• No results found

Ethical Hacking and Penetration Testing. Review of the obligatory litterature

N/A
N/A
Protected

Academic year: 2021

Share "Ethical Hacking and Penetration Testing. Review of the obligatory litterature"

Copied!
77
0
0

Loading.... (view fulltext now)

Full text

(1)

Ethical Hacking and

Penetration Testing

Review of the

(2)

Chptr 2

(3)

Definition Active vs. passive Stage 1 Stage 2 Active tools Passive tools DNS E-mail server Social Engineering Practicing reconnaissance

(4)

Definition

• Recconoissance

• Information Gathering

• Must be equal parts; Hacker, Social Engineer and Private Investigator

(5)

Active vs. passive

• Active rec. interacts with the target • Passive does not

• Use search engine, cached sites, phone

books, written material, public info on the web, etc.

• Be careful of the tools you use

(6)

Stage 1

• Search public information • Goal 1: Gather intel

• Goal 2: Sort and analyze the intel • ID services in the network

• Generate list of attackable IPs • ID personell/Employees

• Phone, Email, Soc.Med., tax records • ID physical layout

(7)

Stage 1

• Locate targets website(“active”) • Review closely

• HTTrack the site for offline viewing • Higly active interaction with target

• Look for; location, phone, email, srvices, hours of operation, business relation, employees,

Soc.Med, news, RSS-feed, job listing

(8)

Stage 1

• Passive rec. of target in search engine • Check out cached websites

• Find old, discarded and erased information

• Reduce footprints

• Passive as long as you don’t click on the links • Follow strategic key personell on Soc.Med.

(9)

Stage 2

• Review the recovered intel • Create

• Separate lists of all IP-addresses, e-mails, host names, and URLs

• Separate list of employees and information • Separate list of services running on the

(10)

Active Tools

• HTTrack: mirror site

• nslookup: queries DNS-servers for stored IP/ host mappings

• dig: Easy to perform a DNS zone transfer

• MetaGooFil: extract metadata from files, could be used for offline scanning too

(11)

Passive tools

• Search Engines: google, yahoo

• theHarvester: use search engines and to gather email, subdomains and user names

• Whois: gqet IP-address, hostnames og DNS, contact info. Check out the info in the referred URL.

• netCraft: Searches it’s stored information for info. on a URL.

• host: translate host-name to IP-address and vice versa

(12)

DNS

• Like finding a bluebprint to the system • Enumerate all IP-addresses

• DNS servers function for syncing is a zone transfer. DNS sends all host/IP mappings to another server.

(13)

E-mail server

• Contains significant pieces of information • Send a mail which will be rejected and

examine the corresponding

• Internet Header gives: IP-address, software vers. and brand of e-mail server

• The returned message gives: Antivirus used to scan the mail

(14)

Social Engineering

• Make people reveal information “willingly” • Physical contact, phishing, social interaction,

(15)

Practicing

recconnaissance

• Find a newspaper and choose an unknown corporate initiative

• Start performin PASSIVE recconnaissance • Use search engines

• Try SEAT(Search Engine Assessment Tool) • Try Google Hacking Database

(16)

Chptr 3

(17)

Overview Stage 1 Stage 2 Stage 3 Ping And Ping Sweeps Port Scanning Vulnerability Scanning Practising Port Scanning

(18)

Stages of scanning

• Stage 1:

• Determine if the system is alive • Poor reliability

• Stage 2:

• Port/service scan the system

• Find open/vulnerable services and ports on the system • Stage 3:

• Scan the system for vulnerabilities • ID vulnerable services and hosts

(19)

Stage 1

• Determine if the system is turned on • Determine if the system is capable of

communication with our host

(20)

Stage 2

• Port scanning

• Ports are a way for services to communicate with HW

• Scan the host list for ports • ID running services

(21)

Stage 3

• Vulnerability scanning

• Locate and ID known vulnerabilities in the services running on a target machine

• Begin by scanning the perimiter devices

• The intel gathered is from perimiter hosts • Not allways possible to gain internal access

