Ethical Hacking and
Penetration Testing
Review of the
Chptr 2
Definition Active vs. passive Stage 1 Stage 2 Active tools Passive tools DNS E-mail server Social Engineering Practicing reconnaissance
Definition
• Recconoissance
• Information Gathering
• Must be equal parts; Hacker, Social Engineer and Private Investigator
Active vs. passive
• Active rec. interacts with the target • Passive does not
• Use search engine, cached sites, phone
books, written material, public info on the web, etc.
• Be careful of the tools you use
Stage 1
• Search public information • Goal 1: Gather intel
• Goal 2: Sort and analyze the intel • ID services in the network
• Generate list of attackable IPs • ID personell/Employees
• Phone, Email, Soc.Med., tax records • ID physical layout
Stage 1
• Locate targets website(“active”) • Review closely
• HTTrack the site for offline viewing • Higly active interaction with target
• Look for; location, phone, email, srvices, hours of operation, business relation, employees,
Soc.Med, news, RSS-feed, job listing
Stage 1
• Passive rec. of target in search engine • Check out cached websites
• Find old, discarded and erased information
• Reduce footprints
• Passive as long as you don’t click on the links • Follow strategic key personell on Soc.Med.
Stage 2
• Review the recovered intel • Create
• Separate lists of all IP-addresses, e-mails, host names, and URLs
• Separate list of employees and information • Separate list of services running on the
Active Tools
• HTTrack: mirror site
• nslookup: queries DNS-servers for stored IP/ host mappings
• dig: Easy to perform a DNS zone transfer
• MetaGooFil: extract metadata from files, could be used for offline scanning too
Passive tools
• Search Engines: google, yahoo
• theHarvester: use search engines and to gather email, subdomains and user names
• Whois: gqet IP-address, hostnames og DNS, contact info. Check out the info in the referred URL.
• netCraft: Searches it’s stored information for info. on a URL.
• host: translate host-name to IP-address and vice versa
DNS
• Like finding a bluebprint to the system • Enumerate all IP-addresses
• DNS servers function for syncing is a zone transfer. DNS sends all host/IP mappings to another server.
E-mail server
• Contains significant pieces of information • Send a mail which will be rejected and
examine the corresponding
• Internet Header gives: IP-address, software vers. and brand of e-mail server
• The returned message gives: Antivirus used to scan the mail
Social Engineering
• Make people reveal information “willingly” • Physical contact, phishing, social interaction,
Practicing
recconnaissance
• Find a newspaper and choose an unknown corporate initiative
• Start performin PASSIVE recconnaissance • Use search engines
• Try SEAT(Search Engine Assessment Tool) • Try Google Hacking Database
Chptr 3
Overview Stage 1 Stage 2 Stage 3 Ping And Ping Sweeps Port Scanning Vulnerability Scanning Practising Port Scanning
Stages of scanning
• Stage 1:• Determine if the system is alive • Poor reliability
• Stage 2:
• Port/service scan the system
• Find open/vulnerable services and ports on the system • Stage 3:
• Scan the system for vulnerabilities • ID vulnerable services and hosts
Stage 1
• Determine if the system is turned on • Determine if the system is capable of
communication with our host
Stage 2
• Port scanning
• Ports are a way for services to communicate with HW
• Scan the host list for ports • ID running services
Stage 3
• Vulnerability scanning
• Locate and ID known vulnerabilities in the services running on a target machine
• Begin by scanning the perimiter devices
• The intel gathered is from perimiter hosts • Not allways possible to gain internal access
• Conquer a perimiter device, then jump to internal host
Ping and Ping Sweep
• Ping
• ICMP Echo packet
• Tells if the host is up and running, may not reply anyway
• Ping sweep
• Automatic sending ICMP echo packets to a range of hosts to see which is up
Port Scanning
• ID which ports and services is available • Port range: 0 - 65.535, either TCP or UDP • Determine purpose of the host
• Creates a packet and send it to the hosts port
• Different type of port scans can produce different results • nMap or its GUI, “zenMap”
• -sT TCP scan: Completes the TCP hanshake
• -sS SYN scan: Faster only completes 2/3 of the TCP handshake • -sU UDP scan: Send a UDP packet to the host, slow but needed • Xmas scan: Scans for RFC-documented vulnereabilities and
loopholes
Vulnerability scanning
• Scan hosts for vulnerabilities on dedicated ports
• Nessus
Practicing
port scanning
• Set up a virtual machine network
• One BT5 and one Damn Vulnerable Linux, WinXP SP2/SP1 without upgrades
• Work through the scanning techniques in the book
• Work through the vulnerability scanning • Try other tools for port scanning and
Chptr 4
Definition Medusa Metasploit John The Ripper Password resetting Network sniffing macof; MAC flooding Fast-track autopawn Practice
Definition
• Process of gaining control over a system
• You need to expand the knowledge of systems and exploits when you’re becoming more
experienced
Medusa
• Pay attention to remote access
• SSH, Telnet, FTP, PC Anywhere, VNC
• Brute force uname/passwd gathered from recon • Medusa and Hydra; learn Hydra too
• Medusa
• Parallell brute force
• Cracks login of remote services: AFP, FTP, HTTP, IMAP, MySQL, POP3, SMTP-AUTH, SNMP, SSHv2, Telnet, VNC, Web Forum, and more
Metasploit
• Based on an exploit framework
• Structured to develop and launch exploits • Exploits: Functions to exploit vulns.
