by Penetration Testing

Transcription

1 BackTrack 4: Assuring Security by Penetration Testing Master the art of penetration testing with BackTrack Shakeel Ali Tedi Heriyanto rpafktl Pen I I llv. I\ 1 J community expe PUBLISHING- - BIRMINGHAM MUMBAI source experience distilled!?

2 Preface 1 PART 1: Lab Preparation and Testing Procedures Chapter 1: Beginning with BackTrack 9 History 9 BackTrack purpose 9 Getting BackTrack 11 Using BackTrack 12 Live DVD 12 Installing to hard disk 13 Installation in real machine 13 Installation in VirtualBox 14 Portable BackTrack 19 Configuring network connection 21 Ethernet setup 21 Wireless setup 22 Starting the network service 24 Updating BackTrack 24 Updating software applications 25 Updating the kernel 26 Installing additional weapons 29 Nessus vulnerability WebSecurify 31 Customizing BackTrack 32 Summary 34 scanner 30 Chapter 2: Penetration Testing Methodology 37 Types of penetration testing Black-box testing White-box testing Vulnerability assessment versus penetration testing

3 Security testing methodologies 41 Open Source Security Testing Methodology Manual (OSSTMM) 42 Key features and benefits 43 Information Systems Security Assessment Framework (ISSAF) 44 Key features and benefits 45 Open Web Application Security Project (OWASP) Top Ten 46 Key features and benefits 48 Web Application Security Consortium Threat Classification (WASC-TC) 49 Key features and benefits 50 BackTrack testing methodology 51 Target scoping 52 Information gathering 52 Target discovery 53 Enumerating target 53 Vulnerability mapping 53 Social engineering 54 Target exploitation 54 Privilege escalation 54 Maintaining access 55 Documentation and reporting 55 The ethics 55 Summary 56 PART II: Chapter 3: Target Scoping Penetration Testers Armory Gathering client requirements 62 Customer requirements form 63 Deliverables assessment form 64 Preparing the test plan 64 Test plan checklist 66 Profiling test boundaries 67 Defining business objectives 68 Project management and scheduling 69 Summary 70 Chapter 4: Information Gathering 73 Public resources 74 Document gathering 75 Metagoofil 75 DNS information 77 dnswalk 78 dnsenum 79 dnsmap 81 [M] 6j1

4 dnsmap-bulk 83 dnsrecon 84 fierce 85 Route information 86 Otrace 86 dmitry 88 itrace 90 tcpraceroute 91 tctrace Utilizing search engines 93 goorecon 93 theharvester 95 All-in-one intelligence gathering 96 Maltego 96 Documenting the information 101 Dradis 102 Summary 107 Chapter 5: Target Discovery 109 Introduction 109 Identifying the target machine 110 ping 110 arping 111 arping2 112 fping 113 genlist 115 hping2 116 hping3 117 lanmap 118 nbtscan 119 nping 121 onesixtyone 122 OS fingerprinting 122 pof 123 xprobe2 124 Summary 126 Chapter 6: Enumerating Target 127 Port scanning 127 AutoScan 131 Netifera 134 Nmap 136 Nmap target specification 138 [iii] 92

5 Nmap TCP scan options 139 Nmap UDP scan options 140 Nmap port specification 141 Nmap output options 142 Nmap timing options 143 Nmap scripting engine 144 Unicornscan 147 Zenmap 148 Service enumeration 152 Amap 152 Httprint 153 Httsquash 155 VPN enumeration 156 ike-scan 157 Summary 159 Chapter 7: Vulnerability Mapping 161 Types of vulnerabilities 162 Local vulnerability 162 Remote vulnerability 163 Vulnerability taxonomy 164 Open Vulnerability Assessment System (OpenVAS) 165 OpenVAS integrated security tools 166 Cisco analysis 169 Cisco Auditing Tool 169 Cisco Global Exploiter 170 Cisco Passwd Scanner 172 Fuzzy analysis 173 BED 173 Bunny 175 JBroFuzz 177 SMB analysis 180 Impacket Samrdump 180 Smb4k 181 SNMP analysis 182 ADMSnmp 183 Snmp Enum 184 SNMP Walk 186 Web application analysis 188 Database assessment tools 188 DBPwAudit 189 Pblind 190 SQLbrute 191

6 SQLiX 194 SQLMap 196 SQLNinja 199 Application assessment tools 202 Burp Suite 202 Grendel Scan 204 LBD 206 Nikto2 207 Paros Proxy 209 Ratproxy 210 W3AF 212 WAFWOOF 214 WebScarab 215 Summary 217 Chapter 8: Social Engineering 219 Modeling human psychology 220 Attack process 220 Attack methods 221 Impersonation 221 Reciprocation 222 Influential authority 222 Scarcity 223 Social relationship 223 Social Engineering Toolkit (SET) 224 Targeted phishing attack 225 Gathering user credentials 230 Common User Passwords Profiler (CUPP) 234 Summary 235 Chapter 9: Target Exploitation 237 Vulnerability research 238 Vulnerability and exploit repositories 240 Advanced exploitation toolkit 241 MSFConsole 242 MSFCLI 244 Ninja 101 drills 246 Scenario #1 246 Scenario #2 248 Scenario #3 252 Scenario #4 261 Scenario #5 263 Writing exploit module 268 Summary 273

7 Chapter 10: Privilege Escalation 275 Attacking the password 276 Offline attack tools 277 Rainbowcrack 277 Samdump2 280 John 282 Ophcrack 284 Crunch 285 Wyd Online attack tools 287 BruteSSH 287 Hydra 288 Network sniffers 289 Dsniff 290 Hamster 291 Tcpdump 294 Tcpick 295 Wireshark 296 Network spoofing tools 298 Arpspoof 298 Ettercap 300 Summary 304 Chapter 11: Maintaining Access 305 Protocol tunneling 305 DNS2tcp 306 Ptunnel 307 Stunnel4 308 Proxy 311 3proxy 311 Proxychains 312 End-to-end connection 313 CryptCat 313 Sbd 314 Socat 315 Summary 319 Chapter 12: Documentation and Reporting 321 Documentation and results verification 322 Types of reports 323 Executive report 323 Management report 324 Technical report 325 Network penetration testing report (sample contents) 326 [vi] 286

8 Table of Contents 326 Presentation 327 Post testing procedures 328 Summary 329 PART 111: Extra Ammunition Appendix A: Supplementary Tools 333 Vulnerability scanner 333 NeXpose community edition 334 NeXpose installation 334 Starting NeXpose community 335 Login to NeXpose community 336 Using NeXpose community 336 Web application fingerprinter 338 WhatWeb 338 BlindElephant 339 Network Ballista 341 Netcat 341 Open connection 342 Service banner grabbing 342 Simple server 343 File transfer 343 Portscanning 344 Backdoor Shell 344 Reverse shell 345 Summary 346 Appendix B: Key Resources 347 Vulnerability Disclosure and Tracking 347 Paid Incentive Programs 349 Reverse Engineering Resources 349 Network ports 350 Index 357 [vii]