Mr. Mark Welton

     Definition, Concepts on Penetration Testing/Hacking What is the difference between Penetration Testing and Vulnerability Assessment What is the difference between Penetration Testing and Hacking Anatomy of a Hack How does Pentration Testing differ from the Anatomy of a Hack

       Vulnerability (Security Flaw): specific failure of the system to guard against unauthorized access or actions. It can be procedures, technology (SW or HW), or management. Using the failure of the system to violate the site security policy is called exploiting the vulnerability Penetration Testing computer system Wikipedia or malicious source, known as a Penetration Testing found in a system. is a method of evaluating the network by simulating an attack from a Black Hat Hacker security , or Cracker is a testing technique for discovering, of a . – understanding, and documenting the security holes that can be It is not a proof techniques. It can never prove the absence of security flaws. It can only prove their presence.

Example goals of penetration studies are gaining of read or write access to specific objects, files, or accounts; gaining of specific privileges; and disruption or denial of the availability of objects.

What is the difference between penetration testing and hacking/intrusion?

 ◦ ◦ ◦ Vulnerability Assessment: ◦ Typically is general in scope and includes a large assessment.

◦ Predictable. ( I know when those darn Security guys scan us.) Unreliable at times and high rate of false positives. (I’ve got a banner) Vulnerability assessment invites debate among System Admins.

Produces a report with mitigation guidelines and action items.  ◦ ◦ Penetration Testing: ◦ Focused in scope and may include targeted attempts to exploit specific vectors (Both IT and Physical) ◦ ◦ Unpredictable by the recipient. (Don’t know the “how?” and “when?”) Highly accurate and reliable. (I’ve got root!) Penetration Testing = Proof of Concept against vulnerabilities. Produces a binary result: Either the team owned you, or they didn't.

  Pen Tester’s have prior approval from Senior Management Hackers have prior approval from themselves.

  Pen Tester’s social engineering attacks are there to raise awareness Hackers social engineering attacks are there to trick the DMV into divulging sensitive information about the whereabouts of their estranged ex-spouse.

  Pen Tester’s war driving = geeks driving cars with really long antennas, license plate reading “r00t3d” while dying their hair green looking to discover the hidden, unapproved networks your users thought it would be OK to install for you.

Hackers wireless war driving doesn’t happen so often because 14 year olds typically don’t have their license yet.   Pen-testers have pink mohawks and wear trenchcoats in July. Hackers have pink mohawks and wear trenchcoats.... that they bought with your bank account info.

Hacking Methodology (Steps)

Footprinting Scanning Enumeration Gaining Access Escalating Privilege Pilferting Covering Tracks Creating Back Doors Denial of Service whois, nslookup Nmap, fping dumpACL, showmount legion, rpcinfo, Nessus Tcpdump, Lophtcrack NAT, Metasploit Johntheripper, getadmin Rhosts, userdata Config files, registry zap, rootkits Cron,at, startup folder netcat, keystroke logger remote desktop Synk4, ping of death tfn/stacheldraht

       Information gathering. Sam Spade is window-based network query tool.

Find out target IP address/phone number range ◦ Why check phone numbers?

Namespace acquisition. Network Topology (visualRoute).

It is essential to a “surgical” attack.

The key here is not to miss any details.

Note that for penetration tester, this step is to avoiding testing others instead of your client and to include all systems to be tested (sometime the organization will not tell you what their systems consist of).

Defense: deploy NIDS (snort), RotoRouter

     Bulk Target assessment Which machine is up and what ports (services) are open Focus on most promising avenues of entry.

To avoid being detect, these tools can reduce frequency of packet sending and randomize the ports or IP addresses to be scanned in the sequence.

Note that some machine does not respond to ping but responds to requests to ports that actually open. Ardor is an example.

  Identify valid user accounts or poorly protected resource shares.

Most intrusive probing than scanning step.

 Based on the information gathered so far, make an informed attempted to access the target.

 If only user-level access was obtained in the last step, seek to gain complete control of the system.

