CSIS 3756 Security Design
Transcript of CSIS 3756 Security Design
CSIS 3756 Security Design
Mr. Mark Welton
Penetration Testing
Definition, Concepts on Penetration Testing/Hacking
What is the difference between Penetration Testing and Vulnerability Assessment
What is the difference between Penetration Testing and Hacking
Anatomy of a Hack
How does Penetration Testing differ from the Anatomy of a Hack
Vulnerability (Security Flaw): specific failure of the system to guard against unauthorized access or actions. It can be procedures, technology (SW or HW), or management.
Using the failure of the system to violate the site security policy is called exploiting the vulnerability.
Penetration Testing is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker. – Wikipedia
Penetration Testing is a testing technique for discovering, understanding, and documenting the security holes that can be found in a system.
It is not a proof technique. It can never prove the absence of security flaws; it can only prove their presence.
Example goals of penetration studies are gaining of read or write access to specific objects, files, or accounts; gaining of specific privileges; and disruption or denial of the availability of objects.
What is the difference between penetration testing and hacking/intrusion?
Definition
Vulnerability Assessment:
◦ Typically is general in scope and includes a large assessment.
◦ Predictable. (I know when those darn Security guys scan us.)
◦ Unreliable at times and high rate of false positives. (I’ve got a banner)
◦ Vulnerability assessment invites debate among System Admins.
◦ Produces a report with mitigation guidelines and action items.
Penetration Testing:
◦ Focused in scope and may include targeted attempts to exploit specific vectors (both IT and physical)
◦ Unpredictable by the recipient. (Don’t know the “how?” and “when?”)
◦ Highly accurate and reliable. (I’ve got root!)
◦ Penetration Testing = Proof of Concept against vulnerabilities.
◦ Produces a binary result: either the team owned you, or they didn’t.
Penetration Testing vs. Vulnerability Assessment
Pen Testers have prior approval from Senior Management.
Hackers have prior approval from themselves.
Pen Testers’ social engineering attacks are there to raise awareness.
Hackers’ social engineering attacks are there to trick the DMV into divulging sensitive information about the whereabouts of their estranged ex-spouse.
Pen Testers’ war driving = geeks driving cars with really long antennas, license plate reading “r00t3d”, while dyeing their hair green, looking to discover the hidden, unapproved networks your users thought it would be OK to install for you.
Hackers’ wireless war driving doesn’t happen so often because 14 year olds typically don’t have their license yet.
Pen-testers have pink mohawks and wear trenchcoats in July.
Hackers have pink mohawks and wear trenchcoats.... that they bought with your bank account info.
Penetration Testing vs. Hacking
Hacking Methodology (Steps and Tools)
Footprinting: whois, nslookup
Scanning: Nmap, fping
Enumeration: dumpACL, showmount, legion, rpcinfo, Nessus
Gaining Access: Tcpdump, L0phtCrack, NAT, Metasploit
Escalating Privilege: John the Ripper, getadmin
Pilfering: rhosts, userdata, config files, registry
Covering Tracks: zap, rootkits
Creating Back Doors: cron, at, startup folder, netcat, keystroke logger, remote desktop
Denial of Service: Synk4, ping of death, tfn/stacheldraht
Information gathering. Sam Spade is a Windows-based network query tool.
Find out the target IP address/phone number range.
◦ Why check phone numbers?
Namespace acquisition. Network topology (VisualRoute). It is essential to a “surgical” attack. The key here is not to miss any details. Note that for a penetration tester, this step is there to avoid testing others instead of your client and to include all systems to be tested (sometimes the organization will not tell you what their systems consist of).
Defense: deploy NIDS (snort), RotoRouter
Footprinting
Bulk target assessment. Which machines are up and what ports (services) are open? Focus on the most promising avenues of entry. To avoid being detected, these tools can reduce the frequency of packet sending and randomize the ports or IP addresses to be scanned in the sequence.
Note that some machines do not respond to ping but do respond to requests on ports that are actually open. Ardor is an example.
Scanning
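The defender’s side of this step, as an added example that is not from the course slides: a small port-scan heuristic of the kind a NIDS such as snort applies, run over a constructed connection log. The log format, the addresses, the thresholds and the sample lines are all assumptions made for illustration. The window parameter exists because of the caveat above: a scanner that spaces its probes out and randomizes port order will not trip a short window, so the same data is checked with a one-minute and a one-hour window.

```python
"""Port-scan heuristic over a constructed connection log (added example,
not from the course slides). Log format, addresses and thresholds are
assumptions chosen for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one TCP connection attempt per line:
#   "<ISO timestamp> <src> -> <dst>:<port> <flags>"
# 10.0.0.5 sweeps six ports in two seconds, 10.0.0.9 sweeps six ports one
# every ten minutes in random order, 10.0.0.7 is an ordinary web client.
SAMPLE_LOG = """\
2003-03-04T02:00:00 10.0.0.5 -> 192.0.2.10:21 SYN
2003-03-04T02:00:00 10.0.0.5 -> 192.0.2.10:22 SYN
2003-03-04T02:00:01 10.0.0.5 -> 192.0.2.10:23 SYN
2003-03-04T02:00:01 10.0.0.5 -> 192.0.2.10:25 SYN
2003-03-04T02:00:02 10.0.0.5 -> 192.0.2.10:80 SYN
2003-03-04T02:00:02 10.0.0.5 -> 192.0.2.10:443 SYN
2003-03-04T02:00:05 10.0.0.7 -> 192.0.2.10:80 SYN
2003-03-04T02:03:10 10.0.0.7 -> 192.0.2.10:443 SYN
2003-03-04T02:10:00 10.0.0.9 -> 192.0.2.10:443 SYN
2003-03-04T02:20:00 10.0.0.9 -> 192.0.2.10:21 SYN
2003-03-04T02:30:00 10.0.0.9 -> 192.0.2.10:3389 SYN
2003-03-04T02:40:00 10.0.0.9 -> 192.0.2.10:25 SYN
2003-03-04T02:50:00 10.0.0.9 -> 192.0.2.10:80 SYN
2003-03-04T03:00:00 10.0.0.9 -> 192.0.2.10:22 SYN
2003-03-04T03:05:00 10.0.0.7 -> 192.0.2.10:80 SYN
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst_ip, dst_port)."""
    ts, src, _arrow, dst, _flags = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)


def detect_port_scans(log_text, window_seconds, min_ports):
    """Flag (src, dst) pairs that touch at least `min_ports` distinct
    destination ports within any sliding window of `window_seconds`.

    Returns a sorted list of (src, dst_ip, ports) tuples."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst_ip, port = parse_line(line)
            hits[(src, dst_ip)].append((ts, port))

    alerts = []
    for (src, dst_ip), events in sorted(hits.items()):
        events.sort()
        start = 0
        widest = set()
        for end, (ts_end, _) in enumerate(events):
            # Slide the window start forward until the span fits.
            while (ts_end - events[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) > len(widest):
                widest = ports
        if len(widest) >= min_ports:
            alerts.append((src, dst_ip, tuple(sorted(widest))))
    return alerts


if __name__ == "__main__":
    for label, window in (("60 s window", 60), ("1 h window", 3600)):
        print(label)
        for src, dst, ports in detect_port_scans(SAMPLE_LOG, window, 5):
            print(f"  {src} -> {dst}: {len(ports)} distinct ports {ports}")
```

With a 60-second window only 10.0.0.5 is reported; widening the window to an hour also catches 10.0.0.9, while the ordinary client 10.0.0.7 never reaches the distinct-port threshold. Longer windows cost memory per source/destination pair, which is the trade-off a real sensor makes.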
Identify valid user accounts or poorly protected resource shares.
More intrusive probing than the scanning step.
Enumeration
Based on the information gathered so far, make an informed attempt to access the target.
Gaining Access
If only user-level access was obtained in the last step, seek to gain complete control of the system.
Escalating Privilege
Webster's Revised Unabridged Dictionary (1913) ◦ Pilfer \Pil"fer\, v. i. [imp. & p. p. Pilfered; p. pr. & vb. n. Pilfering.]
[OF. pelfrer. See Pelf.] To steal in small quantities, or articles of small value; to practice petty theft.
Gather information to identify mechanisms that allow access to trusted systems.
Pilfering
Once total ownership of the target is secured, hiding this fact from system administrators becomes paramount, before they react.
Covering Tracks
Trap doors will be laid in various parts of the system to ensure that privileged access is easily regained whenever the intruder decides.
Creating Back Doors
If the attacker is unsuccessful in gaining access, they may use readily available exploit code to disable a target as a last resort.
Denial of Service
How does Penetration testing differ?
Hacking Methodology:
Footprinting, Scanning, Enumeration, Gaining Access, Escalating Privilege, Pilfering, Covering Tracks, Creating Back Doors, Denial of Service
Penetration Testing Methodology:
Footprinting, Scanning, Enumeration, Gaining Access, Escalating Privilege, Pilfering
The good guys usually get some small piece of proof and exit as quietly as they came
You have authority to do it
How does Penetration testing differ?
First, can you do what you want to do where you want to do it?
◦ Is a war-dial legal against your own systems when going through a central office? Make sure you are protected with a “Letter of Authority”.
◦ Protect yourself with a “Get out of jail” type letter.
Encrypt your data. You don’t want to be liable if your data is compromised.
Some Legal issues to consider
Watch, and throttle if necessary, your generated network traffic. Think stealth and covert.
Think through your actions before doing them. Run these tools at your own risk. You are responsible for what you do.
◦ Test them on a stand-alone network with a network sniffer and review the source code
◦ Obtain tools from the source
◦ Verify checksums from multiple sources when applicable
More Lawyer Speak
Be as aggressive as you can and work to be creative. Now is when you can use the “thinking out of the box” classes that we’ve taken.
Don’t get tunnel vision
Are you going to do physical penetrations?
◦ Actually trying to break in, vs
◦ Wandering where you shouldn’t
What about “social engineering”?
What are your boundaries?
Application Service Providers (how can you use them?)
Externally hosted resources
Non-company equipment
All need to be addressed with each customer and agreed upon.
More Boundaries to Consider
Identify activities, persons, processes, and events that could affect the penetration test:
◦ Network quiet time
◦ Major upgrades
◦ Layoffs
◦ Strikes
◦ Administrator’s day off
◦ Late at night when the NIDS monitoring staff is sleeping
Your advantage?
Coordinating Activities
Before proceeding, decide what perspective your team will take during the exercise.
What will the initial level of access and the amount of information be?
◦ Outsider with no previous knowledge
◦ Outsider with insider knowledge (with an inside partner or former insider)
◦ Low level insider (end-user)
◦ High level insider (system or network administrator)
What’s your perspective?
A signed letter from the “appropriate person”. This could be an officer, the CIO, owner, etc.
Includes:
◦ Who will perform the test
◦ When the test will be performed
◦ Why the test is being performed
◦ What types of activities will take place
◦ Includes targeted systems or locations
◦ Customer contacts for verification
◦ May include reasons to prematurely conclude the test
Request cooperation to minimize notification of your activities.
Is legal review of the letter important? May address liability issues.
The Authorization Letter
Why would you end your test before the allotted time-frame?
◦ Busted! The customer has detected your activities and sounded the alarm
◦ You’ve caused a negative impact such as a network or system outage
◦ You are not the person to successfully gain access
◦ You uncover such a significant vulnerability that you need to alert the system or network administrators
◦ You were slightly off on your IP addresses
◦ You’ve achieved your goal
Premature Termination
Remember, in general, success from your perspective does not equal success from your customer’s perspective.
◦ Somebody generally goes home unhappy.
◦ Watch morale issues on your team.
The Pen-Test Paradox
Depending on your target, can you obtain a “clone” of the target?
It is often a lot easier to experiment, play, and sometimes destroy a controlled system.
◦ For example, based on your fingerprinting results, you’ll have a pretty good idea of the current configuration.
Configure another machine as a clone.
Borrow or buy a clone system.
Turning a black-box pen test into a white-box pen test.
You must have a log-book of every activity that everybody does.
◦ Electronic or manual, just include the basics of who, what, when, and how.
The Linux “script <filename>” command is a great tool to save your logs for each terminal session. Control-D exits, and I use a convenient (but long) filename such as exchpt.gm.2003mar04.
Plan your efforts and communicate continuously with team members.
Almost ready
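The log-book described above, and the “script operations” question that follows, as an added example that is not from the course slides: a small who/what/when/how log-book whose entries are hash-chained, so that an edit to any earlier entry is detectable when the record is later used to show what the team did and did not do. The hash chain, the JSON-lines layout, the filename helper (modelled on the exchpt.gm.2003mar04 pattern, with the field layout assumed) and the fictitious sample entries are all my additions.

```python
"""Tamper-evident activity log-book (added example, not from the course
slides). The slides ask for who, what, when and how; the hash chain, the
JSON-lines format and the sample entries are assumptions added here."""
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64  # assumed anchor value that the first entry links to


def logbook_name(target, initials, when_iso):
    """Filename in the slide's exchpt.gm.2003mar04 style; the layout
    <target>.<initials>.<year><mon><day> is an assumption."""
    when = datetime.fromisoformat(when_iso)
    return f"{target}.{initials}.{when.strftime('%Y%b%d').lower()}"


def entry_digest(body):
    """SHA-256 over the canonical JSON of an entry without its own hash."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_entry(entries, who, what, when_iso, how):
    """Append one who/what/when/how entry linked to the previous entry."""
    body = {
        "who": who,
        "what": what,
        "when": when_iso,
        "how": how,
        "prev": entries[-1]["hash"] if entries else GENESIS,
    }
    entries.append({**body, "hash": entry_digest(body)})
    return entries[-1]


def verify_chain(entries):
    """Return -1 if every entry matches its hash and links to the entry
    before it; otherwise the index of the first entry that fails."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("prev") != prev or entry_digest(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1


def write_logbook(entries, path):
    """Persist the log-book as JSON lines, one entry per line."""
    with open(path, "w", encoding="utf-8") as fh:
        for entry in entries:
            fh.write(json.dumps(entry, sort_keys=True) + "\n")


def read_logbook(path):
    """Load a JSON-lines log-book written by write_logbook."""
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def build_sample_logbook():
    """Constructed entries for a fictitious engagement (not real data)."""
    entries = []
    append_entry(entries, "gm", "Confirmed scope and authorization letter with customer contact",
                 "2003-03-04T09:00:00", "phone call, letter on file")
    append_entry(entries, "gm", "Ping sweep of 192.0.2.0/24 (in-scope range)",
                 "2003-03-04T09:30:00", "fping, terminal session saved with script")
    append_entry(entries, "ab", "Reviewed sweep output, no unexpected hosts",
                 "2003-03-04T10:15:00", "manual review")
    return entries


if __name__ == "__main__":
    book = build_sample_logbook()
    name = logbook_name("exchpt", "gm", book[0]["when"])
    write_logbook(book, name + ".jsonl")
    print(name, "intact:", verify_chain(read_logbook(name + ".jsonl")) == -1)
    book[1]["what"] = "edited after the fact"
    print("after tampering, first bad entry index:", verify_chain(book))
```

Each entry carries the hash of the one before it, so rewriting an old entry invalidates every later link; re-hashing the edited entry only moves the break one step down the chain. Copying the finished file to a second, write-once location at the end of each day gives the chain something independent to be checked against.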
Everything that goes wrong on the target host, network, or on the Internet from two weeks before you plug in to two weeks after you submit the report will be your fault.
Document everything!
Can you script operations to increase efficiency and reduce errors?
Murphy’s Law