• Conquer a perimiter device, then jump to internal host

(22)

Ping and Ping Sweep

• Ping

• ICMP Echo packet

• Tells if the host is up and running, may not reply anyway

• Ping sweep

• Automatic sending ICMP echo packets to a range of hosts to see which is up

(23)

Port Scanning

• ID which ports and services is available • Port range: 0 - 65.535, either TCP or UDP • Determine purpose of the host

• Creates a packet and send it to the hosts port

• Different type of port scans can produce different results • nMap or its GUI, “zenMap”

• -sT TCP scan: Completes the TCP hanshake

• -sS SYN scan: Faster only completes 2/3 of the TCP handshake • -sU UDP scan: Send a UDP packet to the host, slow but needed • Xmas scan: Scans for RFC-documented vulnereabilities and

loopholes

(24)

Vulnerability scanning

• Scan hosts for vulnerabilities on dedicated ports

• Nessus

(25)

Practicing

port scanning

• Set up a virtual machine network

• One BT5 and one Damn Vulnerable Linux, WinXP SP2/SP1 without upgrades

• Work through the scanning techniques in the book

• Work through the vulnerability scanning • Try other tools for port scanning and

(26)

Chptr 4

(27)

Definition Medusa Metasploit John The Ripper Password resetting Network sniffing macof; MAC flooding Fast-track autopawn Practice

(28)

Definition

• Process of gaining control over a system

• You need to expand the knowledge of systems and exploits when you’re becoming more

experienced

(29)

Medusa

• Pay attention to remote access

• SSH, Telnet, FTP, PC Anywhere, VNC

• Brute force uname/passwd gathered from recon • Medusa and Hydra; learn Hydra too

• Medusa

• Parallell brute force

• Cracks login of remote services: AFP, FTP, HTTP, IMAP, MySQL, POP3, SMTP-AUTH, SNMP, SSHv2, Telnet, VNC, Web Forum, and more

(30)

Metasploit

• Based on an exploit framework

• Structured to develop and launch exploits • Exploits: Functions to exploit vulns.

• Payloads: Tasks to do upon a successfull exploit

• General use

• Decide target -> Select exploit -> Choose payload -> Exploit

(31)

Metasploit

• Select target based on Nessus output

• Search metasploit for specific vulnerabilities

• Select corresponding exploit with high rank/dependability • Set parameters for exploits

• View payloads • Select payload

• Set parameters • Run exploitation

(32)

Metasploit

payload

• Bind: Sends an exploit, and makes connection to the target

• Reverse: Sends an exploit, and forces the target to connect back to the attacker

• Meterpreter: Provides a powerful command line shell that can interact with their target.

• Runs with privileges of the exploited process • A complete shell with powerful features

(33)

John The Ripper

• Password/Hash cracking

• Speed depends on algorithm

• Escalating privileges with higher accounts • Cracking

• Select hashing alg. • Select plaintext word

• Encrypt the plaintext using hashing alg. • Brute force or dictionary

• Compare generated hash with retrieved hash • If equal you have found the password

(34)

John The Ripper

• SAM password file, Windows • Cracking

• Shut down the host

• Boot into BT5 and mount local HD

• Go to the “C:/windows/sytem32/config” folder • Use Samdump2 to extract the hashes

• Samdump2 uses the file “system” to decrypt and return the password hashes

• Upload cracked file to an available location • Utilize John to crack the passwords

(35)

John The Ripper

• LM hashes(Lan Manager) • Microsoft Windows

• Utilized by SamDump2

• Not casesensitive, it converts all chars to upper case before hashing

• LM passwords is 14 chars

• if under 14 chars it is appended with NULL values

(36)

John The Ripper

• shadow password file

• Linux password hashes

• “/etc/passwd” and “/etc/shadow” • ./unshadow function extracts the hashes • Crack hashes with John

(37)

Password Resetting

• Used instead of password cracking • Sets off alarms

• People will know you where there when their password doesn’t work

• Blanks out the passwords in the password file • No restoration of original passwords

(38)