  Webster's Revised Unabridged Dictionary (1913) ◦ Pilfer \Pil"fer\, v. i. [imp. & p. p. Pilfered ; p. pr. & vb. n. Pilfering.] [OF. pelfrer. See petty theft. Pelf .] To steal in small quantities, or articles of small value; to practice Gather info on identify mechanisms to allow access of trusted systems.

 Once total ownership of the target is secured, hiding this fact from system administrators become paramount, before they react

 Trap doors will be laid in various parts of the system to ensure that privilege access is easily regained whenever the intruder decides.

 If atacker is unsuccessful in gaining access, they may use readily available exploit code to disable a target as a last resort.

Hacking Methodology

Footprintin g Scanning Enumeratio n Gaining Escalating Pilferting Covering Tracks Creating Back Doors Denial of Service

Penetration Testing Methodology

Footprintin g Scanning Enumeratio n Gaining Escalating Pilferting

  The good guys usually get some small piece of proof and exit as quietly as they came You have authority to do it

   First, can you do what you want to do where you want to do it?

◦ Is a war-dial legal against your own systems when going through a central office?

Make sure you are protected with a “Letter of Authority”. ◦ Protect yourself with a “Get out of jail” type letter Encrypt your data. You don’t want to be liable if your data is compromised

 Watch, and throttle if necessary, your generated network traffic…Think stealth and covert.

 Think through your actions before doing them.

 Run these tools at your own risk. You are responsible for what you do.

◦ Test them on a stand-alone network with a network sniffer and review the source code ◦ ◦ Obtain tools from the source Verify checksums from multiple sources when applicable

 Be as aggressive as you can and work to be creative. Now is when you can use the “thinking out of the box” classes that we’ve taken.

 Don’t get tunnel vision  Are you going to do physical penetrations?

◦ Actually trying to break-in, vs ◦ Wandering where you shouldn’t  What about “social engineering”?

 Application Service Providers (how can you use them?)  Externally hosted resources  Non-company equipment  All need to be addressed with each customer and agree upon.

 Identify activities, persons, processes, and events that could affect the penetration test: ◦ ◦ ◦ ◦ ◦ ◦ Network quiet time Major upgrades Layoffs Strikes Administrator’s day off Late at night when the NID monitoring staff is sleeping  Your advantage?

 Before proceeding, decide what perspective your team will take during the exercise.

 What will the initial level of access and the amount of information be?

◦ Outsider with no previous knowledge ◦ Outsider with insider knowledge (with an inside partner or former insider) ◦ ◦ Low level insider (end-user) High level insider (system or network administrator)

     ◦ ◦ ◦ ◦ could be an officer, the CIO, owner, etc.

Includes: ◦ Who will perform the test ◦ ◦ When the test will be performed Why the test is being performed What types of activities will take place.

Includes targeted systems or locations Customer contacts for verification May include reasons to prematurely conclude the test Request cooperation to minimize notification of your activities Is legal review of the letter important?

May address liability issues

 Why would you end your test before the allotted time-frame?

◦ ◦ ◦ ◦ ◦ ◦ Busted! The customer has detected your activities and sounded the alarm You’ve caused a negative impact such as a network or system outage You are not the person to successfully gain access You uncover such a significant vulnerability that you need to alert the system or network administrators You were slightly off on your IP addresses You’ve achieved your goal

 Remember, in general, success from your perspective does not equal success from your customer’s perspective.

◦ Somebody generally goes home unhappy.

◦ Watch morale issues on your team.

 Depending on your target, can you obtain a “clone” of the target?

 It is often a lot easier to experiment, play, and sometimes destroy a controlled system ◦ For example, based on your finger printing results, you’ll have a pretty good idea of the current configuration.

 Configure another machine as a clone  Borrow or buy a clone system

 You ◦ must everybody have a log-book of does every activity that Electronic or manual, just include the basics of who, what, when, and how.

 Linux “script ” command is a great tool to save your logs for each terminal session. Control-D exits and I use a convenient (but long) filename such as exchpt.gm.2003mar04.

 Plan your efforts and communicate continuously with team members.

 Everything that goes wrong on the target host, network, or on the Internet from two weeks before you plug in to two weeks after you submit the report will be your fault.

 Document everything!

 Can you script operations to increase efficiency and reduce errors?