
Security Penetration Testing

Angela Davis, Mrinmoy Ghosh

ECE4112 – Internetwork Security, Georgia Institute of Technology


Agenda

• Introduction to penetration testing

• Lab scenario

• Lab setup

• New Additions

• Conclusions


Penetration Testing

• Actively assess network security measures

• Possibly reduce costs by uncovering vulnerabilities before suffering consequences.

• Black box vs. white box

• External vs. internal


Lab Scenario

Mission: You have been hired by Acme & Burdell to attempt to break into their network.

Acme & Burdell has allowed you to break into their network throughout dead week. However, the network admins at Acme & Burdell cannot agree on a single setup for their network, so they change their network setup every two days. If you want to break in, you’ll have to do it within a couple of days. Are you ready?


Steps Involved

• Reconnaissance (find the target IP address)

• Vulnerability Scanning

• Choosing a target and getting in

• Maintaining Access (look for backdoors)

• Cracking Passwords

• Alternate ways to get in


Reconnaissance

• You are given the web address: www.acmeandburdell.com

• Find the IP address of the web address

• Use the tools from the course to find out more about the A&B network


Vulnerability Scanning

• Use your favorite network scanner(s) to scan the IP address range for potential holes

• Document the services running and look for suspicious ports


Choosing a Target and an Attack

• Based on the results of scanning, choose a vulnerable target. Be sure to do a full port range scan on the target machine: by default, Nmap scans only its list of commonly used ports (about 1,000 of them), so a service listening on an unusual port will not show up without one.

• Choose an attack to execute on the target. The network scan may not give complete information about how you may attack; you may have to try different attacks learned in class before you succeed. Be creative and reference previous labs for hints!
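As an added illustration of the scanning and documentation steps above (this script is not part of the lab handout), the following Python parses Nmap grepable (-oG) output, flags open ports the client has not documented, and checks whether each host was covered by a full port-range scan rather than Nmap's default port list. The scan output and the baseline are constructed samples; the undocumented port 18006 matches the B02k default port listed later in the deck.

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap grepable (-oG) output, not a real scan. Host .10 was
# scanned with -p- (all 65535 TCP ports), host .20 with nmap's default port list.
SAMPLE_SCAN = """\
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 143/open/tcp//imap///, 18006/open/tcp/////, 41532/open/tcp/////\tIgnored State: closed (65530)
Host: 192.0.2.20 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (997)
"""
# Services the client documented as intentionally exposed (assumed baseline).
BASELINE = {"192.0.2.10": {22, 80, 143}, "192.0.2.20": {21, 23, 80}}

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    service: str  # empty when nmap has no name for the port
    reason: str

def parse_grepable(text):
    """Yield (host, port, state, proto, service) per -oG entry like 22/open/tcp//ssh///."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/rpc/version/
            if len(fields) >= 5:
                yield host, int(fields[0]), fields[1], fields[2], fields[4]

def audit(text, baseline):
    """Flag every open port that is not in the client's documented baseline."""
    findings = []
    for host, port, state, proto, service in parse_grepable(text):
        if state == "open" and port not in baseline.get(host, set()):
            reason = "undocumented open port"
            if not service:
                reason += "; nmap has no service name for it, inspect it manually"
            findings.append(Finding(host, port, proto, service, reason))
    return findings

def covered_full_range(text):
    """Per host: True only if open + ignored ports add up to all 65535 TCP ports."""
    coverage = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*Ports: (.*?)\tIgnored State: \w+ \((\d+)\)", line)
        if m:
            coverage[m.group(1)] = len(m.group(2).split(",")) + int(m.group(3)) == 65535
    return coverage
```

Run `audit(SAMPLE_SCAN, BASELINE)` to list the two undocumented ports on host .10, and `covered_full_range(SAMPLE_SCAN)` to see that host .20 still needs a full-range scan before its service list can be trusted.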


Maintaining Access (Look for Backdoors)

• If you got in, you should assume that someone else may have done so before. What might they have left behind?

• Use what you know about the target OS to look for other ways of getting in. Your client needs to know!


Cracking Passwords

• If you broke into a Linux machine, get the password file and try to crack as many passwords as you can.

• If you broke into a Windows machine, you will find a previous hacker has installed a password dump program called “pwdump2” in C:\Windows\System32\Pwdump2\
  – Use pwdump2 to dump the passwords to a file
  – Crack as many passwords as you can

• Get info about pwdump2 at: http://www.securiteam.com/tools/5ZQ0G000FU.html

• Do the passwords give you more ways to gain access to the system?


Alternate Ways of Getting in

• Each vulnerable machine is set up to allow multiple ways of getting in. You will get full credit (8 points) if you discover all of them and document your findings thoroughly.

• In addition to the normal means of getting extra credit, you will get extra credit if you discover ways of getting in which were not part of the lab setup, OR if you get in a machine you were not expected to, OR if your summary recommendations for the client include something we didn’t think of.


Lab Setup

• Dynamic setup changing every couple of days. You have to choose a slot of two days to complete the lab. Slots are: Tue-Wed, Thurs-Fri, Sat-Sun, Mon-Tue

• Multiple vulnerabilities (At least 2) of varying difficulty


Lab Setup

• Four Virtual Machines with different vulnerabilities.

• Only one will be running at any one time.

• The TAs will choose a different virtual machine to run every couple of days

• Two decoy machines acting as honeypots will always be running to make things interesting


Lab Setup

• VM1:
  – OS: Red Hat 7.2
  – IMAP-d exploit enabled
  – Remote vulnerable program running on a random port
  – LRK4 rootkit installed, but telnet closed
  – Two users, one with an easy password
  – One of the passwords may be used to open a VNC session


Lab Setup

• VM2:
  – OS: Red Hat 7.2
  – ICMP Server exploit enabled
  – Remote vulnerable program running on a random port
  – LRK4 rootkit installed, but telnet closed
  – Two users, one with an easy password
  – One of the passwords may be used to open a VNC session


Lab Setup

• VM3:
  – OS: Windows XP (no security patch)
  – DCOM exploit enabled
  – Netcat backdoor running
  – “pwdump2” kept at a known place
  – VNC session that may be opened by cracking one of the passwords


Lab Setup

• VM4:
  – OS: Win XP with security patch
  – B02k (running on default port 18006)
  – Netcat backdoor running
  – “pwdump2” kept at a known place
  – VNC session that may be opened by cracking one of the passwords


Lab Setup

• Decoy 1 (always running):
  – OS: WinXP with DCOM security patch
  – Back Officer Friendly (all traffic simulated)
  – No user other than administrator (with a difficult password)


Lab Setup

• Decoy 2:
  – OS: Red Hat 7.2
  – HTTP, FTP, telnet, SSH ports open
  – No users other than root (with a difficult password)


New Tools for Behind the Scenes

• DCOM Security Patch: from Microsoft’s website http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx

• Pwdump2: used to dump Windows passwords from the registry.

• AutoIt: simple scripting language used for the automation of simple Windows tasks like opening or closing Windows-based applications. To keep “netcat” running, the script checks for the closing of netcat and restarts it.

• Srvany.exe: used to install the AutoIt script as a service so that it starts up every time WinXP starts


Conclusions

• Challenges the students to try out different things, not just follow instructions

• Covers the breadth of the course

• Students get a flavor of the whole course by completing this challenging lab