• Payloads: Tasks to do upon a successfull exploit
• General use
• Decide target -> Select exploit -> Choose payload -> Exploit
Metasploit
• Select target based on Nessus output
• Search metasploit for specific vulnerabilities
• Select corresponding exploit with high rank/dependability • Set parameters for exploits
• View payloads • Select payload
• Set parameters • Run exploitation
Metasploit
payload
• Bind: Sends an exploit, and makes connection to the target
• Reverse: Sends an exploit, and forces the target to connect back to the attacker
• Meterpreter: Provides a powerful command line shell that can interact with their target.
• Runs with privileges of the exploited process • A complete shell with powerful features
John The Ripper
• Password/Hash cracking
• Speed depends on algorithm
• Escalating privileges with higher accounts • Cracking
• Select hashing alg. • Select plaintext word
• Encrypt the plaintext using hashing alg. • Brute force or dictionary
• Compare generated hash with retrieved hash • If equal you have found the password
John The Ripper
• SAM password file, Windows • Cracking
• Shut down the host
• Boot into BT5 and mount local HD
• Go to the “C:/windows/sytem32/config” folder • Use Samdump2 to extract the hashes
• Samdump2 uses the file “system” to decrypt and return the password hashes
• Upload cracked file to an available location • Utilize John to crack the passwords
John The Ripper
• LM hashes(Lan Manager) • Microsoft Windows
• Utilized by SamDump2
• Not casesensitive, it converts all chars to upper case before hashing
• LM passwords is 14 chars
• if under 14 chars it is appended with NULL values
John The Ripper
• shadow password file
• Linux password hashes
• “/etc/passwd” and “/etc/shadow” • ./unshadow function extracts the hashes • Crack hashes with John
Password Resetting
• Used instead of password cracking • Sets off alarms
• People will know you where there when their password doesn’t work
• Blanks out the passwords in the password file • No restoration of original passwords
Password resetting
• Get physical access to host • Re-boot into BT5
• Mount local HDs
• Run the chntpw program in “/pentest/passwords/ chntpw”
• Follow the menu driven interface for changing a users password
• When password is cleared, reboot into original OS
Network sniffing
• Capturing and viewing packets transmitted on the network • Promiscuous mode
• The NIC must be set to promiscuous
• Accepts all packets that arrives to the NIC • Non-Promiscuous mode
• Default mode for NIC
• Passes only on traffic sent to the NIC • WLAN-sniffinge
• Monitor mode
• Captures all packets captured by the NIC • Managed mode
Macof, MAC flooding
• Switches
• Limited MAC-address storage
• Fails “open” by default when flooded • “open”: Sends the packet to everyone • “closed”: Causes DOS-attack
• macof
• Generates packets with different MAC-addresses • Floods the network
• Easily detectable
Fas-track autopown
• Nuke the hosts based on IP-address(es), built on Metasploit
• Automates the process of of finding vulnerabilities and match exploits • Should lead to multiple shells
Practice
• Set up a virtual pentest lab
• BT5, metasploitable, WinXP SP1/SP2, Linux Ubuntu 9.04/8.04, Damn Vulnerable Linux • Test the different topics discussed
• Start with a known vulnerable host to not be discouraged when trying exploitation
Chptr 5
Nikto WebSecurify Spidering: WebScarab InterceptioN: WebScarab Code Injection XSS Practice
Nikto
• Web server vulnerability scanner
• Out-of-date/missing patches and dangerous files
• Command Line tool
• Use Nikto when open ports on 80 or 443 is found
WebSecurify
• Automates web vulnerability scanning • GUI-app
Spidering: WebScarab
• WebScarab
• A modular framework and expandable with plug-ins
• A program which catalogs the target website and finds links, files, etc.
