Penetration Testing Basics: A presentation of The Internet Storm Center, The SANS Institute and The GIAC Certification Program
About Me: Rick Wanner B.Sc. I.S.P.
Presentation Overview
The Internet Storm Center
We want your logs!
SANS Training and GIAC Certifications
Today’s Cyber Threats
The Internet
The Need for Information Security
Security Outlook
Penetration Testing
Generalized Attack Methodology
Penetration Testing Method
Preparation
Reconnaissance
Reconnaissance (2)
Reconnaissance (3) - Netcraft
Reconnaissance (4) - Netcraft
Scanning
Nmap
Nmap Book
Nmap - Reconnaissance
Nmap - Discovery
Nmap - Targeted
Vulnerability Scanner
Commercial Vulnerability Scanners: Rapid7 NeXpose, GFI LANguard, eEye Retina Network
Application Attacks
Cross-Site Scripting
Yahoo's HotJobs site vulnerable to cross-site scripting attack (Dan Kaplan, October 27 2008)
Cross-Site Request Forgery (XSRF)
SQL Injection
Preventing Web Application Attacks
Nikto
Nikto (2)
Nikto – Simple Scan
Nikto (3)
Nikto – Multiple Hosts Scan
Commercial Web Scanners: IBM Rational AppScan, HP Webinspect, Cenzic Hailstorm
Exploitation
Metasploit
Metasploit
Exploitation Demo
Commercial Tools
Analysis
Reporting
Presentation Summary
Special Tuition Offer: Because you attended this session, we are offering you 10% discount on tuition for our upcoming Critical infrastructure course in Calgary
COMMUNITY SANS
Community SANS in Calgary. Please use: Discount Code: COINS10, Discount: 10%
COMMUNITY SANS in REGINA
One CPE Credit
THANK YOU!!!!
SANS/GIAC Overview
SANS Training and GIAC Certifications
SANS and GIAC Guiding Principles
How SANS and GIAC Are Different From Other Training/Certifications
GIAC Certification
Top 3 Reasons to Earn Your GIAC Certification
What Certified People Say?
GIAC Certifications. For a complete list of GIAC Certifications: http://www.giac.org/certifications/roadmap.php
Free Resources
Thank You! Questions: [email_address] [email_address]

Editor's Notes

  1. Welcome to Penetration Testing Basics presented by the SANS Institute and GIAC Certifications. Penetration Testing Basics is designed to be an informative presentation for those in IT with an interest in IT security. Security is only as good as the person implementing it, so make sure you and your team have the knowledge and expertise needed to ensure the security of your organization’s vital data and systems.
  2. Just me. Feel free to contact me if you have questions. I will endeavour to help.
  3. LiOn worm of 2001 From http://isc.sans.org/about.html ISC History and Overview The ISC was created in 2001 following the successful detection, analysis, and widespread warning of the Li0n worm. Today, the ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. On March 22, 2001, intrusion detection sensors around the globe logged an increase in the number of probes to port 53 – the port that supports the Domain Name Service. Over a period of a few hours, more and more probes to port 53 were arriving - first from dozens and then from hundreds of attacking machines. Within an hour of the first report, several analysts, all of whom were fully qualified as SANS GIAC certified intrusion detection experts, agreed that a global security incident was underway. They immediately sent a notice to a global community of technically savvy security practitioners asking them to check their systems to see whether they had experienced an attack. Within three hours a system administrator in the Netherlands responded that some of his machines had been infected, and he sent the first copy of the worm code to the analysts. The analysts determined what damage the worm did and how it did it, and then they developed a computer program to determine which computers had been infected. They tested the program in multiple sites and they also let the FBI know of the attack. Just fourteen hours after the spike in port 53 traffic was first noticed, the analysts were able to send an alert to 200,000 people warning them of the attack in progress, telling them where to get the program to check their machines, and advising what to do to avoid the worm. The Li0n worm event demonstrated what the community acting together can do to respond to broad-based malicious attacks. 
Most importantly, it demonstrated the value of sharing intrusion detection logs in real time. Only in the regional and global aggregates was the attack obvious. The technology, people, and networks that found the Li0n worm were all part of the SANS Institute's Consensus Incident Database (CID) project that had been monitoring global Internet traffic since November 2000. CID’s contribution the night of March 22 was sufficient to earn it a new title: the SANS Internet Storm Center. Today the Internet Storm Center gathers millions of intrusion detection log entries every day, from sensors covering over 500,000 IP addresses in over 50 countries. It is rapidly expanding in a quest to do a better job of finding new storms faster, identifying the sites that are used for attacks, and providing authoritative data on the types of attacks that are being mounted against computers in various industries and regions around the globe. The Internet Storm Center is a free service to the Internet community. The work is supported by the SANS Institute from tuition paid by students attending SANS security education programs. Volunteer incident handlers donate their valuable time to analyze detects and anomalies, and post a daily diary of their analysis and thoughts on the Storm Center web site. Behind the Internet Storm Center The ISC relies on an all-volunteer effort to detect problems, analyze the threat, and disseminate both technical as well as procedural information to the general public. Thousands of sensors that work with most firewalls, intrusion detection systems, home broadband devices, and nearly all operating systems are constantly collecting information about unwanted traffic arriving from the Internet. These devices feed the DShield database where human volunteers as well as machines pour through the data looking for abnormal trends and behavior. 
The resulting analysis is posted to the ISC's main web page where it can be automatically retrieved by simple scripts or can be viewed in near real time by any Internet user. In many ways, the ISC parallels the data collection, analysis, and warning system used by weather forecasters. For example, the National Weather Service uses small sensors in as many places as possible to report pressure, wind speed, precipitation and other data electronically to regional weather stations. These local stations provide technical support to maintain the sensors, and they summarize and map the sensor data and display it for local meteorologists. They also forward the summarized data to national weather center or transnational weather analysis centers. If analysts are available to monitor the data, they can provide early warnings of storms in their areas. The national and transnational weather analysis centers summarize and map all the regional data to provide an overall picture of the weather. They monitor the data constantly looking for early evidence of major storms and can provide early warnings whenever possible. Likewise, the Internet Storm Center uses small software tools to send intrusion detection and firewall logs (after removing identifying information) to the DShield distributed intrusion detection system. The ISC's volunteer incident handlers monitor the constantly changing database to provide early warnings to the community of major new security threats. The ISC also provides feedback to participating analysis centers comparing their attack profiles to those of other centers, and provides notices to ISPs of IP addresses that are being used in widespread attacks. The ISC maintains a very popular daily diary of incident handler’s notes, and can generate custom global summary reports for any Internet user. The value of the Internet Storm Center is maximized when the sensors are collecting data on attacks touching all corners of the Internet. 
Because of the vastness of cyberspace it is impossible to instrument the entire Internet. Instead, samples are taken in as many diverse places as possible to create an accurate representation of current Internet activity. Many ISC users send their log data directly to the ISC databases without going through an organizational or local analysis and coordination center. Several large organizations have expressed interest in mirroring the ISC's distributed intrusion detection system, placing sensors at the edges and within their networks to provide early detection of anomalous behavior. Early Warning: In addition to hundreds of users who monitor the ISC's website and provide some of the best early warnings, the ISC is supported by a core team of expert volunteer incident handlers, making it a virtual organization composed of the top tier of intrusion detection analysts from around the globe. The all-volunteer team monitors the data flowing into the database using automated analysis and graphical visualization tools and searches for activity that corresponds with broad-based attacks. They report their findings to the Internet community through the ISC main web site, directly to ISPs, and via general postings and emails to newsgroups or public information sharing forums. The team determines whether a possible attack is real and whether it is worth follow-up action. If so, the team can request an immediate email to the 100,000 subscribers to the SANS Security Alert Consensus - an alerting service used primarily by very advanced security-conscious system and network administrators and analysts. The email would ask for data and code from anyone who has hard evidence of the attack.
Once the attack is fully understood, the team determines the level of priority to place on the threat, whether to make a general announcement or simply post it, and whether to get core Internet backbone providers involved so they may consider cutting off traffic to and from sites that may be involved in the attacks. The ISC maintains a private web site and private reports for each reporting site. Reports include lists of the most recent attacks along with the indications of how many other sites the attackers have targeted, the severity of each attack, and background data about why attackers target specific ports. The web page helps the reporting site manage its intrusion data and keeps track of attacks. Users can show the results of submissions in a variety of formats including columnar data or pie charts. Data can also be exported in formats usable in other data visualization programs.
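The observation that the port 53 spike was obvious only in the regional and global aggregates can be shown with a small added example (not ISC or DShield code). The records are constructed, and the sensor names, record layout and alert threshold are assumptions.

```python
from collections import defaultdict

SENSORS = ["sensor-a", "sensor-b", "sensor-c", "sensor-d"]  # hypothetical names


def build_sample():
    """Constructed records (hour, sensor, source_ip, dest_port); not real data."""
    records = []
    for hour in range(6):
        for i, sensor in enumerate(SENSORS):
            # Background noise every hour: two familiar scanners plus web traffic.
            records.append((hour, sensor, "192.0.2.10", 53))
            records.append((hour, sensor, "192.0.2.11", 53))
            records.append((hour, sensor, f"198.51.100.{i}", 80))
            # Hours 4 and 5: each sensor sees a few sources no other sensor sees.
            for j in range({4: 2, 5: 4}.get(hour, 0)):
                records.append(
                    (hour, sensor, f"203.0.113.{hour * 40 + i * 5 + j}", 53))
    return records


def distinct_sources(records, port, by_sensor=False):
    """Map hour, or (hour, sensor), to the set of source IPs probing `port`."""
    seen = defaultdict(set)
    for hour, sensor, src, dport in records:
        if dport == port:
            seen[(hour, sensor) if by_sensor else hour].add(src)
    return seen


def spike_hours(counts, baseline_hours, factor=3.0, min_sources=5):
    """Hours whose distinct-source count exceeds factor x the baseline mean."""
    base = [counts.get(h, 0) for h in baseline_hours]
    mean = sum(base) / len(base) if base else 0.0
    threshold = max(factor * mean, min_sources)
    return sorted(h for h, c in counts.items()
                  if h not in baseline_hours and c > threshold)


def analyze(records, port=53, baseline_hours=(0, 1, 2, 3)):
    """Run the same spike test on pooled data and on each sensor alone."""
    baseline = set(baseline_hours)
    pooled = {h: len(s) for h, s in distinct_sources(records, port).items()}
    per_sensor = defaultdict(dict)
    for (h, sensor), s in distinct_sources(records, port, True).items():
        per_sensor[sensor][h] = len(s)
    return {
        "pooled_counts": pooled,
        "pooled_alerts": spike_hours(pooled, baseline),
        "sensor_alerts": {n: spike_hours(c, baseline)
                          for n, c in per_sensor.items()},
    }


if __name__ == "__main__":
    result = analyze(build_sample())
    print("pooled distinct sources per hour:", result["pooled_counts"])
    print("pooled alert hours:", result["pooled_alerts"])
    print("per-sensor alert hours:", result["sensor_alerts"])
```

Each sensor alone stays at or under the threshold, while the pooled count of distinct sources crosses it in both later hours.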
  4. Why choose SANS courses and GIAC certifications? SANS Institute is the leading training organization for system administration, audit, network, and security. GIAC (Global Information Assurance Certification) provides certification that validates the skills of security professionals.
  5. Timeline:
     1970’s to mid-80’s: digital phone switches, blue boxes (Steve Wozniak and Steve Jobs, Apple founders)
     1980’s: birth of Arpanet, Bitnet, CANet
     1988: Morris Worm, which leveraged vulnerabilities in sendmail, finger, rsh, and weak passwords
     1990’s: hacker groups (The L0pht / L0pht Heavy Industries, Cult of the Dead Cow, Masters of Deception, Legion of Doom)
     2000+: decade of the worm (Melissa, ILOVEYOU, Witty)
     2001: Summer of Hell, blended threats: Code Red (July 13), Code Red II (August 4), Nimda (September 18)
     Motivated by knowledge, achievement, mischief. Relatively low tech, clumsy attacks.
     2008: Conficker/Downadup: data gathering, blended threat; email addresses, SSN, credit card numbers, health card numbers, accounts, passwords; phishing
     Cyber threats are growing at an alarming rate. Although the Internet was once a ‘safe place’, this is no longer the case (and hasn’t been for quite some time).
  6. The Internet is just a large community of individuals. Like any other community, most people are law-abiding citizens. Like any other city, a small portion of the population is willing to break the law. Like any city, there are good neighbourhoods and bad neighbourhoods. The difference is that good neighbourhoods and bad neighbourhoods are only separated by a maximum of 150 milliseconds. To protect yourself in the city you live in, you put locks on your doors and windows, install alarms, and don’t let people in unless you know them or think you understand their motives. Yet for some reason, when we put a computer and application on the Internet, we are oblivious to the risks: we don’t lock the doors and windows, and we expect the criminals to stay out. The population of the Internet is approximately 1.5 billion people. If even 0.1% of them have evil intentions, that is 1.5 million evildoers.
  7. Strong IT Security skills benefit everyone (except the bad guys). Being made an example of by a hacker is one of the worst things that can happen. Being owned is learning the hard way.
  8. Every day your organization’s vital information systems are coming under attack. Make sure you and your team have the knowledge necessary to prevent, detect, and resolve the threats and incidents that could result in loss of money, integrity, confidentiality, and availability.
  9. The bad guys are checking out your network. If your controls are working, then it shouldn’t be a problem...should it? The goal of penetration testing is to test your security controls from an attacker’s point of view.
  10. This is a generalized attack methodology used by an attacker. It begins with determining as much as possible about a company by researching publicly available sources to see what can be learned; this is called reconnaissance. During the reconnaissance phase the attacker does not need to touch your network. The second phase is usually scanning. This is where the attacker starts poking at your network to see what he can see: what servers and apps you are showing to the world. Once he has found a potential target, the attacker will attempt to exploit any potential vulnerabilities to gain a toehold in your network. If he can gain purchase on your network, he will usually try to ensure he can maintain access and get in whenever he wants through the use of backdoors, trojans, zombie processes or some other method. Then the skilled attacker will attempt to cover his tracks so you cannot detect his presence in your systems. He will endeavour to do this through modification of log files, installation of rootkits, removal of logins, and other methods.
  11. Penetration testing closely mirrors the attacker’s methodology. The goal of the penetration test is to find the weak points in your defenses, document them, and hopefully fix them before an attacker can take advantage of them, so the tail end of the process involves analyzing and reporting on any issues you detect.
  12. The preparation stage is probably the most critical. This is when you need to define the parameters of the penetration test. What machines and services are in scope and which are out of scope? Who will do what? Are there any machines which must be avoided at all costs? How will we measure success? How long should the Penetration Testing project take and when will the work be done? The most important consideration is documented permission. Once you have determined all the parameters of the Pen Test, summarize it in one or two pages and have it signed by someone with authority to approve it, and by all means, if the scope needs to expand, have it re-signed. Don’t skip getting permission. More than a few security people have found themselves in serious trouble for unapproved security testing.
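One way to make the signed scope enforceable before any tool runs, as an added example that is not part of the original presentation: every target must sit inside an approved range, must not touch a must-avoid host, and the test must fall inside the agreed window. The class, field names, addresses and dates are constructed assumptions.

```python
import ipaddress
from datetime import datetime


class Scope:
    """Machine-readable copy of the signed scope document (hypothetical layout)."""

    def __init__(self, in_scope, excluded, window_start, window_end, approved_by):
        self.allow = [ipaddress.ip_network(c) for c in in_scope]
        self.deny = [ipaddress.ip_network(c) for c in excluded]
        self.window_start = window_start
        self.window_end = window_end
        self.approved_by = approved_by  # signer named on the permission document

    def check_target(self, target):
        """Return (allowed, reason) for one IP address or CIDR range."""
        if not self.approved_by:
            return False, "no documented approval on file"
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            # Hostnames can resolve differently over time: review them by hand.
            return False, "not an IP or CIDR; resolve and review by hand"
        for d in self.deny:
            # A range is refused if any part of it touches a must-avoid host.
            if net.version == d.version and net.overlaps(d):
                return False, f"overlaps excluded range {d}"
        for a in self.allow:
            # The whole target must fit inside one approved range.
            if net.version == a.version and net.subnet_of(a):
                return True, f"inside approved range {a}"
        return False, "outside every approved range"

    def authorize(self, targets, now):
        """Check every target; nothing is allowed outside the agreed window."""
        in_window = self.window_start <= now <= self.window_end
        results = {}
        for t in targets:
            allowed, reason = self.check_target(t)
            if allowed and not in_window:
                allowed, reason = False, "outside the agreed testing window"
            results[t] = (allowed, reason)
        return results


# Constructed sample scope: one approved /24 with one host that must be avoided.
SAMPLE_SCOPE = Scope(
    in_scope=["10.0.5.0/24"],
    excluded=["10.0.5.10/32"],
    window_start=datetime(2009, 1, 10, 22, 0),
    window_end=datetime(2009, 1, 11, 4, 0),
    approved_by="signer name (placeholder)",
)

if __name__ == "__main__":
    targets = ["10.0.5.20", "10.0.5.10", "10.0.5.0/24", "10.0.6.1",
               "www.example.com"]
    verdicts = SAMPLE_SCOPE.authorize(targets, datetime(2009, 1, 10, 23, 30))
    for target, (ok, why) in verdicts.items():
        print(f"{target:18} {'ALLOW' if ok else 'DENY '} {why}")
```

Scanning the whole approved /24 is refused here because it contains the excluded host, which is the case a hand-typed target list most easily gets wrong.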
  13. List scan:
      nmap -sL <Address>
      nmap -sL www.telus.net/24
      nmap -sL 205.206.163.16/24
  14. To do a basic discovery scan in nmap:
      nmap --top-ports 20 <address>
      nmap --top-ports 20 192.168.1.0/24
      -F is the fast scan; it scans the top 100 TCP and UDP ports.
  15. nmap --top-ports 20 -A <host>
      nmap --top-ports 20 -A 192.168.1.200
      -A is the equivalent of -O (OS detection) and -sV (version and application detection), as well as script scanning and traceroute.
      Top TCP: 80, 23, 443, 21, 22, 25, 3389 (RDP), 110 (POP), 445, 139, 143 (IMAP)

      Starting Nmap 4.76 ( http://nmap.org ) at 2008-10-30 13:21 Canada Central Standard Time
      Interesting ports on 192.168.1.200:
      PORT     STATE  SERVICE      VERSION
      21/tcp   closed ftp
      22/tcp   closed ssh
      23/tcp   closed telnet
      25/tcp   closed smtp
      53/tcp   closed domain
      80/tcp   open   http         Apache httpd 2.2.6 ((Fedora))
      |_ HTML title: Rick Wanner's Web Page</title> <META NAME="description" CONTE...
      110/tcp  closed pop3
      111/tcp  open   rpcbind
      | rpcinfo:
      | 100000 2 111/udp rpcbind
      | 100024 1 834/udp status
      | 100000 2 111/tcp rpcbind
      |_ 100024 1 837/tcp status
      135/tcp  closed msrpc
      139/tcp  closed netbios-ssn
      143/tcp  closed imap
      443/tcp  open   ssl/http     Apache httpd 2.2.6 ((Fedora))
      |_ HTML title: Rick Wanner's Web Page</title> <META NAME="description" CONTE...
      445/tcp  closed microsoft-ds
      993/tcp  closed imaps
      995/tcp  closed pop3s
      1723/tcp closed pptp
      3306/tcp open   mysql        MySQL (unauthorized)
      3389/tcp closed ms-term-serv
      5900/tcp closed vnc
      8080/tcp closed http-proxy
      MAC Address: 00:48:54:8B:EB:B0 (Unknown)
      Device type: general purpose
      Running: Linux 2.6.X
      OS details: Linux 2.6.9 - 2.6.25
      Network Distance: 1 hop
      OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
      Nmap done: 1 IP address (1 host up) scanned in 23.23 seconds
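Scan output like the listing above becomes useful once it is compared with what is supposed to be exposed. The following added example (not part of the original presentation) parses the normal text output and reports open ports missing from an approved baseline. The embedded sample is a shortened copy of the listing, and the baseline of 80 and 443 is an assumption.

```python
import re

# Shortened copy of the scan output shown above, embedded so this runs offline.
SAMPLE_OUTPUT = """\
Interesting ports on 192.168.1.200:
PORT     STATE  SERVICE      VERSION
22/tcp   closed ssh
80/tcp   open   http         Apache httpd 2.2.6 ((Fedora))
111/tcp  open   rpcbind
| rpcinfo:
| 100000 2 111/udp rpcbind
|_ 100024 1 837/tcp status
443/tcp  open   ssl/http     Apache httpd 2.2.6 ((Fedora))
3306/tcp open   mysql        MySQL (unauthorized)
3389/tcp closed ms-term-serv
"""

# Older releases print "Interesting ports on", newer ones "Nmap scan report for".
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for)\s+(.+?):?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Return {host: [port records]} from nmap's normal text output."""
    hosts = {}
    current = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        host = HOST_RE.match(line)
        if host:
            current = host.group(1)
            hosts.setdefault(current, [])
            continue
        # Script output lines start with "|" and never match the port pattern.
        port = PORT_RE.match(line)
        if port:
            hosts.setdefault(current, []).append({
                "port": int(port.group(1)),
                "proto": port.group(2),
                "state": port.group(3),
                "service": port.group(4),
                "version": port.group(5).strip(),
            })
    return hosts


def unexpected_open(hosts, baseline):
    """List (host, port, proto, service, version) for open ports not in baseline."""
    findings = []
    for host, ports in hosts.items():
        for p in ports:
            if p["state"] == "open" and (p["port"], p["proto"]) not in baseline:
                findings.append(
                    (host, p["port"], p["proto"], p["service"], p["version"]))
    return sorted(findings)


# Assumed baseline: only the web ports are approved for this host.
APPROVED = {(80, "tcp"), (443, "tcp")}

if __name__ == "__main__":
    for finding in unexpected_open(parse_nmap(SAMPLE_OUTPUT), APPROVED):
        print("not in baseline:", finding)
```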
  16. The fact is that the bad guys aren’t stupid. If anything, they are getting smarter. We’ve deployed all these layers of security around our network, but we have to draw the line somewhere. You have to leave some ports open so you can actually do business. Stretching the house analogy well beyond where we should… You’ve locked all the doors and windows, set the alarm, but the dog still needs to go in and out of the doggy door.
  17. From scmagazineus.com - http://www.scmagazineus.com/Yahoos-HotJobs-site-vulnerable-to-cross-site-scripting-attack/PrintArticle/120008/
  18. Attacks like SQL Injection truly demonstrate the need for a defense in depth strategy. Think about how web servers are set up at your organization. The system itself likely sits within the segment of a network that is Internet accessible. If you have done your due diligence, it is up to date with the most recent security patches and only the HTTP (80) and HTTPS (443) ports are open through the firewall. There are many layers of defense in this typical scenario, but none of them protect your organization against SQL Injection. A typical SQL Injection attack is demonstrated in this video. It runs over ports allowed through the firewall (80, 443) into a DMZ and doesn’t attempt to exploit any weaknesses that can be fixed with an operating system or web server patch. On many occasions, the SSL communications actually make network IDS and sniffers blind to the attack, since it rides an encrypted channel straight to the web server. The demonstrated attacks will be used to bypass authentication and gain access to unauthorized data. How can we protect ourselves against these attacks? As we see, typical defense in depth isn’t enough and the attacker has the advantage; this entire exploit was performed with a standard web browser. Further security must be implemented within the software development lifecycle. Application developers must perform proper validation on all incoming input to ensure malicious commands are not being executed by remote users. Additional controls, such as a web application firewall, log monitoring, and event correlation software, may be implemented in addition to improved development practices. Open Web Application Security Project: http://www.owasp.org/
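The development-side fix can be shown with a login check written two ways, as an added example that is not the code from the video or the presentation: the first builds the SQL text from user input, the second passes input as bound parameters. The table, account and inputs are constructed for the demonstration.

```python
import hashlib
import hmac
import sqlite3


def _hash(password, salt=b"constructed-demo-salt"):
    # Fixed salt only so the demo is reproducible; use a random per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000).hex()


def make_db():
    """In-memory database with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
               "username TEXT UNIQUE, pw_hash TEXT)")
    db.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
               ("alice", _hash("correct horse")))
    db.commit()
    return db


def login_vulnerable(db, username, password):
    # The 'before': input is concatenated into the SQL text, so a quote in the
    # username changes the structure of the statement itself.
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + _hash(password) + "'")
    return db.execute(sql).fetchone() is not None


def login_hardened(db, username, password):
    # The 'after': the statement is fixed and input travels as bound data.
    row = db.execute("SELECT pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison of the stored and computed hashes.
    return hmac.compare_digest(row[0], _hash(password))


def compare(username, password):
    """Return (vulnerable_result, hardened_result) for one login attempt."""
    db = make_db()
    try:
        weak = login_vulnerable(db, username, password)
    except sqlite3.Error:
        weak = "sql error"  # malformed input broke the concatenated statement
    return weak, login_hardened(db, username, password)


if __name__ == "__main__":
    attempts = [("alice", "correct horse"),   # valid credentials
                ("alice", "wrong"),           # wrong password
                ("alice' --", "anything"),    # comment truncates the WHERE clause
                ("o'brien", "anything")]      # harmless name with a quote
    for user, pw in attempts:
        print(f"{user!r:14} vulnerable={compare(user, pw)[0]!s:10} "
              f"hardened={compare(user, pw)[1]}")
```

The same four inputs make a useful regression test for any login path: the hardened function must return False for the last three and must never raise.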
  19. # ./msfconsole - start Metasploit
      msf > use windows/dcerpc/ms03_026_dcom - the exploit to use. This is an older Windows RPC vulnerability.
      msf > setg PAYLOAD windows/exec - if the exploit succeeds, try to execute something remotely.
      msf > setg CMD nc -L -p 80 cmd.exe - this is the command to be executed. In this case, start a netcat listener on port 80.
      msf > setg RHOST 192.168.0.2 - this is the host to be attacked.
      msf > exploit - execute the attack.
  20. The lessons in defense in depth, configuration management, and malicious code can all be applied to this next demonstration. An attacker performs a quick port scan of your network range and discovers a pair of Windows systems. The first system is chosen for attack, and the attacker launches the Metasploit exploitation framework. A common Windows exploit is selected and Metasploit is configured to open up a listening command shell on the vulnerable system. Once the exploit is launched, the attacker connects to the back door and issues a command. If the attacker found the listening port to be blocked by a firewall, another exploit could be used to initiate an outbound command shell effectively bypassing the controls. This attack would not be possible if proper patch management procedures were in place and followed. Many organizations have patch management solutions, but sometimes systems slide through the cracks or legacy software does not support the latest service pack leaving the entire system vulnerable. Firewalls won’t always protect systems against exploitation as some ports must remain open for functionality purposes. The ease of exploitation can be shocking if you haven’t seen this type of demonstration before. It takes little effort to perform (or even automate) this attack. This exploit was used in the Blaster worm in 2003 that infected machines all over the world. All it takes is one accessible vulnerable system or one rogue infected laptop to bring a devastating worm or exploit into your organization.
  21. The only commercial exploitation framework that I know of is Core Impact. As with most of these tools the big difference over the open-sourced version is the reporting capabilities, although Core is a fair bit easier to use than Metasploit.
  22. Think about your audience. In most cases they will be Executives who don’t give a hoot that you compromised a Solaris 8.0 box using a box cutter and two pieces of twine. What they care about is what it means to the corporation. The best type of report for this audience uses a risk-based approach and describes what the root causes of the failures are and how they should be addressed. Usually it is best to write your recommendations citing standards or best practices as the basis for your recommendations. I usually like to write 2 reports in one, each with two sections:
      Executive Summary (1 page maximum)
      Executive Report (3-5 pages maximum)
      Technical Summary (3-5 pages maximum)
      Detailed Technical Report ( ???? Pages)
  24. Education and Community are the guiding principles of SANS and of GIAC. SANS’ goal for a number of years has been to provide the best technical training, delivered by the best instructors. In this, we have a proven track record. Many of the core SANS courses now form the basis of the GIAC certification program. In the past, our efforts have focused on “live” classroom training at conferences. While this provides an excellent educational forum, it limits us in both time (how often we can offer courses) and space (seating limitations). Another difference between SANS/GIAC and other programs is that SANS and GIAC are constantly evolving. SANS courses and GIAC objectives are not static – and therefore they don’t become dated. Information security (like technology in general) is a rapidly changing field. Our material is revised on an ongoing basis – generally, every few months. Student feedback and new technical developments lead to new consensus on best practices, which are incorporated into GIAC material through instructor revisions…and the cycle begins again. Courses are revised, exams updated to reflect new material, new practical assignments developed to build on earlier research. GIAC continues to raise the bar, setting new standards for excellence. In addition, GIAC has a very strong community focus. One of GIAC’s primary goals is to continually advance the defensive state of practice of information security. We do this not only through education, but also by sharing our research with others so that they too can continue to learn. Community consensus drives our curriculum and shapes the future direction of the program. Public disclosure on our web site – through GIAC and www.incidents.org, through consensus documents, through the research of GIAC certified professionals – provides free public information and education.
  25. SANS and GIAC constantly update course and certification information to keep you on top of current threats and vulnerabilities. We use real-world, hands-on scenarios. While tools are an important part of the IT security toolbox, we teach you actual skills so you don’t have to rely on a tool. The SANS Promise - You will be able to apply our information security training the day you get back to the office.
  26. GIAC offers a series of certification levels to assess the different degrees of knowledge mastery a student possesses in specific subject areas. Early in 2005, GIAC announced a major shift: a written practical assignment was no longer required to obtain any GIAC Certification. All of the base GIAC certifications assess knowledge through online multiple choice exams, and they assess industry standard practices and scenario based knowledge. The current GIAC exam system assesses a wider range of material than the original written practical. Students who scored at least 70 on their exams for their certification have earned GIAC SILVER. Please note that SANS Technology Institute students must score an 80 or above to receive STI credit. Those students who have earned a GIAC certification and want to take their learning to the next level have the option to apply for GIAC Gold. GIAC Gold requires the candidate to research and write a technical report based on a specific aspect of the core certification that would benefit the info-sec community. Students attempting GIAC Gold will have an advisor to work with throughout the development of their project. The GIAC Platinum series is the top of the line certification. The platinum level requires multiple GIAC certifications in a specific discipline and involves many days of additional testing. The platinum series ensures that an individual is a true subject area expert.
  27. GIAC certifications verify that an individual has a working understanding of a specific Information Security discipline. GIAC certified individuals prove on a day-to-day basis that they can secure systems and apply the knowledge they purport to possess. Would you want someone without a driver’s license behind the wheel of your new car? The more qualified security professionals there are, the better protected our Internet neighborhoods become. It is much like having more police officers watching over us, or at the very least a really strong Neighborhood Watch group. Our “neighborhood” is worldwide, so we need a lot of qualified “police officers” to do the job right. Increased recognition of the importance of computer and information security in general and a growing recognition of the quality of the GIAC program have led to prominent recognition. Many large companies and government agencies (for example: State Farm, National Security Agency, Northrop Grumman, Symantec, and Department of Energy) now request or require GIAC certification for new job candidates. US Department of Defense directive 8570 is an enterprise-wide program to train, certify, and manage the DoD Information Assurance (IA) workforce, requiring technicians and managers to be trained and certified to a DoD baseline requirement. GIAC certifications serve as a benchmark for five out of the six defined job levels within the DoD 8570 program. In addition to personal benefit, a certification is also a manager’s tool. First, it is a way to verify the time and money you have invested in an employee’s education; your employee can walk away with something tangible to show for it. Second, it is a way for a new manager to know that an employee is capable because they have the credentials to show they know what they are talking about.
  29. GIAC has been an industry leader in information security certifications for years. The number of certifications has grown with the demands of students, new threats and new technologies. Each GIAC certification is designed to stand on its own, and represents a certified individual's mastery of a particular set of knowledge and skills. There is no particular "order" in which GIAC certifications must be earned; though we recommend that candidates master lower level concepts before moving on to more advanced topics.
  30. SANS and GIAC offer a variety of free resources readily available on the web.
      The Internet Storm Center, or ISC, provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers.
      Top 15 Malicious Spyware Actions - Spyware authors have ramped up their malicious code to invade users' privacy at unprecedented levels. The list on this page describes some of the most malicious activities of today's spyware, illustrating the need for solid antispyware defenses.
      SANS Security Policy Samples – a consensus research project of the SANS community. The ultimate goal of the project is to offer everything you need for rapid development and implementation of information security policies.
      The Internet Guide to Popular Resources on Information Security is an FAQ providing answers to common information requests about computer security and links to additional reading.
      More FAQs – You will also find FAQs regarding intrusion detection and malware.
      SCORE is a community of security professionals from a wide range of organizations and backgrounds working to develop consensus regarding minimum standards and best practice information, essentially acting as the research engine for CIS.
      Security Tool White Papers - A collection of White Papers to help you research and find the security tools that best fit your needs.
      Glossary of Security Terms – A comprehensive list of terms used in computer security and intrusion detection.
  31. Thanks for coming. We hope you have gained some valuable information from this presentation. Please let us know if you have any questions about SANS training or GIAC certifications. And do not forget to sign up for your free GIAC assessment!