Password resetting

• Get physical access to host • Re-boot into BT5

• Mount local HDs

• Run the chntpw program in “/pentest/passwords/ chntpw”

• Follow the menu driven interface for changing a users password

• When password is cleared, reboot into original OS

(39)

Network sniffing

• Capturing and viewing packets transmitted on the network • Promiscuous mode

• The NIC must be set to promiscuous

• Accepts all packets that arrives to the NIC • Non-Promiscuous mode

• Default mode for NIC

• Passes only on traffic sent to the NIC • WLAN-sniffinge

• Monitor mode

• Captures all packets captured by the NIC • Managed mode

(40)

Macof, MAC flooding

• Switches

• Limited MAC-address storage

• Fails “open” by default when flooded • “open”: Sends the packet to everyone • “closed”: Causes DOS-attack

• macof

• Generates packets with different MAC-addresses • Floods the network

• Easily detectable

(41)

Fas-track autopown

• Nuke the hosts based on IP-address(es), built on Metasploit

• Automates the process of of finding vulnerabilities and match exploits • Should lead to multiple shells

(42)

Practice

• Set up a virtual pentest lab

• BT5, metasploitable, WinXP SP1/SP2, Linux Ubuntu 9.04/8.04, Damn Vulnerable Linux • Test the different topics discussed

• Start with a known vulnerable host to not be discouraged when trying exploitation

(43)

Chptr 5

(44)

Nikto WebSecurify Spidering: WebScarab InterceptioN: WebScarab Code Injection XSS Practice

(45)

Nikto

• Web server vulnerability scanner

• Out-of-date/missing patches and dangerous files

• Command Line tool

• Use Nikto when open ports on 80 or 443 is found

(46)

WebSecurify

• Automates web vulnerability scanning • GUI-app

(47)

Spidering: WebScarab

• WebScarab

• A modular framework and expandable with plug-ins

• A program which catalogs the target website and finds links, files, etc.

(48)

Interception: WebScarab

• Proxy server feature

• Intercept data via the proxy

• Set up WebScarab with proxy feature • Switch to Intercept tab

• All requests will be stopped before you allow them to pass

• Change its integrity or view its content between targets

(49)

Code Injection

• Many types • SQL-injection

• Inject variables which alter the original SQL-query

• Add, delete or view information in the DB • Comment signs: #,

(50)

XSS

• Injection scripts into the web-app

• Stored on the website everyone is attacked • JavaScript

• Use input fields input scripts • Forms, login, etc

(51)

Practice

• Test all softwares in described

• Download OWASPs WebGoat project

• Vulnerable web server

• Install on a virtual machine

• Command line server interface • Misconfigured and exploitable

• Access the WebGoat from browser on http://<IP>: 8080/webgoat/attack

(52)

Chptr 6

Maintaining Access with Backdoors and Rootkits

(53)

Definition NetCat CryptCat Netbus Rootkits Hacker Defender (Rootkit) Detect/Defend againsT Rootkits

(54)

Definition

• Backdoor:

• Piece of software that resides on the target host which allows the attacker to reconnect at will

(55)

NetCat

• Allows communication between hosts • listen, send, transmit files between hosts

• Can be set to listen for connection from the attacker and auto-run on boot

• Does not respond when transactions is finished • Use NetCat to interact with unknown open ports • NetCat can be binded with existing processes

(56)

CryptCat

• NetCat transmits info in clear text

• CryptCat transmits encrypted info with twofish

(57)

Netbus

• The server is installed on the target

• The client connects to the server and controls it

(58)

Rootkits

• Stealthy and wast amount of possibillities • Uploaded to system after exploitation

• Used for hiding files and programs and main backdoor accesss

(59)

hacker Defender

(rootkit)

• Three main files

• Hxdef100.exe: Runs the program on the target

• Hxdef100.ini: config file for the program by setting parameters in this file

• bdcli100.exe: Runs the program on the attackers computer

(60)

Detect/Defend against

Rootkits

• Steps

• Monitor intel put online

• Config FWall and other ACL • Patch the system

• Install and use antivirus SW • Make use of IDS

• Installing RK requires admin-privs and it will open ports • Disable admin-privs for users

