Turn-Key Penetration Testing Labs

Transcription

1 Turn-Key Penetration Testing Labs Thomas Wilhelm CISSP SCSECA SCNA SCSA IAM

2 Why Do I Need a PenTest Lab?...or Why Hacking the Internet is Bad Legal Ramifications Mr. Heckenkamp: 8 months, $268,291 restitution Two counts of gaining unauthorized access into a computer and recklessly causing damage CompSci. Grad student at University of Wisconsin Mr. Lukawinsky: 12 months, $198,458 restitution Accessed computer network without authorization and downloaded several encrypted password files Did not compromise any of the confidential or proprietary information Turn-Key Penetration Testing Labs 2

3 Why Do I Need a PenTest Lab?...or Why Hacking the Internet is Bad Bandwidth Problems Brute Force Attacks Aggressive Scanning Denial of Service Attacks Cost Associated with Bandwidth Usage Wife Can't Play Her MMORPG Turn-Key Penetration Testing Labs 3

4 Why Do I Need a PenTest Lab?...or Why Hacking the Internet is Bad Time Constraints Finding the Right Equipment to Hack Find a Legal System (friend-of-a-friend)? Servers are Often Down Denial of Service Idiots (intentional or not) Code of Ethics I Want to Keep my Job Turn-Key Penetration Testing Labs 4

5 Disadvantages of PenTest Labs Expensive & Expansive Equipment & Electrical Costs Limited Rack Space Application / Operating System / Patch Disks Diversity is up to You Finding Older and Unique Equipment / Software is a Serious Pain Turn-Key Penetration Testing Labs 5

6 Disadvantages of PenTest Labs How do You Make a Real World Challenge? What's a Real Scenario if I've Never Pentested before? If YOU Create a Scenario, YOU Instantly Know How to Solve it Turn-Key Penetration Testing Labs 6

7 ...So, I Began To Think How to Get Rid of the Disadvantages of a Lab Needs to be Easy for Neophytes to Use Challenging Enough for All Skill Levels Simulate Real-World Situations Not Just Another Web-Hacking Scenario Easy to Create Portable (LAN Parties) Nerdy Enough to Be Kind of Cool Turn-Key Penetration Testing Labs 7

8 Advantages of Live CDs Cost Advantage Less Equipment Virtualization (future releases) Portable and Compact (iso file) Quick & Easy to Use They are Real Servers with Real Services Turn-Key Penetration Testing Labs 8

9 Disadvantages of Live CDs Depends on Your Goals LiveCD vs. Fully-Installed System Learning Goals are Different PenTesting Learn SysAdmin Modules vs. Packages -> LiveCDs -> Full Install Fewer Modules, but Easier to Install More Packages, but More Complicated You can Still use Packages in LiveCDs Proprietary Operating Systems Turn-Key Penetration Testing Labs 9

10 A Live CD PenTesting Lab Is... I Needed Some Standards Slax (slax.org) BackTrack (remote-exploit.org) Hardware Router(s) Two Machines Target Attack Turn-Key Penetration Testing Labs 10

11 A Live CD PenTesting Lab Is... I Needed Some Standards Target machine = Static IP Address IP Address Indicates Difficulty Level xxx = level xxx = level 2, etc. Attack machine = Dynamic IP Address Router Needs to Provide DHCP OSSTMM Turn-Key Penetration Testing Labs 11

12 How a Slax Live CD Works Modules Runs from USB or CD 6 Pre-Built.iso's Server Distro Includes: DNS, DHCP, HTTP, FTP, MySQL, SMTP, POP3, IMAP and SSH. Smallest Distro: 50MB GNU General Public License Turn-Key Penetration Testing Labs 12

13 How a Slax Live CD Works Don't Like Slax? Check out linux-live.org Turn-Key Penetration Testing Labs 13

14 How a Slax Live CD Works File Structure / base boot devel modules optional rootcopy tools Base OS (devel) Gets Installed First modules are Installed Second (found in base and modules) rootcopy is Copied Next (Empty by Default) Turn-Key Penetration Testing Labs 14

15 How a Slax Live CD Works /rootcopy etc rc.d home opt var rc.local ssh passwd shadow sudoers rc.d Executed on Startup Come from modules Create Your Own rc.local Shell Script that Launches at Startup Primary Script for PenTest Disks Turn-Key Penetration Testing Labs 15