Interception: WebScarab
• Proxy server feature
• Intercept data via the proxy
• Set up WebScarab with proxy feature • Switch to Intercept tab
• All requests will be stopped before you allow them to pass
• Change its integrity or view its content between targets
Code Injection
• Many types • SQL-injection
• Inject variables which alter the original SQL-query
• Add, delete or view information in the DB • Comment signs: #,
XSS
• Injection scripts into the web-app
• Stored on the website everyone is attacked • JavaScript
• Use input fields input scripts • Forms, login, etc
Practice
• Test all softwares in described
• Download OWASPs WebGoat project
• Vulnerable web server
• Install on a virtual machine
• Command line server interface • Misconfigured and exploitable
• Access the WebGoat from browser on http://<IP>: 8080/webgoat/attack
Chptr 6
Maintaining Access with Backdoors and Rootkits
Definition NetCat CryptCat Netbus Rootkits Hacker Defender (Rootkit) Detect/Defend againsT Rootkits
Definition
• Backdoor:
• Piece of software that resides on the target host which allows the attacker to reconnect at will
NetCat
• Allows communication between hosts • listen, send, transmit files between hosts
• Can be set to listen for connection from the attacker and auto-run on boot
• Does not respond when transactions is finished • Use NetCat to interact with unknown open ports • NetCat can be binded with existing processes
CryptCat
• NetCat transmits info in clear text
• CryptCat transmits encrypted info with twofish
Netbus
• The server is installed on the target
• The client connects to the server and controls it
Rootkits
• Stealthy and wast amount of possibillities • Uploaded to system after exploitation
• Used for hiding files and programs and main backdoor accesss
hacker Defender
(rootkit)
• Three main files
• Hxdef100.exe: Runs the program on the target
• Hxdef100.ini: config file for the program by setting parameters in this file
• bdcli100.exe: Runs the program on the attackers computer
Detect/Defend against
Rootkits
• Steps
• Monitor intel put online
• Config FWall and other ACL • Patch the system
• Install and use antivirus SW • Make use of IDS
• Installing RK requires admin-privs and it will open ports • Disable admin-privs for users
• Monitor network traffic against a correct baseline • Run port scans
Practice
• Learn setting up NetCat connections between computers
• Binding to processes, and so on • Sending files
• On multiple OS-es
• Making it start on boot
Chptr 7
Report writing Exec Summary Detailed Report Raw output Next step Wrap up
Report writing
• One of the most critical tasks in Pentesting • The face of your work and reputation
• Showcase results and your talent • Good report takes practice
• Report is broken into several pieces • Makes up a complete report
• Every piece should work as a stand-alone report • Includes at minimum; Exec sum, detailed report
Report writing
• Distribute the report securely as a digital document • May require instructing the employers
• Clearly label the sections
• Front page and table of contents • Each page header and footer • Each section, part
• Emphasize the fact that the pentest was only wiable at the time of testing
• Write, check, edit, re-read and finalize the report • Sanitize tool output for comments by hackers
Exec summary
• Brief overview of the major findings in a high-level fashion • Absolute maximum size is two pages
• Only highlights of the penetration test • Exploitable vulnerabilities
• Describe how the impact affects the business functionality • Reference the technical aspects of the exploit/vulnerability • No technical details or terminology
• Written for the employers/executive officers
• Basically your grandmother should be able to understand what happened under the pentest
Detailed report
• Comprehensive list of all findings and technical details • For each finding refer to technical output
• Audience is IT-managers, sec.experts, net.admin, and other with significant tech. skills
• Used to fix the issues presented in the report
• Order vulnerabilities, descendingly, by which poses the most danger to the network/system
• Some tools provides default ranking systems
• If you have an exploited host without significant valuable data, but you’re unable to exploit a vulnerable border router.
• The border router is a far more valuable target than the host and should therefore be displayed before the exploited host
Detailed report
• Never falsify data or reuse proof-of-concepts
• Provide proof-of-concepts screenshots for exploits • Include mitigating actions addressing the issue/
vulnerability at hand
• Vital part of the report
• Helps with repeat business
• When pentest ends up with no vulns
• Raw output of tools will provide the intel of your report
Raw output
• The technical details and raw output from each of the tools used
• Problem 1: Raw output could be several hundred pages • Problem 2: Could reveal the nature of the pentest and
the trade secrets of the pentesting, especially when using custom code/tools
• Could be as simple as outputting the out from tools
• Be sure to create reference point to be used in the detailed report
• Decides wether to include the output as a stand-alone report
Next Step
• Master the basic information and techniques previously described • Move on to more advanced tasks
• Create custom tools/code and harder tasks • Learn the tools of the trade
• Join forums, groups and fellow comrades to • OWASP, BackTrack, InfraGuard
• Join security conferences • DefCon, BlackHat
• Diving into specialized areas of PenTesting
• Check out syngresses catalog of specific topics • Check out boot-camps; expensive, but worth it
• Education: NSA-accredited Center if Academic Excellence • Check out PenTesting methodologies
Other stuff
WiFi Physical pentesting Other tools Setting up pentest lab
WiFi
• Check out the “aircrack-ng” suite
• Needs the use of Atheros wifi card • Check out other tools
• Kismet, netstumbler,
Physical pentesting
• Read the book No-Tech Hacking by Johnny Long • Superb information on physical pentesting
• How to crack million dollar systems for 10$ • Lockpicking
• Check out TOOOL
• DealExtreme has cheap lockpicks and exercise material
• Spyshop.no has lockpicks too, but expensive and has the same quality