Penetration Testing & Countermeasures Paul Fong & Cai Yu CS691 5 May 2003

Security Penetration Services  Goal: help organizations secure their systems  Skill set: equivalent to system administrators  Record keeping & ethics

Announced vs. Unannounced Penetration Testing  Announced testing  Pros Efficient Team oriented  Cons Holes may be fixed as discovered & block further penetration False sense of security  Unannounced testing  Pros Greater range of testing  Cons Response may block further penetration Requires strict escalation process Impact operations

Rules of Engagement  Type of attacks allowed (no DoS)  Off-limits machines & files (passwords)  Designated machines or networks  Test Plan  Contacts

Penetration Testing Phases  Footprint  Scanning/Probing  Enumeration  Gain Access  Escalate Privileges  Exploit  Cover Tracks  Create Backdoors

Footprinting  Profile target passively Address blocks Internet IP addresses Administrators  Techniques Googling Whois lookups

Scanning/Probing: nmap  Active probing  NMAP Port scanner  Discovers: Available Hosts Ports (services) OS & version Firewalls Packet filters

Scanning/Probing: nessus   Vulnerability scanning Common configuration errors Default configuration weaknesses Well-known vulnerabilities

Enumeration: hackbot  Identify accounts, files & resources  Ws.obit.nl/hackbot  Finds: CGI Services X connection check

Gaining Access: packet captures  Eavesdropping  Ethereal,

Physical Access  Boot loader & BIOS vulnerabilities  GRUB loader No password Allows hacker to boot into single- user w/root access  Password crackers John the Ripper Crack

Wireless Security  War driving with directional antenna  Wired Equivalent Privacy (WEP) vulnerabilities  Penetration Tools: WEPcrack AirSnort

Counter Measures1  Update latest patches.  Change default settings/options  Setup password and protect your password file.  Install anti-virus software and keep it updated.

Counter Measures2  Install only required softwares, open only required ports.  Maintain a good backup.  Set BIOS password, system loader password, or other passwords that necessary.  Have a good emergency plan.

Counter Measures3  Monitor your system if possible.  Have a good administrator.

Future Improvements  Correction of weaknesses uncovered by the penetration exercise  Automate and customize the penetration test process  Use of intrusion detection systems  Use of honeypots and honeynets

Demo: Retina Network Security Scanner  Created by eEye Digital Security, Retina Network Security Scanner is recognized as the #1 rated network vulnerability assessment scanner by Network World magazine.  Retina sets the standard in terms of speed, ease of use, reporting, non-intrusiveness and advanced vulnerability detection capabilities.  Retina incorporates the most comprehensive and up- to-date vulnerabilities database -- automatically downloaded at the beginning of every Retina session.

Bibliography  Klevinsky, et. al. Hack I.T.-Security Through Penetration Testing. ISBN  McClure, et. al. Hacking Exposed: Network Security Secrets and Solutions, 2nd edition, ISBN  Sage, Scott & Lear, Lt. Col. Tom. “A Penetration Analysis of UCCS Network Lab Machines,” March, UCCS course CS691c.  Warren Kruse, et. al. Computer Forensics. ISBN  Ed Skoudis, et. al. Counter Hack. ISBN  Lance Spitzner, et. al. Honeypots. ISBN  Retina network security scanner,