Penetration Testing

What is Penetration Testing? (AKA "Pentesting")
An attack on a computer system with the intention of finding security weaknesses.
Performed by sysadmins or trusted agents, with the system owner's authorization.

How is this different from hacking?
- "Black-hat hackers" violate computer security for malicious purposes or personal gain.
- "White-hat hackers" break security for non-malicious purposes, usually when performing authorized security tests.
- "Grey-hat hackers" rationalize that they are acting morally when they are not. E.g.: breaking into systems for fun, then emailing the sysadmin to tell them about the security hole.

What are the goals of Pentesting?
- Discover network or application vulnerabilities.
- Determine the feasibility of a particular set of attack vectors.
- Assess the magnitude of the business and operational impacts of a successful attack.
- Test the capability of network defenses.

Successful attacks against gov't computers, as reported to US-CERT (United States Computer Emergency Readiness Team)
Attempted attacks:
- Pentagon: 10,000,000 attempts each day
- National Nuclear Security Administration: 10,000,000/day
From the same document...
- Michigan: 120,000 attacks per day
- U.K.: 120,000 attacks per day
- Utah: 20,000,000 attacks each day
Multiple definitions of "attack" and "attempt"? (The headline says "successful attacks", the figures count "attempts".) Do not blindly believe any numbers you read.

5 Phases of a network attack
1. Reconnaissance
2. Scanning
3. Penetration
4. Covering Tracks
5. Maintaining Access
Pentesting generally focuses on steps 1-3.

Reconnaissance
Collecting data on the target passively. Multiple interpretations:
1. sending no electrons (no packets at all) to the target network, or
2. only sending packets through means that are normally authorized, such as reading the public website.
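The table of URL, IP and server name that this reconnaissance step produces (one nslookup per discovered host, plus the iterative Google "site:" query that excludes hosts already found) can be scripted. The following is an added example, not code from the slides: it resolves hostnames through the system resolver (socket.gethostbyname_ex), but accepts an injected resolver so it can run offline. The hostnames are the ones the slides look up; the demo answers are constructed from the slides' own table, and the "hosted elsewhere" check (a canonical name outside the target domain) is this example's addition.

```python
"""Passive reconnaissance: resolve a list of discovered hostnames into the
URL / IP / server-name table that the slides build by hand with nslookup.
Added example (not from the slides). Live lookups use the system resolver,
socket.gethostbyname_ex(); a resolver can be injected so the sweep can be
run offline, as demo_resolver() does below."""
import socket
from typing import Callable, Dict, List, Tuple

# (canonical name, aliases, IPv4 addresses): the tuple gethostbyname_ex returns.
Resolver = Callable[[str], Tuple[str, List[str], List[str]]]

# Constructed answers for offline use; values copied from the slides' table.
DEMO_ANSWERS = {
    "www.usna.edu": ("webster-new.dmz.usna.edu", ["www.usna.edu"], ["136.160.88.139"]),
    "libguides.usna.edu": ("libguides.com", ["libguides.usna.edu"], ["174.132.16.38"]),
    "aisweb.usna.edu": ("aeisenhower.dmz.usna.edu", ["aisweb.usna.edu"], ["136.160.88.133"]),
}


def demo_resolver(name: str):
    """Stand-in for socket.gethostbyname_ex that never touches the network."""
    try:
        return DEMO_ANSWERS[name]
    except KeyError:
        raise OSError("Name or service not known") from None


def next_site_query(domain: str, found: List[str]) -> str:
    """The iterative Google query from the slides: exclude every host already
    found so the next result page surfaces a different server."""
    return " ".join([f"site:{domain}"] + [f"-{h}" for h in found])


def resolve_host(name: str, resolver: Resolver = socket.gethostbyname_ex) -> Dict[str, str]:
    """One table row for `name`. Lookup failures are recorded in the row
    rather than raised, so one dead hostname does not abort the sweep."""
    try:
        canonical, _aliases, addresses = resolver(name)
    except OSError as exc:              # socket.gaierror is a subclass of OSError
        return {"url": name, "ip": "-", "server": f"lookup failed: {exc.args[-1]}"}
    return {"url": name, "ip": ", ".join(addresses), "server": canonical}


def build_host_table(names: List[str], resolver: Resolver = socket.gethostbyname_ex):
    return [resolve_host(n, resolver) for n in names]


def third_party_hosts(rows, domain: str):
    """Rows whose canonical name lies outside `domain`: a hosted service
    (libguides.com above), so probably outside the engagement's scope."""
    def inside(server: str) -> bool:
        return server == domain or server.endswith("." + domain)
    return [r for r in rows if r["ip"] != "-" and not inside(r["server"])]


def format_table(rows) -> str:
    cols = ("url", "ip", "server")
    widths = {k: max([len(k)] + [len(r[k]) for r in rows]) for k in cols}
    header = {"url": "URL", "ip": "IP", "server": "Server Name"}
    line = lambda r: "  ".join(r[k].ljust(widths[k]) for k in cols)
    return "\n".join([line(header)] + [line(r) for r in rows])


if __name__ == "__main__":
    import sys
    hosts = sys.argv[1:] or list(DEMO_ANSWERS)
    resolver = socket.gethostbyname_ex if sys.argv[1:] else demo_resolver
    rows = build_host_table(hosts, resolver)
    print(format_table(rows))
    print("next query:", next_site_query("usna.edu", [r["url"] for r in rows]))
    for r in third_party_hosts(rows, "usna.edu"):
        print("hosted elsewhere:", r["url"], "->", r["server"])
```

Run with no arguments to see the offline demo; pass hostnames on the command line to resolve them live. Even these lookups send queries to your DNS resolver, which is the second, looser, interpretation of "passive" above; they do not touch the target's web servers.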
Common means: Google, whois, nslookup.

Reconnaissance: whois and nslookup
  nslookup www.usna.edu                      -> IP address, server (canonical) name
  http://www.whois.net, search for usna.edu  -> physical address, names of sysadmins (people with root access), names/IPs of DNS servers

Reconnaissance: Google for URL prefixes (different servers)
  site:usna.edu
  site:usna.edu -www.usna.edu
  site:usna.edu -www.usna.edu -libguides.usna.edu
  ...
Each query excludes the hosts already found, so the next results surface another server name. Run nslookup to find the name/IP of each server:
  nslookup libguides.usna.edu
  nslookup aisweb.usna.edu

Reconnaissance: results
  URL                  IP              Server Name
  www.usna.edu         136.160.88.139  webster-new.dmz.usna.edu
  libguides.usna.edu   174.132.16.38   libguides.com
  aisweb.usna.edu      136.160.88.133  aeisenhower.dmz.usna.edu
  library.usna.edu     136.160.88.140  library.usna.edu
  lists.usna.edu       136.160.89.10   lists.usna.edu
  ...
Note that libguides.usna.edu resolves to a third-party host (libguides.com) outside the USNA address space; a hosted service like that is outside a USNA pentest's scope unless the agreement says otherwise.

Exercise: In 10 minutes, find out as much as you can about the USMA network.

Scanning
Collecting data on the target by sending packets at it:
- Find the existence of hosts at IP addresses.
- Find open ports on hosts.
- Determine the versions of services on hosts.
- Determine the OS of each host.
Tends to be "noisy" (lots of packets) and may be construed as an attack. Never do this without written permission.

Scanning: nmap is the #1 scanning tool ("Network Mapper")
1. Host Discovery
  nmap -sn 10.10.1.0/24    # Determine which IPs are online (ping scan, no port scan)
  Exercise: what messages does nmap send for this command?
  Answer: on the local Ethernet segment, ARP requests only. For hosts beyond the local segment, when run as root: an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request to each address; an unprivileged user gets a TCP connect() to ports 80 and 443 instead.
  nmap -sL 10.10.1.0/24    # List targets only
  Exercise: what messages does nmap send for this command?
  Answer: none to the targets themselves. nmap still does a reverse-DNS lookup of every address, so your DNS resolver (and, through it, whoever is authoritative for the reverse zone) sees queries; add -n to suppress them.

1. Host Discovery (cont): using extra ports in the ping scan
  nmap -sn -PS22-25 10.10.1.0/24    # TCP SYN ping to ports 22-25
  Exercise: what mechanism does nmap use for this command?
  Answer: ARP on the local segment (still preferred; --disable-arp-ping forces the SYN probes); otherwise a TCP SYN to each of ports 22-25. Either reply, SYN-ACK (port open) or RST (port closed), proves the host is up; no reply proves nothing.
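To make concrete what a TCP SYN ping (nmap -sn -PS22-25) actually puts on the wire, and why -sS style probes need raw sockets and therefore root, the following added example (not nmap's code) builds the IPv4 header and the TCP SYN segment by hand, including both Internet checksums, verifies them the way a receiving stack would, and classifies a reply with nmap's host-discovery rule. The source and target addresses, ports and sequence number are constructed sample values; send_syn_ping() is the only part that needs root and is not called by default.

```python
"""What a TCP SYN ping (nmap -sn -PS22-25) sends: IPv4 header + TCP SYN segment,
built and checksummed by hand. Added example, not nmap's own code; addresses and
ports are constructed sample values."""
import socket
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over `data` (zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, ident: int = 0x1234, ttl: int = 64) -> bytes:
    """20-byte IPv4 header for a TCP payload; checksum covers the header only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl,
                      socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def tcp_segment(src: str, dst: str, sport: int, dport: int, seq: int, flags: int, window: int = 1024) -> bytes:
    """20-byte TCP header with no options. The TCP checksum also covers a
    pseudo-header (src, dst, zero, protocol, TCP length) taken from the IP layer."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", internet_checksum(pseudo + hdr)) + hdr[18:]


def syn_ping_packets(src: str, dst: str, ports, sport: int = 54321, seq: int = 0x1000):
    """One IPv4+TCP SYN packet per probed port: what -PS22-25 sends to each
    host off the local segment (on the local segment nmap uses ARP instead)."""
    packets = []
    for dport in ports:
        seg = tcp_segment(src, dst, sport, dport, seq, TCP_SYN)
        packets.append(ipv4_header(src, dst, len(seg)) + seg)
    return packets


def verify_checksums(pkt: bytes) -> bool:
    """A receiver recomputes each checksum over the bytes *including* the stored
    checksum field; a valid packet yields 0 for both."""
    ip, tcp = pkt[:20], pkt[20:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    return internet_checksum(ip) == 0 and internet_checksum(pseudo + tcp) == 0


def host_is_up(reply_flags) -> bool:
    """nmap's rule for a SYN ping: any TCP answer, SYN/ACK (port open) or RST
    (port closed), proves a host is there; no answer (None) proves nothing,
    since the host may be down or a firewall may have dropped the probe."""
    if reply_flags is None:
        return False
    return bool(reply_flags & (TCP_RST | TCP_ACK))


def send_syn_ping(src: str, dst: str, ports) -> None:
    """Actually transmit the probes. Needs CAP_NET_RAW / root, exactly like
    nmap -PS; an unprivileged user gets PermissionError at socket creation."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)   # we supply the IP header
    try:
        for pkt in syn_ping_packets(src, dst, ports):
            sock.sendto(pkt, (dst, 0))
    finally:
        sock.close()


if __name__ == "__main__":
    for pkt in syn_ping_packets("10.10.1.5", "10.10.1.10", range(22, 26)):
        dport = struct.unpack("!H", pkt[22:24])[0]
        print(f"SYN -> port {dport:<3} {len(pkt)} bytes, checksums ok: {verify_checksums(pkt)}")
        print("  ", pkt.hex())
```

Run it as a normal user to see the four 40-byte probes in hex; only send_syn_ping() requires root. This is also why -sS is stealthier than -sT at the application layer but not at the network layer: every one of these packets is visible to a firewall or IDS in front of the host.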
2. Enumerate Open Ports
  less /usr/share/nmap/nmap-services    # List of ports & protocols, with how often each is found open
  nmap --top-ports 5 10.10.1.10         # Scan only the 5 most frequently open ports from that file
  nmap 10.10.1.10                        # TCP SYN scan (the default as root; same as -sS)
    # Half-open: sends a SYN; SYN-ACK back means open, RST back means closed.
    # nmap never sends the final ACK; the OS kernel answers the SYN-ACK with a Reset.
    # Stealthier, since the application never sees a connection and does not log it
    # (firewalls and IDS still see every packet), but many half-open connections can consume the target's resources.
    # Needs raw sockets, i.e. root; without root nmap falls back to -sT.

2. Enumerate Open Ports (cont)
  nmap -sT 10.10.1.10    # TCP Connect scan
    # Full handshake: SYN / SYN-ACK / ACK, then a Reset to tear it down.
    # Gets logged by the application; less likely to crash the target server.
  nmap -sA 10.10.1.10    # TCP ACK scan
    # Sends an ACK for a connection the host is not tracking.
    # An unfiltered host replies with a Reset whether the port is open or closed;
    # no reply (or an ICMP unreachable) means a firewall filtered the probe.
    # So the ACK scan maps firewall rules; it does not tell you which ports are open.

3. Version detection
  nmap -sV 10.10.1.10    # Enables service versioning: connects to each open port and matches banners/probe responses

4. OS detection
  nmap -O 10.10.1.10                  # Enables OS detection (TCP/IP stack fingerprinting; works best with at least one open and one closed TCP port)
  nmap -O --osscan-guess 10.10.1.10   # Report near matches when there is no exact fingerprint match
  nmap -O --fuzzy 10.10.1.10          # Same as --osscan-guess

Pentest admin
- Signed agreement: the "get out of jail free card". Never send any electrons (packets) to the target network without one.
- Scope: range of IPs, type of tests, etc.
- Damage control
- Indemnification
- In-house vs. outsourced
- Trust? Can a sysadmin reasonably pentest their own network?
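The scope in the signed agreement (which IP ranges, which types of test) is something a tester should enforce in code before the first packet leaves, and the scan results above are easier to report from nmap's XML output than from its screen output. The following added example (not nmap's code) does both: it refuses targets and scan types outside a constructed scope, builds the nmap command line for steps 2-3, and parses an nmap -oX report into a host/port/service table. The scope values and the sample XML are constructed for illustration; on an engagement the scope comes from the agreement and the XML from nmap -oX report.xml.

```python
"""Scope gate and report parser for the nmap scans above. Added example, not
nmap's own code. SCOPE and SAMPLE_XML are constructed for illustration."""
import ipaddress
import subprocess
import xml.etree.ElementTree as ET

# Constructed scope of the kind the agreement specifies. OS detection (-O) is
# deliberately absent: an example of a test type the client did not authorize.
SCOPE = {
    "networks": ["10.10.1.0/24"],
    "scan_types": {"-sS", "-sT", "-sV"},
}


class OutOfScope(Exception):
    """Raised before a single packet is sent outside the agreement."""


def check_targets(targets, scope=SCOPE):
    """Accept single hosts (10.10.1.10) or ranges (10.10.1.0/25) only if each
    lies entirely inside a network named in the agreement."""
    allowed = [ipaddress.ip_network(n) for n in scope["networks"]]
    bad = [t for t in targets
           if not any(ipaddress.ip_network(t, strict=False).subnet_of(net) for net in allowed)]
    if bad:
        raise OutOfScope(f"not covered by the agreement: {bad}")
    return list(targets)


def nmap_command(targets, scan_type="-sS", top_ports=100, report="report.xml", scope=SCOPE):
    """Command line for an in-scope port scan, e.g. nmap -sS --top-ports 100 -oX report.xml 10.10.1.10"""
    if scan_type not in scope["scan_types"]:
        raise OutOfScope(f"scan type {scan_type} not permitted by the agreement")
    return ["nmap", scan_type, "--top-ports", str(top_ports), "-oX", report, *check_targets(targets, scope)]


def run_scan(targets, **kw):
    """Run nmap (root needed for -sS) and return the parsed report."""
    subprocess.run(nmap_command(targets, **kw), check=True)
    with open(kw.get("report", "report.xml")) as f:
        return parse_nmap_xml(f.read())


# Constructed nmap -oX output in the shape real reports have (not a real scan).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV --top-ports 5 -oX report.xml 10.10.1.10">
<host><status state="up" reason="arp-response"/>
<address addr="10.10.1.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.4.52"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
<port protocol="tcp" portid="23"><state state="filtered" reason="no-response"/><service name="telnet"/></port>
</ports></host>
<host><status state="down" reason="no-response"/><address addr="10.10.1.11" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """{ip: [port rows]} for every host nmap reported up. 'reason' records the
    packet that decided the state (syn-ack / reset / no-response), which is
    exactly the SYN-scan logic described above."""
    results = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        rows = []
        for port in host.findall("ports/port"):
            state, svc = port.find("state"), port.find("service")
            product = (svc.get("product"), svc.get("version")) if svc is not None else ()
            rows.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": svc.get("name") if svc is not None else "",
                "version": " ".join(v for v in product if v),
            })
        results[addr] = rows
    return results


def open_ports(results, addr):
    return sorted(r["port"] for r in results[addr] if r["state"] == "open")


if __name__ == "__main__":
    print(" ".join(nmap_command(["10.10.1.10"], top_ports=5)))
    for addr, rows in parse_nmap_xml(SAMPLE_XML).items():
        print(addr, "open:", open_ports(parse_nmap_xml(SAMPLE_XML), addr))
        for r in rows:
            print(f"  {r['port']:>5}/{r['proto']}  {r['state']:<8} ({r['reason']})  {r['service']} {r['version']}")
```

Running it prints the command line and the parsed sample table without touching the network; run_scan() is the only function that executes nmap. The scope check is deliberately strict (a /25 range is accepted only because the agreement names the enclosing /24) so that a typo in a target list fails loudly rather than scanning someone else's network.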