16 How a Slax Live CD Works Snippet of rc.local #Prevent brute force attacks iptables -A INPUT -p tcp -i eth0 -m state - state NEW --dport 22 -m recent --update - seconds 15 -j DROP iptables -A INPUT -p tcp -i eth0 -m state - state NEW --dport 22 -m recent --set -j ACCEPT # #remove the clues # cd / umount /boot rm -r /boot # Turn-Key Penetration Testing Labs 16

17 The Idea Behind Levels Some Hacking Techniques are Easier than Others Level 1 - Brute Force, Hidden Directories, Password Cracking... Level 2 - IDS Evasion, Back Doors, Elevating Privileges, Packet Sniffing... Level 3 - Weak Encryption, Shell Code, Reversing... Level 4 -??? Turn-Key Penetration Testing Labs 17

18 Real World Scenarios...or How to Intentionally Screw up Your Box Bad/Weak Passwords Unnecessary Services (ftp, telnet, rlogin (?!?!)) Unpatched Services Too Much Information Given (contact info, etc.) Poor System Configuration Poor / No Encryption Methodology Elevated User Privileges No IPsec Filtering Incorrect Firewall Rules (plug in and forget?) Clear-Text Passwords Username/Password Embedded in Software No Alarm Monitoring Turn-Key Penetration Testing Labs 18

19 Scenarios at De-ICE.net Warning: Spoiler Scenario Disk CEO pressured by the Board of Directors to have a penetration test done CEO, feels this is a huge waste of money Already has a company scan their network for vulnerabilities (using nessus) Contracts you to look at only one server Turn-Key Penetration Testing Labs 19

20 Scenarios at De-ICE.net Warning: Spoiler For the PenTester Disk There is a hints page that provides tools required as well as clues to push you along if you get stuck Objective is to learn the tools and expand your thought process Turn-Key Penetration Testing Labs 20

21 Scenarios at De-ICE.net Warning: Spoiler Tools Required nmap Firefox ssh hydra john (the ripper) openssl Disk Turn-Key Penetration Testing Labs 21

22 Scenarios at De-ICE.net Warning: Spoiler nmap Scan - Target Does Not Respond to ping - ftp is Intentionally Broken - There are no nessus Vulnerabilities (not Included in BackTrack) Disk Turn-Key Penetration Testing Labs 22

23 Scenarios at De-ICE.net Warning: Spoiler HTTP Info Disk User names: adams, banter, coffee, adamsa, banterb, coffeec, adama, bobb, chadc, aadams, bbanter, ccoffee, aadam, bbob, cchad, etc. (caps, numbers) Turn-Key Penetration Testing Labs 23

24 Scenarios at De-ICE.net Warning: Spoiler hydra / ssh Info Disk Login: bbanter / bbanter (joe password) - You could try all possible combinations using dictionary attack, but this is a quick check and narrows things down Turn-Key Penetration Testing Labs 24

25 Scenarios at De-ICE.net Warning: Spoiler hydra / ssh Info Disk Login: aadams / nostradamus Turn-Key Penetration Testing Labs 25

26 Scenarios at De-ICE.net Warning: Spoiler What's Next? john (the ripper) openssl Disk I'll leave the rest for you to work through hint: Find the CEO's bank account info to win Turn-Key Penetration Testing Labs 26

27 The Future for De-ICE.net What is Next for LiveCD PenTest Disks? Wireless Pentesting Potential Scenarios Might run Parallel to Current Level System WEP, WPA, WPA2 cracking Mimic MAC Address DoS Client / Assume Client Identity Man-in-the-Middle Attack Turn-Key Penetration Testing Labs 27

28 The Future for De-ICE.net What is Next for LiveCD PenTest Disks? IDS/IPS Potential Scenarios Network-Based Scenarios (currently Host-Based) Log Servers Attack Against Signature Files Slow Attacks (under thresholds) Turn-Key Penetration Testing Labs 28

29 The Future for De-ICE.net What is Next for LiveCD PenTest Disks? Beyond the PenTest Labs Disks Forensics Lab Learn how to use Forensics tools Real-World Scenarios Classroom How-To Demonstrations with Hands-On Labs Turn-Key Penetration Testing Labs 29

30 Links and Contact Info Thomas Wilhelm LiveCD PenTest Disks Network Configuration Information and Download Links in Forum (signup required) Turn-Key Penetration Testing Labs 30

31 Questions? Thank you for attending!!!...those of you still awake, please nudge those sleeping next to you. We're done here. It's been an honor to present to you today, and I'm always available to answer your questions. Turn-Key Penetration Testing Labs 31