Basic Expectations and Performance Hacking is illegal and should not be performed. This presentation does not condone or approve of hacking in any way. Penetration Testing is an agreed form of audit between two parties and should be bound in writing defining the scope and nature of what is to be audited. This presentation is solely for academic and educational purposes only. Initial planning of the audit External Scanning/Footprinting Internal Scanning Vulnerability Assessment John the Ripper usage Metasploit basics Post-audit reporting Type of audit to assess security of a system Provides feedback to the stakeholder what their security posture is like Enumerates weaknesses and gives countermeasures/suggestions to strengthen Penetration Test may be included in a scheduled audit or independently May be announced or unannounced Define the scope Decide who will perform the audit ▪ Conflict of interest ▪ Non-trusted party Ensure the scope is clearly understood by both parties Understand what the auditors are capable of testing Certified? As the client negotiating, remain in control Get bids- Gives a good comparison of prices Understand your responsibility to the client Your access/attempted access will be privileged Try to be as non-invasive as possible unless given permission Sometimes a proof-of-concept is all that’s needed The client expects a report. Ensure deliverables are agreed on Business is at stake, know when to begin Remember that this is an audit and that every activity must be documented External activity is not exempt from documentation. Keep a mindset as if you were collecting evidence Prepare your tools ▪ Run updates on your software ▪ Pack extra batteries Planning is crucial for every step taken Plan to meet Plan for introductions Plan for the surprise attacks Plan for the unexpected Plan to introduce presence to the unsuspecting ▪ In cases of unannounced audits, special actions may need to have preparations in case caught or blown cover Port scanning from the internet is simple Need the public IP Address for the company Run a port scanner (NMAP) with options and discover what port are open. If a known port is found, scripts are good at discovering the security state of that port. Scripts that are available online can be a huge threat since anyone can use them. Look at email traces. Provides IP Addresses to mail servers IP Addresses can lead to more destinations on the internet for scanning and profiling Down side IP Addresses can lead to web hosted email services Sometimes the PTR’s can lead to a host with a robust firewall as a dead end. Web site can give good information when looking for emails, executives, and technical staff. Excellent for social engineering attempts. If there are interactive web pages, further research can uncover exploitable items (XSS,web injections, or simple valid queries) Depends on the scope and plan Performing undercover scans and testing is best done before introducing to the unsuspecting. Good time to also social engineer, test policies, and scan wireless Test policies for information control Use kismet or other wireless scanner After presence is known, ensure the IT staff knows what type of testing will be performed, expectations of event logs, and NOT to adjust security posture during the audit. Survey the network in any case whether you know the network diagram or are blind testing Scans include all devices on the network, their Operating System, open ports, and services running If feasible, look for open access ports to the network in discreet areas. Ideal for placing your own wireless access points Try the low hanging fruit Check network places and shared drives for unrestricted access. ▪ Copy machines may have onboard hard drives with file sharing ▪ Users may know enough to be dangerous sharing folders Network scanner Identifies devices and Operating Systems More quiet than pinging devices Uses the REQ,ACK,SYN for communications Returns open ports and has options for more stealthy operations on a sensitive network Nessus Free for personal use Linux can use apt-get Windows can download Requires registration before usage openVAS Spin off of Nessus http://www.openvas.org/ Enumerates vulnerabilities per device Web GUI provides easy usage and real-time enumerations Works with Metasploit to provide a scan and attempt at known vulnerabilities Requires database for saving Nessus scans Use the “Search” in Metasploit to find modules relating to scans to begin probing Offline password cracker Used on SAM dumps, LANMAN, most types of password hashes Can also be used to generate mangled wordlists for uses with other tools. Know the how to write rules in john.conf file Output file can be in a txt format Remember the john.pots file Online password cracking Great for dictionary attacks (wordlists) Best if used on known open ports Wordlists can be found online and mangled with JTR for more complex P@55w0rds! Read any precautionary comments before starting. Some exploits could cause damage to databases or resources costing your client money Try not to use client’s network to do quick research, it could contaminate results Advise IT staff of certain network loading tests and log expectations Ask, when in doubt if a critical resource is discovered vulnerable, about exploiting Proof-of-concept may be all that is needed Metasploit is an open source platform supports vulnerability research exploit development creation of custom security tools Included in BackTrack distributions Recommend intense training to master Metasploitable VM download Known vulnerability occurs in victim Related exploit is set in Metasploit Options are configured for the victim Payloads are viewed and selected Payloads are what the attacker wishes to happen Exploit occurs causing the victim process to crash Payload is triggered Metasploit offers much more than the scope of this presentation Fuzzing protocols like IMAP and TFTP ▪ Writing fuzzers can become the first step to creating new exploits ▪ Good for protocols on the network that have no known module Password sniffing on the wire Creating backdoors to maintain access Check for any open activities Confer with IT staff that all network activity is normal Ensure all documentation is collected Generate documentation of all work performed Official audit report to the client Should incorporate summaries, details, and exhibits Include screenshots and pictures taken Describe details of each action and what threat it presents In most cases, a brief presentation to client and selected staff will be performed Include most significant threats discovered and solutions Emphasize the impact of all negative findings to the business Include positive notes where security was solid Audit report is a confidential document to the client It is an official report that will be integrated into reports of other audits for that client Use encryption if delivering by email Exercise infosec in all cases regardless of method used for communications Be thorough, use passive writing, use pictures Instill confidence in your client and yourself Know your capabilities and limits, personally and legally Perform a thorough audit documenting as you go Sharpen and research tools Deliver solid feedback and suggestions http://www.offensive-security.com/metasploitunleashed/Main_Page http://www.openwall.com/john/ http://www.openwall.com/john/doc/RULES.sht ml http://thc.org/thc-hydra/ http://www.foofus.net/~jmk/medusa/medusa.ht ml http://www.tenable.com/products/nessus http://nmap.org/ http://www.backtrack-linux.org/ https://www.owasp.org/index.php/Main_Page