• Monitor network traffic against a correct baseline • Run port scans

(61)

Practice

• Learn setting up NetCat connections between computers

• Binding to processes, and so on • Sending files

• On multiple OS-es

• Making it start on boot

(62)

Chptr 7

(63)

Report writing Exec Summary Detailed Report Raw output Next step Wrap up

(64)

Report writing

• One of the most critical tasks in Pentesting • The face of your work and reputation

• Showcase results and your talent • Good report takes practice

• Report is broken into several pieces • Makes up a complete report

• Every piece should work as a stand-alone report • Includes at minimum; Exec sum, detailed report

(65)

Report writing

• Distribute the report securely as a digital document • May require instructing the employers

• Clearly label the sections

• Front page and table of contents • Each page header and footer • Each section, part

• Emphasize the fact that the pentest was only wiable at the time of testing

• Write, check, edit, re-read and finalize the report • Sanitize tool output for comments by hackers

(66)

Exec summary

• Brief overview of the major findings in a high-level fashion • Absolute maximum size is two pages

• Only highlights of the penetration test • Exploitable vulnerabilities

• Describe how the impact affects the business functionality • Reference the technical aspects of the exploit/vulnerability • No technical details or terminology

• Written for the employers/executive officers

• Basically your grandmother should be able to understand what happened under the pentest

(67)

Detailed report

• Comprehensive list of all findings and technical details • For each finding refer to technical output

• Audience is IT-managers, sec.experts, net.admin, and other with significant tech. skills

• Used to fix the issues presented in the report

• Order vulnerabilities, descendingly, by which poses the most danger to the network/system

• Some tools provides default ranking systems

• If you have an exploited host without significant valuable data, but you’re unable to exploit a vulnerable border router.

• The border router is a far more valuable target than the host and should therefore be displayed before the exploited host

(68)

Detailed report

• Never falsify data or reuse proof-of-concepts

• Provide proof-of-concepts screenshots for exploits • Include mitigating actions addressing the issue/

vulnerability at hand

• Vital part of the report

• Helps with repeat business

• When pentest ends up with no vulns

• Raw output of tools will provide the intel of your report

(69)

Raw output

• The technical details and raw output from each of the tools used

• Problem 1: Raw output could be several hundred pages • Problem 2: Could reveal the nature of the pentest and

the trade secrets of the pentesting, especially when using custom code/tools

• Could be as simple as outputting the out from tools

• Be sure to create reference point to be used in the detailed report

• Decides wether to include the output as a stand-alone report

(70)

Next Step

• Master the basic information and techniques previously described • Move on to more advanced tasks

• Create custom tools/code and harder tasks • Learn the tools of the trade

• Join forums, groups and fellow comrades to • OWASP, BackTrack, InfraGuard

• Join security conferences • DefCon, BlackHat

• Diving into specialized areas of PenTesting

• Check out syngresses catalog of specific topics • Check out boot-camps; expensive, but worth it

• Education: NSA-accredited Center if Academic Excellence • Check out PenTesting methodologies

(71)

Other stuff

(72)

WiFi Physical pentesting Other tools Setting up pentest lab

(73)

WiFi

• Check out the “aircrack-ng” suite

• Needs the use of Atheros wifi card • Check out other tools

• Kismet, netstumbler,

(74)

Physical pentesting

• Read the book No-Tech Hacking by Johnny Long • Superb information on physical pentesting

• How to crack million dollar systems for 10$ • Lockpicking

• Check out TOOOL

• DealExtreme has cheap lockpicks and exercise material

• Spyshop.no has lockpicks too, but expensive and has the same quality

(75)

Other tools

• Wireshark

• EtterCap

• AngryIP Scanner

• Maltego

• TrueCrypt

• nMap

• BackTracker

(76)

Setting up pentest lab

• Check out the guide in

• Metasploit: The Penetration Testers

Guide

• The Basics of Hacking and

penetration testing

(77)

References

Related documents