
Penetration Testing, System Hardening and Forensics

How to harden systems, break into computers and discover other intruders while staying out of jail.

Alan Rockefeller [email protected]

Overview

You will learn about:
Penetration Testing – why it is important and how it is done.
Forensics – how you can find out what was done to your system.
Good security practices – how to avoid failing a penetration test.

Penetration Testing – Why do it?

It is really important that none of the computers you use have any remotely exploitable vulnerabilities. If they do, a knowledgeable attacker can do anything to them. The consequences are unacceptable, so all known vulnerabilities must be fixed right away.
Pen testing is the most direct way to find out how secure the systems really are and to find the vulnerabilities an attacker would find. A pen test finds what the tester can reach in the time available, not every vulnerability, so scanning and patching have to continue afterwards.
Pen testing is a lot of fun. Almost everything done during a pen test would be a felony if permission were not obtained.
Permission is easy to obtain: just ask the sysadmin if you can try to break in. Every good admin knows that systems should have no vulnerabilities, so they will be happy to let you make sure.
Get the permission in writing. Sysadmins sometimes get very angry when you find a vulnerability. Take a minute to make sure the people in charge understand that the test is a good idea, and agree on the scope (which hosts, which techniques, which hours) before you start.

The US Government has "Tiger Teams" which break into government machines, and each agency receives an annual letter grade for the security of its computer networks (the FISMA report cards issued by the House Government Reform Committee). In 2005, the Department of Homeland Security earned an F grade. In 2006 this improved to a D, and was at B+ by 2007.
The entire US Government was evaluated and received an average grade of D+ in 2005. By 2007 the grade had improved to a C.
The Nuclear Regulatory Commission and several other government agencies received an F grade in 2007.
The rest of this slide has been censored by the Department of Homeland Security.

Pen Testing – How do I do it?
Run Nessus (version 3) against the target IP address(es).
While it is running, run "nmap -p1-65535 !$" (in bash, !$ expands to the last argument of the previous command, i.e. the same target you just gave Nessus).
Telnet to each open TCP port and try to find out what is running on it. On most ports it will be obvious from the port number and the server's banner. If you don't recognize immediately what is running on a port, look the port number up at http://incidents.isc.org.
Look up everything you find at Packet Storm Security and the SecurityFocus vulnerability database. Packet Storm Security is at http://packetstormsecurity.org. The SecurityFocus vulnerability database is at http://securityfocus.com (click the Vulnerabilities tab).
"nmap -p1-65535 -sU !$" may give you some UDP services to research. It also may not: UDP port scanning is unreliable, because an open UDP port usually sends nothing back, so nmap can only distinguish "open" from "filtered" when the service answers a probe, and closed ports are recognized by ICMP port-unreachable replies that most hosts rate-limit. Expect a full UDP sweep to take hours.

Once the Nessus report has completed, research every security hole it reports. Nessus is a security scanner (versions up to 2.x were open source under the GPL; version 3 is closed source but free to use, and OpenVAS is the open-source fork of Nessus 2) which tries thousands of ways to gather information and break into the target systems, giving you a report that tells you which ways might work. Try them all: the scanner reports what looks vulnerable, and only a manual attempt tells you whether it really is.
Combine all the information from nmap, Nessus, packet sniffers, background information, Google searches, 802.11 wireless attacks and other hacker tools and try to break into the system in any way that you think might work.
Don't forget to make sure the sysadmin locks his screen when he steps away. Make sure you can't pick the lock on the server room door.
Call the help desk, tell them you are a new employee and need accounts on the systems.
Make sure you can't hop the fence, crawl over the drop ceiling, under the floor, or fool the handprint scanner.
Set up a network sniffer to record all plaintext passwords sent from the system and determine which protocols are in use.
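The port-by-port step above (find the open TCP ports, then connect to each one and read what it says) in one script. This is an added example, not code from the slides: it assumes you have written permission for the target, and the fixture at the bottom starts a throwaway listener on 127.0.0.1 with a constructed Sendmail-style banner so that it runs offline. Against a real host you would pass its address and the ports nmap reported open.

```python
"""Connect to a list of TCP ports and record the banner each one sends.

Added example, not from the slides. Many services speak first (SMTP "220 ...",
SSH "SSH-2.0-...", FTP "220 ..."); HTTP-style services wait for the client, so
if nothing arrives we send a harmless request line and read again.
"""
import socket
import threading

TIMEOUT = 2.0  # seconds to wait for a connect or for a banner


def grab_banner(host, port, timeout=TIMEOUT):
    """Return ("open", banner) or ("closed", "")."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
            if not data:  # silent service: nudge it like a browser would
                try:
                    s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
                    data = s.recv(1024)
                except OSError:
                    data = b""
            return "open", data.decode("latin-1", "replace").strip()
    except OSError:  # ConnectionRefusedError and socket.timeout are both OSError
        return "closed", ""


def scan(host, ports):
    """Return {port: banner} for every port that accepted a connection."""
    results = {}
    for port in ports:
        state, banner = grab_banner(host, port)
        if state == "open":
            results[port] = banner
    return results


# ---- constructed fixture: a fake SMTP-style listener on localhost ----
def _fake_service(banner):
    """Start a one-shot TCP listener that sends `banner`; return its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _closed_port():
    """Grab an ephemeral port and release it, so nothing is listening there."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Scan one open and one closed local port; return (open, closed, hits)."""
    open_port = _fake_service(b"220 mail.example.test ESMTP Sendmail 8.13.8 ready\r\n")
    closed_port = _closed_port()
    return open_port, closed_port, scan("127.0.0.1", [open_port, closed_port])


if __name__ == "__main__":
    open_port, closed_port, hits = demo()
    for port in (open_port, closed_port):
        print(f"{port}/tcp", "open   " + hits[port] if port in hits else "closed")
```

The banner is what you then look up at Packet Storm and SecurityFocus; a version string like the constructed "Sendmail 8.13.8" above is exactly the kind of detail the vulnerability databases are indexed by.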

When attacking web servers, download all the content with "wget -r http://victim.com". Read all the web pages to find out how CGIs and PHP scripts are used. Call these CGI and PHP scripts with unexpected variables. If you see a PHP page with &language=english in a web link, try calling it with &language=../../../../../../etc/passwd. If the page's input validation is not good enough, it will send you the actual /etc/passwd file from the server.
If the page's code uses an open() call whose argument is not sanitized (the classic case is Perl's two-argument open), you can use the | character to execute commands on the web server as "nobody". If you have read access to the web root, you can look through the code for these kinds of things. If you don't have read access to the web root, find a way to get read access to the web root, then look through the code. There are always lots of ways; you only need to find one of them.
"nobody" is probably the most powerful user on the web server, because nobody usually owns the web content.
Check for SQL injection vulnerabilities.
Cenzic Hailstorm is a commercial tool that finds holes in websites.
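The two web bugs described above (the &language= path traversal and SQL injection), each as a vulnerable handler beside its fixed form. This is an added example, not code from the slides: the PHP page is modelled as a Python function serving a template file, the database is an in-memory SQLite table built for the demo, and a file named "passwd" created two directories above the constructed web root stands in for /etc/passwd.

```python
"""Path traversal and SQL injection: vulnerable handlers beside fixed ones.

Added example, not from the slides. All files live under a temp directory
created here (constructed fixture); nothing real is read.
"""
import os
import re
import sqlite3
import tempfile

# ---- constructed fixture: web root with one language file, a secret outside it ----
ROOT = tempfile.mkdtemp()
WEBROOT = os.path.join(ROOT, "htdocs", "lang")
os.makedirs(WEBROOT)
with open(os.path.join(WEBROOT, "english"), "w") as f:
    f.write("Welcome\n")
with open(os.path.join(ROOT, "passwd"), "w") as f:   # two levels above WEBROOT
    f.write("root:x:0:0:root:/root:/bin/bash\n")


def serve_language_vulnerable(language):
    """&language= is joined straight onto the path, so ../ walks out of WEBROOT."""
    with open(os.path.join(WEBROOT, language)) as f:
        return f.read()


def serve_language_fixed(language):
    """Allowlist the parameter, then check the resolved path stays inside WEBROOT."""
    if not re.fullmatch(r"[a-z]{1,32}", language):
        raise PermissionError("bad language name: %r" % language)
    base = os.path.realpath(WEBROOT)
    target = os.path.realpath(os.path.join(base, language))
    if os.path.commonpath([base, target]) != base:   # defence in depth
        raise PermissionError("path escapes web root: %r" % language)
    with open(target) as f:
        return f.read()


def traversal_blocked(language):
    """True if the fixed handler refuses `language`."""
    try:
        serve_language_fixed(language)
    except PermissionError:
        return True
    return False


# ---- constructed fixture: a users table ----
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (name TEXT, password TEXT)")
DB.execute("INSERT INTO users VALUES ('alice', 's3cret')")


def login_vulnerable(user, password):
    """String-built SQL: user = "alice' --" comments out the password check."""
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (user, password)
    return DB.execute(sql).fetchone() is not None


def login_fixed(user, password):
    """Bound parameters: the quote in the username is data, never SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return DB.execute(sql, (user, password)).fetchone() is not None


if __name__ == "__main__":
    print(serve_language_vulnerable("../../passwd"), end="")  # leaks the "passwd" file
    print(traversal_blocked("../../passwd"))                   # True
    print(login_vulnerable("alice' --", "wrong"))              # True: logged in
    print(login_fixed("alice' --", "wrong"))                   # False
```

The allowlist is the real fix for the traversal; the realpath check only catches what a too-loose allowlist lets through. For the SQL case the fix is never string formatting, it is parameter binding, whatever the database.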

Make sure you can't get into the building using a badge printed from a digital photo of a company badge taken at a nearby restaurant during lunch hour.
Make sure you can't dress as a police officer or fire inspector and get access to the server rooms. Get the uniforms and official-looking gear at a fire/rescue/911 supply store. Get permission from the police before you try it; impersonating an officer is a crime in its own right.
The point is to train the people to verify the identity of everyone, and to build a security culture where no holes are allowed to exist.
Even home users must fix all security holes. Otherwise hackers will break in and use the machines to attack, for example, the CIA. The CIA would trace it back only to that home user, whom they raid, only to find that it was hackers in Romania who had taken the machine over. So they raid a business in Romania and find that the source of the attack is a home in Taiwan. So they raid the Taiwanese home and find that the attack came from the Mexican government. They raid them and find that the attack came from a home in Iraq, where they lose the trail. The hackers are often actually using random wireless hotspots, which they can reach from miles away with a good antenna from the top of a high-rise.
Make sure you can't drop USB memory sticks in the parking lot that have autorun install a backdoor as soon as the device is plugged in.

In the state of California, it is legal to make your own lock pick sets. It is illegal to give them away or sell them without keeping a copy of the customer's ID on file for a year.
Use street sweeper bristles and hacksaw blades. See http://lockpicking101.com for more information.
Before picking a lock, always get the permission of the lock's owner. Always carry a lock pick set in case you get locked out.
If the lock is a card key lock, there is a centralized computer that keeps a database of which cards are allowed, and keeps a log of who goes into each room. Chances are that the patches on this computer are way out of date and you can break in and give your card access to all the most secret rooms.
If you can't break into this computer, you can obtain one of the badge readers from an outside door and power it up with a battery. Hold it within a couple of feet of the wallet of a high-ranking employee to read his card's code, then clone a card with the same level of access that employee has. This works because common 125 kHz proximity badges simply transmit a fixed ID with no authentication.

Firewalls are a very effective way to protect a system against remote attackers.
If you are a remote attacker trying to bypass a firewall, instead of trying to connect to the system, get the system to connect to you. Firewalls usually allow outbound connections (a web request from the victim's browser) that they would never allow inbound. For example, email the user an interesting web link that leads to your evil web server. Once the user clicks on it, any one of hundreds of known and unknown web browser vulnerabilities can be exploited by your malicious web server. This technique can be used to break into almost all of the world's most secure computers.
If none of these methods get you in, adjust them a little until they do. No computer is completely secure. If you don't feel like doing that, trick them into letting you in. Make them think you are authorized by calling on the phone and telling them that you are travelling and need access right away. Make your story believable by sounding kind of bored and impatient, and get a calling card that lets you send any number as your caller ID. Call from the phone number of the company's CEO or tech support center using a card available from http://www.spoofcard.com. Caller ID is not authentication; it is a field the calling party's carrier fills in.
Mail a CD to the target and have autorun install a keystroke logger.

You can also find all the information you need to get into the computers from the dumpsters. Jump inside, close the lid and look for passwords, dialup numbers, door codes, phone numbers, etc.
Most companies have insecure wireless networks which can be used to break into the rest of their networks. Use tools like AirSnort to crack WEP encryption; WEP is broken by design, and with enough captured traffic the key is recovered in minutes. Lots of wireless hacking tools are available at http://packetstormsecurity.org/wireless/
Burglar alarms can be bypassed by shorting the sensors in the proper way so they don't go off, cutting the phone lines, putting magnets near magnetic door sensors, or tricking automatic car gates into thinking a car is there. To trick an automatic gate into opening because it thinks a car is leaving, throw a large piece of iron, like a trash can lid, over the sensor pad (an inductive loop that detects a large mass of metal) near the automobile exit gate.

Even critical infrastructure such as ATMs and <censored> and <censored> and <Department of censored> can be broken into using simple network-based attacks. As evidence of this there are newspaper articles about ATMs that were infected by Windows worms exploiting well-known vulnerabilities (the Nachi/Welchia worm hit Windows-based Diebold ATMs in 2003). ATMs don't get software updates often.
Most paranoid organizations, such as banks, the DMV, courts of law, and every government organization and large company, use intrusion detection systems. These are machines which capture all network traffic and examine it for suspicious activity. These packet capture devices read in all network packets and parse them for abnormal activity. A protocol parser that decodes every packet on the wire has an enormous attack surface: thousands of buffers that fill with attacker-controlled data during every connection, and IDS products have had remote buffer overflows in exactly these parsers. If you overflow one of them by sending intentionally malformed data to any host that the IDS is "protecting", you can end up in control of the security monitoring network, which typically has access to everything.

By default, every system has many security vulnerabilities. You need to configure them so they don't have any.
Once you get in, write a short summary of how you did it, including the vulnerability details and links to Packet Storm and SecurityFocus. Send it to the sysadmin, if there is one. If not, find a way to make sure the security problems get fixed.
Always get permission first.

According to TIME magazine, a US DOE employee named Shawn Carpenter (a network security analyst at Sandia National Laboratories) noticed a hacker, apparently in Taiwan, breaking into several US government agencies and copying entire hard drives.
He got permission from the FBI to break into the Taiwanese computer to see who was behind it. Once he got in he found out the attacks were coming from China. The US Government code-named the attacks Titan Rain.
He broke into the Chinese router and discovered a data center that was attacking US government computers 24/7 using sophisticated network attacks. They were working in shifts and copying massive amounts of sensitive data from dozens of US government agencies.
He gave the router passwords to the CIA, but they never used them.
The FBI tried unsuccessfully to charge him criminally as a hacker for breaking into the Chinese computers. The full article is at http://www.time.com/time/archive/preview/0,10987,1098961,00.html
These types of attacks are increasing every year.

Forensics

When a system is used, traces are left behind. If you suspect that one of your machines has been used by an unauthorized person, there are a million places you can look for clues about who it was and what was done.
The most important thing is to find out which days the unauthorized use occurred. Search the file system for all files that were modified, created, or read on those days. The three timestamps are mtime (content written), ctime (inode or metadata changed) and atime (read); ctime is the one to trust, because touch can reset mtime and atime but not ctime.
For Windows, get fport.exe and run it to list all the running processes and which network ports they have open. For Unix, get lsof and run "lsof -i -n" or just "lsof -n".
If the intruder had root access, anything could have been done. They usually set up your system to lie to you. If you suspect such a thing, save all the system memory to a file (historically by reading /dev/kmem or /dev/mem; current kernels restrict or remove these devices, so use a memory acquisition tool instead), then reboot with a known clean kernel (Knoppix), mount the filesystem read-only, and do forensics from there.
Search for files with the names "...", ". ", ".. ", etc.

Search for all files that were changed recently, especially in /bin, /usr/bin, /sbin, /usr/local/bin, /etc, etc.
The Coroner's Toolkit (TCT) can help examine a system to find deleted files and many other kinds of evidence.
The Sleuth Kit is a similar free toolkit. It is available for Unix and Windows: http://sleuthkit.org
EnCase is commercial forensics software for Windows which does similar things. Anyone who is serious about finding out who broke into their system will run The Sleuth Kit, lsof and The Coroner's Toolkit. Make sure you know exactly what these tools can do.
Windows Forensic Toolkit (WFT) is a CD that contains 107 different forensic checks, such as RootkitRevealer, saving filesystem and process information, listing DLLs, etc. It saves the output to a USB key and is available at http://foolmoon.net/security/wft. Note that it makes minor changes to the running system.
Knoppix is a standalone Linux live CD which lets you boot into a trusted environment, then mount suspect drives read-only, preserving all forensic evidence.
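The file-timestamp search from the two slides above (files touched on the suspect days, recently changed binaries, and the "...", ". ", ".. " hiding names) as one script. This is an added example, not code from the slides. It builds a throwaway directory tree as a constructed fixture so it runs offline; on a real case you would run it from a clean boot against the suspect disk mounted read-only, since your own reads would otherwise update atime.

```python
"""Timeline files touched in a suspect window and flag hidden-looking names.

Added example, not from the slides. Reports every entry whose mtime, ctime or
atime falls in [start, end], and separately lists names intruders use to hide
("...", ". ", ".. ", "..anything").
"""
import os
import tempfile
import time
from datetime import datetime


def timeline(root, start, end):
    """Return sorted (timestamp, kind, path); kind is 'm', 'c' or 'a'."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow a planted symlink
            except OSError:
                continue
            for kind, ts in (("m", st.st_mtime), ("c", st.st_ctime), ("a", st.st_atime)):
                if start <= ts <= end:
                    hits.append((ts, kind, path))
    return sorted(hits)


def hidden_names(root):
    """Paths whose basename is one of the classic hiding names."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name in (". ", " ") or name.startswith(".."):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def recently_modified(root, days=1):
    """Basenames whose mtime falls within the last `days` days."""
    now = time.time()
    hits = timeline(root, now - days * 86400, now + 60)
    return sorted({os.path.basename(p) for _, kind, p in hits if kind == "m"})


# ---- constructed fixture: a tiny fake root with one backdated and one fresh binary ----
def build_fixture():
    root = tempfile.mkdtemp()
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    os.makedirs(os.path.join(root, "tmp", "..."))  # attacker's hiding spot
    for name in ("ls", "ps"):
        with open(os.path.join(bindir, name), "w") as f:
            f.write(name)
    # Backdate ls by 30 days (mtime and atime). utime() cannot set ctime, so
    # ls still shows up with kind 'c' in a recent window: this is why ctime is
    # the timestamp to trust when an intruder has used "touch -r" on a trojan.
    old = time.time() - 30 * 86400
    os.utime(os.path.join(bindir, "ls"), (old, old))
    return root


if __name__ == "__main__":
    root = build_fixture()
    now = time.time()
    for ts, kind, path in timeline(root, now - 86400, now + 60):
        print(datetime.fromtimestamp(ts).isoformat(timespec="seconds"), kind, path)
    print("hidden:", hidden_names(root))
    print("modified in last day:", recently_modified(root))
```

On the fixture, "ps" (written now) is reported as modified while the backdated "ls" is not, yet "ls" still appears in the timeline through its ctime; that mismatch between mtime and ctime on a system binary is itself a finding worth writing down.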

The most important thing to do is to install the security patches for all software as soon as they come out. All users should configure automatic updates to run as often as possible. Software which is not covered by automatic updates, such as web servers and extra network daemons, must be upgraded by the sysadmin as soon as new versions come out.
Microsoft releases Windows patches on the second Tuesday of every month ("Patch Tuesday"), with out-of-band releases for serious issues. All Windows machines should be updated at that time. Machines which miss the update should be denied access to the network until they update.
Nessus is a great tool for locating Unix and Windows machines which are behind on patches.

System Hardening

Nessus and other network and hacking tools can get lots of interesting data from the various open TCP and UDP ports found on systems.
Each open port processes the data sent to it, and on many of them there are thousands of code paths reachable before authentication. For example, sendmail processes hundreds of things from random hosts.
With thousands of functions, several security bugs will be present. Every open TCP and UDP port probably has security bugs.
Your job is to convince sysadmins to restrict access to all these ports. This can be done with firewalls: allow only the database clients' IPs to connect to the database servers, only the backup servers to the backup clients, etc.
Browsers can be hardened with Flashblock and NoScript.

Firewalls can be kernel-based, on each host, or network-based, restricting access to the ports of many hosts.
Every machine should have integrity checking set up. This is a system that records the checksum of each important file and notifies the sysadmin if there are unauthorized changes.
Advanced attackers can bypass these kinds of systems. They should still be set up, because advanced attackers are usually too lazy to find and disarm these types of burglar alarms. The alarms can't be bypassed if attackers can't find them, unless they patch the kernel: a kernel rootkit can show the checker the original file while everything else gets the trojaned one. Always make sure they don't patch your kernel. To verify that your system has not been rootkitted, run chkrootkit from http://chkrootkit.org. To verify that your kernel has not been patched, read http://www.s0ftpj.org/docs/lkm.htm
To build a secure network, start with securing your workstations. They can be desktops or laptops; make sure they are as secure as possible, with absolutely no open ports (check with "lsof -i -n") and console-only access.
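The integrity checking described above, as an added example rather than code from the slides and not a substitute for Tripwire or AIDE: take a baseline of every file under the watched directories, store it, and later report what was added, removed or changed. The fixture in demo() builds a throwaway "bin" directory, baselines it, then simulates an intruder who trojans ps with a file of the same size, drops a backdoor and deletes netstat. Store the real baseline where the intruder cannot write (read-only media or another host), and remember the slide's caveat that a kernel rootkit can feed this checker the original file contents.

```python
"""Minimal file integrity checker: baseline, then diff the current state against it.

Added example, not from the slides. Records SHA-256, mode, owner and size for
every regular file; the fixture below is constructed so the script runs offline.
"""
import hashlib
import json
import os
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(dirs):
    """Return {path: {"sha256", "mode", "uid", "size"}} for every regular file."""
    db = {}
    for d in dirs:
        for dirpath, _, filenames in os.walk(d):
            for name in filenames:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                st = os.lstat(path)
                # mtime is deliberately left out: "touch -r" resets it, and the
                # hash already catches everything mtime would have shown.
                db[path] = {"sha256": _sha256(path), "mode": st.st_mode,
                            "uid": st.st_uid, "size": st.st_size}
    return db


def compare(old, new):
    """Diff two snapshots into sorted added / removed / changed path lists."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def save(db, path):
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load(path):
    with open(path) as f:
        return json.load(f)


# ---- constructed fixture: fake /bin, baseline it, then "break in" ----
def demo():
    root = tempfile.mkdtemp()
    bindir = os.path.join(root, "bin")
    os.makedirs(bindir)
    for name in ("ls", "ps", "netstat"):
        with open(os.path.join(bindir, name), "wb") as f:
            f.write(b"ELF original " + name.encode())
    baseline = os.path.join(root, "baseline.json")  # real life: read-only media
    save(snapshot([bindir]), baseline)

    # Intruder: trojan ps with a same-sized file (size alone would miss it),
    # drop a backdoor, delete netstat.
    with open(os.path.join(bindir, "ps"), "wb") as f:
        f.write(b"ELF trojaned ps")
    with open(os.path.join(bindir, "sshd_backdoor"), "wb") as f:
        f.write(b"ELF backdoor")
    os.remove(os.path.join(bindir, "netstat"))

    report = compare(load(baseline), snapshot([bindir]))
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:8s} {names}")
```

Run snapshot() from a clean boot when you create the baseline, and again from a clean boot when you suspect trouble; a checker run on a live, possibly rootkitted kernel is only as honest as that kernel.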

Configure all your secure servers to only allow logins from your secure workstations. It doesn't matter whether your workstation is Mac, Windows or Linux; you must always keep it absolutely secure. If your workstations get compromised, the enemy's keystroke loggers will capture the root passwords to all the machines in your network.
Never ssh or otherwise connect into your workstation. Always connect from your workstation outbound only. This way you are transferring trust from your workstation to remote machines, and never the other way around.
Never run peer-to-peer file sharing software, view untrusted websites or funny videos, or run anything dangerous like RealPlayer, Macromedia Flash, or any email client on your workstation. Use a separate computer, one which cannot run commands on or copy files to your workstation or any other important machine, for things like that.

Resources

1) isc.sans.org - This site allows you to look up any port number and get a graph of how many sources are probing that port. It is very useful for determining whether a particular vulnerability is actively being exploited. It has lots of trend analysis features such as "top rising attacked ports" which can help determine which attacks are becoming popular. The site also has a daily security diary which summarizes recent hacker activity reports from the field.

2) securityfocus.com - The most useful feature of this site is the vulnerability database. You can look up any product to find out which vulnerabilities apply. Click on the Vulns tab, then select the vendor, product name, and version. It will show only vulnerabilities which affect the version which you are looking up. The site also hosts many good security mailing lists, such as Bugtraq.

3) packetstormsecurity.org - This site has current security tools, exploits, and advisories.

4) metasploit.com - The Metasploit Framework makes exploitation of many vulnerabilities practical via an easy-to-use framework (written in Perl through version 2; version 3 is a rewrite in Ruby).

5) sectools.org - The top 100 free security tools, according to thousands of nmap users.

Send your questions to Alan.

[email protected]