows (provides many UNIX command line tools including shell & compiler)
• ToneLoc – Wardialling tool
• NT resource kit – many tools applicable to NT network enumeration and penetration
• NMAP (Win32 port) – available from insecure.org
Denial Of Service tools
From the spike package
• Land and Latierra
• Smurf & Fraggle
• Synk4
• Teardrop, newtear, bonk, syndrop
• Zombies
Network Sniffers
• tcpdump
• Sniffit
• dsniff
• Observer
• Sniffer Pro
• Ethereal
• Snoop
Underlying requirements
Certain tools have prerequisites that must be in place before installation:
• Perl
• SSLeay
• OpenSSL
• Linux variations
• Example: Whisker requires Perl to be installed
Websites
Websites where tools can be found:
• www.securityfocus.com
• www.packetstormsecurity.org
• www.astalavista.box.sk
• www.securiteam.com
Lab
• Visit the sites used for the hacker toolkit and familiarise yourself with some of the tools available
• Good searches:
– Denial of service
– Backdoor / netbus / backoriface
– http://www.securityfocus.com/ vulnerability section
Time: 30 minutes
Knoppix 3.7
• Bootable CD
• Boots in most Intel/AMD systems
• Linux 2.x with basic security tools
Also see Trustix, Trinux and Packetmaster on sourceforge
Lab
• Boot Linux (Trinux, Knoppix or Packetmaster) and have a play
Time: 35 minutes
A methodology
A network penetration methodology
[Flowchart; its boxes as recovered from the slide, in order of appearance:]
• Passive Research
• Research external information
• Scan perimeter router
• Perimeter testing
• Map device & append to asset inventory
• Accessible server testing
• Scan servers for security exposures
• Identify and analyse firewalls
• other servers? (decision)
• Analyse & Report
Test Objective: To identify insecure protocols or insecure settings of services related to available protocols or services
Research Phase
Objective and Strategy
• Objective: Find out technical information about the target site
– Using external information sources
– Not touching the target servers
• Strategy: Review information available from
– DNS
– RIPE
– Netcraft
– News groups (particularly firewall newsgroups)
Identifying router and firewall
• Identify the Web or Mail server
• Get the next hop before this
– This will probably be the perimeter router or the firewall
– PIX does not appear as a hop (Fw1 & NetScreen do)
– 80% chance it will be NetScreen, PIX or Firewall 1
• To figure out which:
– ICMP (e.g. Address Mask Request)
– Use TCP stack fingerprinting
– Key ports (258, 259 and 263 could indicate Firewall 1)
– IPSEC
– Exploit vulnerabilities with pre-written tools
Hacking the servers
– Scan TCP ports
– Scan UDP ports
!!! Only HTTP or HTTPS ports should be visible if it is a web server, etc.
– Run a CGI scanner (e.g. Whisker, Crazymad or Nikto) to look for web server exploits
– Check scanner output
– Identify exploits
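An added example, not from the course slides, that turns the "only HTTP or HTTPS ports should be visible" rule into an exposure check over your own scan results: it parses constructed nmap-style port lines and reports every open port outside a web-server allowlist, noting TCP 258/259/263 as the Firewall 1 ports the slides mention. The sample output, the allowlist and the function names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap-style "PORT STATE SERVICE" lines for a host
# that is meant to be a public web server (not real scan output).
SAMPLE_SCAN = """\
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
259/tcp  open     unknown
443/tcp  open     https
3306/tcp filtered mysql
53/udp   open     domain
"""

# Per the slides: only HTTP/HTTPS should be visible on a web server, and
# TCP 258, 259 and 263 are associated with Firewall 1 (assumed allowlist).
WEBSERVER_ALLOWED = {(80, "tcp"), (443, "tcp")}
FIREWALL1_PORTS = {258, 259, 263}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

@dataclass(frozen=True)
class Finding:
    port: int
    proto: str
    service: str
    reason: str

def parse_open_ports(text):
    """Return (port, proto, service) for every line whose state is 'open'."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            found.append((int(m.group(1)), m.group(2), m.group(4)))
    return found

def audit_exposure(text, allowed=WEBSERVER_ALLOWED):
    """Flag every open port that is outside the allowlist for this host role."""
    findings = []
    for port, proto, service in parse_open_ports(text):
        if (port, proto) in allowed:
            continue
        reason = "not in allowlist for a public web server"
        if proto == "tcp" and port in FIREWALL1_PORTS:
            reason += "; TCP %d is a Firewall 1 port, so a firewall may be exposed" % port
        findings.append(Finding(port, proto, service, reason))
    return findings
```

Run `audit_exposure(SAMPLE_SCAN)` to get the three findings (22/tcp, 259/tcp, 53/udp); filtered ports are ignored because only open ports are an exposure.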