A Discussion In Penetration Testing Marcial White

Introduction Definition of “Hacker” White Hat vs. Black Hat Open Source Methodologies

Penetration Testing Concepts What is a penetration test? –Public Image –Border Networks –Interior Networks What do they produce? –What don’t they produce? How extensive are they? White Box vs. Black Box

Methodology Overview Footprinting –Search Engine Hacking –Social Engineering –White Box Footprinting –Black Box Footprinting Network Enumeration Gaining Access to the Network Escalating Privileges Covering Your Tail Retaining Control –Rogue User Accounts If All Else Fails … Some Defenses

Google Hacking Zero-footprint profiling of the target Start with the simple stuff –Company Name Do popularity searches on the people you find in the first search Look for important looking people A full list of operators available at – For example, “ filetype:txt inurl:robots site:whitehouse.gov “

Social Engineering “The practical application of sociological principles to particular social problems” ( “the practice of obtaining confidential information by manipulation of legitimate users” (Wikipedia)Wikipedia Examples: Lord Nikon and Cereal Killah from Hackers (the most realistic hacking movie ever). Relying on people not reading the EULAs – the Microsoft PLUS! Scheme. Kevin Mitnick: The Art of Deception & The Art of Intrusion

White Box Footprinting Consult the existing network diagram Scan the network Compare results –Find running services –Find live hosts fping, ICMPenum, Ethereal –Record hops between an interior host and the border of the network (traceroute) WhoIs

Black Box Footprinting What do you know? –Most get a single IP to start with Find out what you can on that IP WhoIs it? – – –NSLookup –Visual Route – Tracker PRO (wooptyfriggindo) Often times more systems will be found than were reported. Document everything.

Enumerate the Network Overlaps a bit of the footprinting … NMap is your friend –XMAS Scan nmap –sX host.com –A successful XMAS scan will find one of two things »A closed port on a host will reply with RST »Open ports will lay conspicuously silent. –Fe3d for documentation nmap –oX filename.xml host.com

Nmap XMAS Scan

Fe3d

Gaining Access … Sniff passwords with a protocol analyzer Ethereal Etherpeek TCPDump Snort Nessus NASL NT Info Scan ReadSMB

Escalating Privileges Be SILENT! Brute Force Tools John The Ripper Cain and Abel L0phtCrack Trojan\Back doors Netbus “Remote Administration and Spy Tool” Man in the Middle Attacks Inherent TCP/IP flaws –Three Way Handshakes –Packet Headers –ARP »Ettercap

Unix\Linux rhosts files Usually located at ~/.rhosts »Recommended permissions: HostName -HostName Also of interest: /etc/host.equiv »Allows remote machines to execute commands on the local machine Windows LSA Secrets Older Windows machines (NT 3.51 – 4.0) Dumps various LSA secrets such as service passwords (plain text), cached password hashes of the last users to login to a machine, FTP, WEB, etc. plaintext passwords, RAS dial up account names, passwords etc, workstation passwords for domain access, etc.

Covering your tail It’s all in the configuration Command history ftp/telnet/ssh/etc logs Dynamically generated routing tables Logging daemons klogd metalog »Look in /var/log/, /etc/, /usr/bin Hide your tools Hidden files Obscure naming convention *nix »/.rootkits »Veto files »Burying the files *doze: »Hidden system files »Burying the files

Keeping your doors open Creating rogue user accounts Permissions »RWXRWXRWX »Groups »Creating accounts called “tty” Windows Administrator Retaining control cron jobs Keyloggers »Regload »LKL

Still can’t get in? Denial of service? »Yes! …. I mean, no! Resource Consumption »Attempts to use finite resources (memory, CPU, file handling) Poor programming »Vulnerable variables, which usually lead to more serious vulnerabilities »Ex: “The Register” HTML variables (exposed to phishing attacks

Conclusion … people suck. Do your homework. Be cool. Stay in school. Questions?