1 / 32

B usiness of Penetration Testing

Basic Expectations and Performance. B usiness of Penetration Testing. Disclaimer. Hacking is illegal and should not be performed. This presentation does not condone or approve of hacking in any way.

annis
Télécharger la présentation

B usiness of Penetration Testing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Basic Expectations and Performance Business of Penetration Testing

  2. Disclaimer • Hacking is illegal and should not be performed. This presentation does not condone or approve of hacking in any way. • Penetration Testing is an agreed form of audit between two parties and should be bound in writing defining the scope and nature of what is to be audited. • This presentation is solely for academic and educational purposes only.

  3. What will be covered • Initial planning of the audit • External Scanning/Footprinting • Internal Scanning • Vulnerability Assessment • John the Ripper usage • Metasploit basics • Post-audit reporting

  4. What is Penetration Testing • Type of audit to assess security of a system • Provides feedback to the stakeholder what their security posture is like • Enumerates weaknesses and gives countermeasures/suggestions to strengthen

  5. Planning an Audit • Penetration Test may be included in a scheduled audit or independently • May be announced or unannounced • Define the scope • Decide who will perform the audit • Conflict of interest • Non-trusted party

  6. Client-side Negotiations • Ensure the scope is clearly understood by both parties • Understand what the auditors are capable of testing • Certified? • As the client negotiating, remain in control • Get bids- Gives a good comparison of prices

  7. Auditor-side Negotiations • Understand your responsibility to the client • Your access/attempted access will be privileged • Try to be as non-invasive as possible unless given permission • Sometimes a proof-of-concept is all that’s needed • The client expects a report. Ensure deliverables are agreed on

  8. Beginning the Audit • Business is at stake, know when to begin • Remember that this is an audit and that every activity must be documented • External activity is not exempt from documentation. • Keep a mindset as if you were collecting evidence • Prepare your tools • Run updates on your software • Pack extra batteries

  9. Logistical Planning • Planning is crucial for every step taken • Plan to meet • Plan for introductions • Plan for the surprise attacks • Plan for the unexpected • Plan to introduce presence to the unsuspecting • In cases of unannounced audits, special actions may need to have preparations in case caught or blown cover

  10. External Port Scanning • Port scanning from the internet is simple • Need the public IP Address for the company • Run a port scanner (NMAP) with options and discover what port are open. • If a known port is found, scripts are good at discovering the security state of that port. • Scripts that are available online can be a huge threat since anyone can use them.

  11. Email Tracing • Look at email traces. • Provides IP Addresses to mail servers • IP Addresses can lead to more destinations on the internet for scanning and profiling • Down side • IP Addresses can lead to web hosted email services • Sometimes the PTR’s can lead to a host with a robust firewall as a dead end.

  12. Web Site Profiling • Web site can give good information when looking for emails, executives, and technical staff. • Excellent for social engineering attempts. • If there are interactive web pages, further research can uncover exploitable items (XSS,web injections, or simple valid queries)

  13. Internal Testing • Depends on the scope and plan • Performing undercover scans and testing is best done before introducing to the unsuspecting. • Good time to also social engineer, test policies, and scan wireless • Test policies for information control • Use kismet or other wireless scanner

  14. Internal Testing • After presence is known, ensure the IT staff knows what type of testing will be performed, expectations of event logs, and NOT to adjust security posture during the audit.

  15. Begin Scanning • Survey the network in any case whether you know the network diagram or are blind testing • Scans include all devices on the network, their Operating System, open ports, and services running • If feasible, look for open access ports to the network in discreet areas. • Ideal for placing your own wireless access points

  16. Network Scans • Try the low hanging fruit • Check network places and shared drives for unrestricted access. • Copy machines may have onboard hard drives with file sharing • Users may know enough to be dangerous sharing folders

  17. NMAP • Network scanner • Identifies devices and Operating Systems • More quiet than pinging devices • Uses the REQ,ACK,SYN for communications • Returns open ports and has options for more stealthy operations on a sensitive network

  18. Vulnerability Scanners • Nessus • Free for personal use • Linux can use apt-get • Windows can download • Requires registration before usage • openVAS • Spin off of Nessus • http://www.openvas.org/

  19. Nessus • Enumerates vulnerabilities per device • Web GUI provides easy usage and real-time enumerations • Works with Metasploit to provide a scan and attempt at known vulnerabilities • Requires database for saving Nessus scans • Use the “Search” in Metasploit to find modules relating to scans to begin probing

  20. John the Ripper • Offline password cracker • Used on SAM dumps, LANMAN, most types of password hashes • Can also be used to generate mangled wordlists for uses with other tools. • Know the how to write rules in john.conf file • Output file can be in a txt format • Remember the john.pots file

  21. Medusa or Hydra • Online password cracking • Great for dictionary attacks (wordlists) • Best if used on known open ports • Wordlists can be found online and mangled with JTR for more complex P@55w0rds!

  22. Pointers When Using Tools • Read any precautionary comments before starting. Some exploits could cause damage to databases or resources costing your client money • Try not to use client’s network to do quick research, it could contaminate results • Advise IT staff of certain network loading tests and log expectations • Ask, when in doubt if a critical resource is discovered vulnerable, about exploiting • Proof-of-concept may be all that is needed

  23. Metasploit • Metasploit is an open source platform • supports vulnerability research • exploit development • creation of custom security tools • Included in BackTrack distributions • Recommend intense training to master • Metasploitable VM download

  24. What is Happening... • Known vulnerability occurs in victim • Related exploit is set in Metasploit • Options are configured for the victim • Payloads are viewed and selected • Payloads are what the attacker wishes to happen • Exploit occurs causing the victim process to crash • Payload is triggered

  25. Pushing Greater Limits • Metasploit offers much more than the scope of this presentation • Fuzzing protocols like IMAP and TFTP • Writing fuzzers can become the first step to creating new exploits • Good for protocols on the network that have no known module • Password sniffing on the wire • Creating backdoors to maintain access

  26. Wrapping Up The Audit • Check for any open activities • Confer with IT staff that all network activity is normal • Ensure all documentation is collected

  27. Post-Audit • Generate documentation of all work performed • Official audit report to the client • Should incorporate summaries, details, and exhibits • Include screenshots and pictures taken • Describe details of each action and what threat it presents

  28. Presentation • In most cases, a brief presentation to client and selected staff will be performed • Include most significant threats discovered and solutions • Emphasize the impact of all negative findings to the business • Include positive notes where security was solid

  29. Post-Audit Report • Audit report is a confidential document to the client • It is an official report that will be integrated into reports of other audits for that client • Use encryption if delivering by email • Exercise infosec in all cases regardless of method used for communications • Be thorough, use passive writing, use pictures

  30. In Conclusion • Instill confidence in your client and yourself • Know your capabilities and limits, personally and legally • Perform a thorough audit documenting as you go • Sharpen and research tools • Deliver solid feedback and suggestions

  31. Questions

  32. References & Research Sites • http://www.offensive-security.com/metasploit-unleashed/Main_Page • http://www.openwall.com/john/ • http://www.openwall.com/john/doc/RULES.shtml • http://thc.org/thc-hydra/ • http://www.foofus.net/~jmk/medusa/medusa.html • http://www.tenable.com/products/nessus • http://nmap.org/ • http://www.backtrack-linux.org/ • https://www.owasp.org/index.php/Main_Page

More Related