Business of Penetration Testing

Basic Expectations and Performance

Disclaimer

Hacking is illegal and should not be performed. This presentation does not condone or approve of hacking in any way.

Penetration Testing is an agreed form of audit between two parties and should be bound in writing defining the scope and nature of what is to be audited.

This presentation is solely for academic and educational purposes only.

What will be covered

Initial planning of the audit External Scanning/Footprinting Internal Scanning Vulnerability Assessment John the Ripper usage Metasploit basics Post-audit reporting

What is Penetration Testing

Type of audit to assess security of a system

Provides feedback to the stakeholder what their security posture is like

Enumerates weaknesses and gives countermeasures/suggestions to strengthen

Planning an Audit

Penetration Test may be included in a scheduled audit or independently

May be announced or unannounced Define the scope Decide who will perform the audit

▪ Conflict of interest▪ Non-trusted party

Client-side Negotiations

Ensure the scope is clearly understood by both parties

Understand what the auditors are capable of testing Certified?

As the client negotiating, remain in control

Get bids- Gives a good comparison of prices

Auditor-side Negotiations

Understand your responsibility to the client

Your access/attempted access will be privileged

Try to be as non-invasive as possible unless given permission Sometimes a proof-of-concept is all

that’s needed The client expects a report. Ensure

deliverables are agreed on

Beginning the Audit

Business is at stake, know when to begin Remember that this is an audit and that

every activity must be documented External activity is not exempt from

documentation. Keep a mindset as if you were collecting

evidence Prepare your tools▪ Run updates on your software▪ Pack extra batteries

Logistical Planning

Planning is crucial for every step taken Plan to meet Plan for introductions Plan for the surprise attacks Plan for the unexpected

Plan to introduce presence to the unsuspecting▪ In cases of unannounced audits, special actions

may need to have preparations in case caught or blown cover

External Port Scanning

Port scanning from the internet is simple Need the public IP Address for the

company Run a port scanner (NMAP) with options

and discover what port are open. If a known port is found, scripts are

good at discovering the security state of that port. Scripts that are available online can be a

huge threat since anyone can use them.

Email Tracing

Look at email traces. Provides IP Addresses to mail servers IP Addresses can lead to more

destinations on the internet for scanning and profiling

Down side IP Addresses can lead to web hosted

email services Sometimes the PTR’s can lead to a host

with a robust firewall as a dead end.

Web Site Profiling

Web site can give good information when looking for emails, executives, and technical staff.

Excellent for social engineering attempts.

If there are interactive web pages, further research can uncover exploitable items (XSS,web injections, or simple valid queries)

Internal Testing

Depends on the scope and plan Performing undercover scans and

testing is best done before introducing to the unsuspecting.

Good time to also social engineer, test policies, and scan wireless Test policies for information control Use kismet or other wireless scanner

Internal Testing

After presence is known, ensure the IT staff knows what type of testing will be performed, expectations of event logs, and NOT to adjust security posture during the audit.

Begin Scanning

Survey the network in any case whether you know the network diagram or are blind testing

Scans include all devices on the network, their Operating System, open ports, and services running

If feasible, look for open access ports to the network in discreet areas. Ideal for placing your own wireless

access points

Network Scans

Try the low hanging fruit Check network places and shared drives

for unrestricted access.▪ Copy machines may have onboard hard

drives with file sharing▪ Users may know enough to be dangerous

sharing folders

NMAP

Network scanner Identifies devices and Operating

Systems More quiet than pinging devices Uses the REQ,ACK,SYN for

communications Returns open ports and has options

for more stealthy operations on a sensitive network

Vulnerability Scanners

Nessus Free for personal use Linux can use apt-get Windows can download Requires registration before usage

openVAS Spin off of Nessus http://www.openvas.org/

Nessus

Enumerates vulnerabilities per device Web GUI provides easy usage and real-

time enumerations Works with Metasploit to provide a scan

and attempt at known vulnerabilities Requires database for saving Nessus scans

Use the “Search” in Metasploit to find modules relating to scans to begin probing

John the Ripper

Offline password cracker Used on SAM dumps, LANMAN, most

types of password hashes Can also be used to generate mangled

wordlists for uses with other tools. Know the how to write rules in john.conf

file Output file can be in a txt format Remember the john.pots file

Medusa or Hydra

Online password cracking Great for dictionary attacks

(wordlists) Best if used on known open ports Wordlists can be found online and

mangled with JTR for more complex P@55w0rds!

Pointers When Using Tools Read any precautionary comments before

starting. Some exploits could cause damage to databases or resources costing your client money

Try not to use client’s network to do quick research, it could contaminate results

Advise IT staff of certain network loading tests and log expectations

Ask, when in doubt if a critical resource is discovered vulnerable, about exploiting

Proof-of-concept may be all that is needed

Metasploit

Metasploit is an open source platform supports vulnerability research exploit development creation of custom security tools

Included in BackTrack distributions Recommend intense training to

master Metasploitable VM download

What is Happening...

Known vulnerability occurs in victim Related exploit is set in Metasploit Options are configured for the victim Payloads are viewed and selected

Payloads are what the attacker wishes to happen

Exploit occurs causing the victim process to crash

Payload is triggered

Pushing Greater Limits

Metasploit offers much more than the scope of this presentation Fuzzing protocols like IMAP and TFTP▪ Writing fuzzers can become the first step to

creating new exploits▪ Good for protocols on the network that have

no known module Password sniffing on the wire Creating backdoors to maintain access

Wrapping Up The Audit

Check for any open activities Confer with IT staff that all network

activity is normal Ensure all documentation is collected

Post-Audit

Generate documentation of all work performed Official audit report to the client Should incorporate summaries, details,

and exhibits Include screenshots and pictures taken Describe details of each action and what

threat it presents

Presentation

In most cases, a brief presentation to client and selected staff will be performed Include most significant threats

discovered and solutions Emphasize the impact of all negative

findings to the business Include positive notes where security

was solid

Post-Audit Report

Audit report is a confidential document to the client

It is an official report that will be integrated into reports of other audits for that client

Use encryption if delivering by email Exercise infosec in all cases regardless

of method used for communications Be thorough, use passive writing, use

pictures

In Conclusion

Instill confidence in your client and yourself

Know your capabilities and limits, personally and legally

Perform a thorough audit documenting as you go

Sharpen and research tools Deliver solid feedback and

suggestions

Questions

References & Research Sites

http://www.offensive-security.com/metasploit-unleashed/Main_Page

http://www.openwall.com/john/ http://www.openwall.com/john/doc/R

ULES.shtml http://thc.org/thc-hydra/ http://www.foofus.net/~jmk/medusa/

medusa.html http://www.tenable.com/products/ne

ssus http://nmap.org/ http://www.backtrack-linux.org/ https://www.owasp.org/index.php/Ma

in_Page