Ethical Hacking and Penetration Testing: review of the obligatory literature

Chapter 2: Reconnaissance

Overview
- Definition
- Active vs. passive
- Stage 1
- Stage 2
- Active tools
- Passive tools
- DNS
- E-mail server
- Social engineering
- Practicing reconnaissance

Definition
- Reconnaissance = information gathering
- Must be equal parts hacker, social engineer and private investigator

Active vs. passive
- Active reconnaissance interacts with the target; passive does not
- Passive: use search engines, cached sites, phone books, written material, public information on the web, etc.
- Be careful with the tools you use: know what they do and how they do it

Stage 1: search public information
- Goal 1: gather intel
- Goal 2: sort and analyze the intel
- Identify services in the network
- Generate a list of attackable IPs
- Identify personnel/employees: phone, e-mail, social media, tax records
- Identify the physical layout: rooms, inventory, surrounding area

Stage 1: locate the target's website (active)
- Review it closely
- HTTrack the site for offline viewing (highly active interaction with the target)
- Look for: location, phone, e-mail, services, hours of operation, business relations, employees, social media, news, RSS feed, job listings
- Look for job listings on public sites as well

Stage 1: passive reconnaissance of the target in search engines
- Check out cached websites
- Find old, discarded and erased information
- Reduce footprints: it stays passive as long as you don't click on the links
- Follow strategic key personnel on social media

Stage 2: review the recovered intel
- Separate lists of all IP addresses, e-mails, host names and URLs
- Separate list of employees and their information
- Separate list of services running on the network

Active tools
- HTTrack: mirrors a site
- nslookup: queries DNS servers for stored IP/host mappings
- dig: easy way to perform a DNS zone transfer
- MetaGooFil: extracts metadata from files; can be used for offline scanning too

Passive tools
- Search engines: Google, Yahoo
- theHarvester: uses search engines to gather e-mail addresses, subdomains and user names
- Whois: get IP addresses, host names and DNS, contact info; check out the information in the referred URL
- Netcraft: searches its stored information for details on a URL
- host: translates a host name to an IP address and vice versa

DNS
- Like finding a blueprint of the system
- Enumerate all IP addresses
- The DNS servers' mechanism for syncing is a zone transfer: a DNS server sends all host/IP mappings to another server

E-mail server
- Contains significant pieces of information
- Send a mail that will be rejected and examine the Internet header of the bounce
- The header gives: IP address, software version and brand of the e-mail server
- The returned message gives: the antivirus used to scan the mail

Social engineering
- Make people reveal information willingly
- Physical contact, phishing, social interaction and interaction via telephone

Practicing reconnaissance
- Find a newspaper and choose an unknown corporate initiative
- Start performing PASSIVE reconnaissance
- Use search engines
- Try SEAT (Search Engine Assessment Tool)
- Try the Google Hacking Database
- Try Paterva's Maltego CE
Chapter 3: Scanning

Overview
- Stage 1
- Stage 2
- Stage 3
- Ping and ping sweeps
- Port scanning
- Vulnerability scanning
- Practising port scanning

Stages of scanning
- Stage 1: determine if the system is alive (poor reliability)
- Stage 2: port/service scan the system; find open/vulnerable services and ports on the system
- Stage 3: scan the system for vulnerabilities; identify vulnerable services and hosts

Stage 1
- Determine if the system is turned on
- Determine if the system is capable of communicating with our host
- Continue with stages 2 and 3 no matter what

Stage 2: port scanning
- Ports are a way for services to communicate with hardware
- Scan the host list for ports
- Identify running services
- Pay attention to open ports

Stage 3: vulnerability scanning
- Locate and identify known vulnerabilities in the services running on a target machine
- Begin by scanning the perimeter devices; the intel gathered is from perimeter hosts
- Not always possible to gain internal access: conquer a perimeter device, then jump to an internal host

Ping and ping sweep
- Ping: ICMP echo packet; tells if the host is up and running, though the host may not reply anyway
- Ping sweep: automatically sending ICMP echo packets to a range of hosts to see which are up; automated tools, or simple scripting

Port scanning
- Identify which ports and services are available
- Port range: 0-65,535, either TCP or UDP
- Determine the purpose of the host
- Creates a packet and sends it to the host's port
- Different types of port scans can produce different results
- nmap, or its GUI zenmap
- -sT TCP scan: completes the TCP handshake
- -sS SYN scan: faster, only completes 2/3 of the TCP handshake
- -sU UDP scan: sends a UDP packet to the host; slow but needed
- Xmas scan: scans for RFC-documented vulnerabilities and loopholes
- Null scan: packets that violate standard TCP communication
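Ping sweeps and SYN-based port scans both show up in firewall logs as one source fanning out across many hosts or many ports. The detector below is an added example, not code from the book: it runs over constructed log lines in an assumed "time proto src -> dst[:port] ..." format and flags a source once its fan-out reaches a threshold. At this level -sT and -sS look alike, since both open with a SYN and only whether the handshake completes differs.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from the book). ICMP echo requests (type=8) from one
# source to many hosts look like a ping sweep; SYNs from one source to many ports on one
# host look like a port scan. 10.0.0.9 is ordinary traffic and must not be flagged.
SAMPLE_LOG = """\
10:00:01 ICMP 10.0.0.5 -> 192.168.1.1 type=8
10:00:01 ICMP 10.0.0.5 -> 192.168.1.2 type=8
10:00:01 ICMP 10.0.0.5 -> 192.168.1.3 type=8
10:00:02 ICMP 10.0.0.5 -> 192.168.1.4 type=8
10:00:02 ICMP 10.0.0.5 -> 192.168.1.5 type=8
10:00:09 TCP 10.0.0.7 -> 192.168.1.10:22 flags=S
10:00:09 TCP 10.0.0.7 -> 192.168.1.10:80 flags=S
10:00:09 TCP 10.0.0.7 -> 192.168.1.10:443 flags=S
10:00:10 TCP 10.0.0.7 -> 192.168.1.10:3306 flags=S
10:00:10 TCP 10.0.0.7 -> 192.168.1.10:8080 flags=S
10:00:11 TCP 10.0.0.9 -> 192.168.1.10:443 flags=S
10:00:12 ICMP 10.0.0.9 -> 192.168.1.10 type=8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>ICMP|TCP) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)(?::(?P<port>\d+))?"
)


def detect_scans(log_text, sweep_hosts=4, scan_ports=4):
    """Return {"ping_sweep": {src: hosts_probed}, "port_scan": {(src, dst): ports_probed}}
    for sources whose fan-out reaches the given thresholds."""
    icmp_targets = defaultdict(set)   # src -> hosts probed with an ICMP echo request
    syn_ports = defaultdict(set)      # (src, dst) -> ports hit with a SYN
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines the parser does not understand
        if m["proto"] == "ICMP" and "type=8" in line:
            icmp_targets[m["src"]].add(m["dst"])
        elif m["proto"] == "TCP" and "flags=S" in line and m["port"]:
            syn_ports[(m["src"], m["dst"])].add(int(m["port"]))
    return {
        "ping_sweep": {s: len(h) for s, h in icmp_targets.items() if len(h) >= sweep_hosts},
        "port_scan": {k: len(p) for k, p in syn_ports.items() if len(p) >= scan_ports},
    }


if __name__ == "__main__":
    print(detect_scans(SAMPLE_LOG))
```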
Vulnerability scanning
- Scan hosts for vulnerabilities on dedicated ports
- Nessus
- Read the intro in the book

Practicing port scanning
- Set up a virtual machine network: one BT5 and one Damn Vulnerable Linux, Windows XP SP2/SP1 without upgrades
- Work through the scanning techniques in the book
- Work through the vulnerability scanning
- Try other tools for port scanning and vulnerability scanning

Chapter 4: Exploitation

Overview
- Definition
- Medusa
- Metasploit
- John the Ripper
- Password resetting
- Network sniffing
- macof: MAC flooding
- Fast-Track Autopwn
- Practice

Definition
- The process of gaining control over a system
- You need to expand your knowledge of systems and exploits as you become more experienced
- Eventually you will learn to develop exploits

Medusa
- Pay attention to remote access: SSH, Telnet, FTP, PC Anywhere, VNC
- Brute force the usernames/passwords gathered during reconnaissance
- Medusa and Hydra; learn Hydra too
- Medusa: parallel brute force; cracks logins of remote services: AFP, FTP, HTTP, IMAP, MySQL, POP3, SMTP-AUTH, SNMP, SSHv2, Telnet, VNC, web forms and more
- Dictionary attacks

Metasploit
- Based on an exploit framework, structured to develop and launch exploits
- Exploits: functions that exploit vulnerabilities
- Payloads: tasks to perform upon a successful exploit
- General use: decide target -> select exploit -> choose payload -> exploit
- Newbies get lost in Metasploit's abilities

Metasploit
- Select the target based on Nessus output
- Search Metasploit for the specific vulnerabilities
- Select the corresponding exploit with high rank/dependability
- Set the parameters for the exploit
- View payloads, select a payload, set its parameters
- Run the exploitation; if all is right you will have control

Metasploit payloads
- Bind: sends an exploit and makes a connection to the target
- Reverse: sends an exploit and forces the target to connect back to the attacker
- Meterpreter: provides a powerful command-line shell that can interact with the target; runs with the privileges of the exploited process; a complete shell with powerful features

John the Ripper
- Password/hash cracking; speed depends on the algorithm
- Escalating privileges with higher accounts
- Cracking: select the hashing algorithm; select a plaintext word (brute force or dictionary); hash the plaintext with that algorithm; compare the generated hash with the retrieved hash; if they are equal you have found the password

John the Ripper: SAM password file (Windows)
- Cracking: shut down the host
- Boot into BT5 and mount the local hard disk
- Go to the C:\Windows\System32\config folder
- Use samdump2 to extract the hashes; samdump2 uses the file system to decrypt and return the password hashes
- Upload the extracted file to an available location
- Use John to crack the passwords

John the Ripper: LM hashes (LAN Manager)
- Microsoft Windows; utilized by samdump2
- Not case sensitive: converts all characters to upper case before hashing
- LM passwords are 14 characters; if under 14 characters they are padded with NULL values
- Split in half and stored as two passwords of 7 characters
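The LM properties listed above (upper-casing, NUL padding to 14 bytes, the 7/7 split) are what an auditor looks for in a samdump2/pwdump-style dump. The script below is an added example, not code from the book: it reproduces the LM preprocessing and flags accounts whose LM hash shows that no LM hash is stored or that the password is at most 7 characters, using the well-known hash of an all-NUL half (aad3b435b51404ee). The dump lines and NT hash values are constructed placeholders.

```python
# Well-known LM hash of an all-NUL 7-byte half; two in a row mean there is no LM hash at all.
EMPTY_LM_HALF = "aad3b435b51404ee"

# Constructed pwdump/samdump2-style lines (user:RID:LMhash:NThash:::). Only the empty-half
# constant is real; the other hash values are placeholders, not real hashes.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000000:::
bob:1001:0123456789abcdefaad3b435b51404ee:00000000000000000000000000000000:::
carol:1002:0123456789abcdeffedcba9876543210:00000000000000000000000000000000:::
"""


def lm_halves(password: str) -> tuple[bytes, bytes]:
    """LM preprocessing as the slide describes it: upper-case, cut/pad to 14 bytes with NULs, split 7/7."""
    raw = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def audit_lm_hash(lm_hex: str) -> dict:
    """Classify one 32-hex-digit LM hash from its two 16-digit halves."""
    lm = lm_hex.strip().lower()
    if len(lm) != 32 or any(c not in "0123456789abcdef" for c in lm):
        raise ValueError("LM hash must be 32 hex digits")
    first, second = lm[:16], lm[16:]
    return {
        # both halves empty: LM storage disabled, empty password, or password longer than 14 chars
        "no_lm_hash": first == EMPTY_LM_HALF and second == EMPTY_LM_HALF,
        # second half empty but first not: the password is 7 characters or fewer
        "short_password": first != EMPTY_LM_HALF and second == EMPTY_LM_HALF,
    }


def audit_pwdump(text: str) -> list[dict]:
    """Walk dump lines and audit each account's LM hash."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        user, _rid, lm_hash, _nt_hash = fields[:4]
        finding = audit_lm_hash(lm_hash)
        finding["user"] = user
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_pwdump(SAMPLE_DUMP):
        print(f)
```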
John the Ripper: shadow password file
- Linux password hashes: /etc/passwd and /etc/shadow
- The unshadow function extracts the hashes
- Crack the hashes with John
- Uses multiple types of hashing algorithms

Password resetting
- Used instead of password cracking
- Sets off alarms: people will know you were there when their password doesn't work
- Blanks out the passwords in the password file; no restoration of the original passwords
- Requires physical access to the host

Password resetting
- Get physical access to the host
- Reboot into BT5
- Mount the local hard disks
- Run the chntpw program in /pentest/passwords/chntpw
- Follow the menu-driven interface for changing a user's password
- When the password is cleared, reboot into the original OS
- Log on to the host with the username and a blank password

Network sniffing
- Capturing and viewing packets transmitted on the network
- Promiscuous mode: the NIC must be set to promiscuous; it accepts all packets that arrive at the NIC
- Non-promiscuous mode: the default mode for a NIC; passes on only traffic sent to the NIC
- WLAN sniffing: monitor mode captures all packets received by the NIC; managed mode captures only packets addressed to the NIC

macof: MAC flooding
- Switches have limited MAC address storage
- They fail open by default when flooded: open sends the packet to everyone; closed causes a DoS
- macof generates packets with different MAC addresses and floods the network; easily detectable
- Wireshark: network analyzer

Fast-Track Autopwn
- Nukes the hosts based on IP address(es); built on Metasploit
- Automates the process of finding vulnerabilities and matching exploits
- Should lead to multiple shells
- Easiest way is to start the web GUI

Practice
- Set up a virtual pentest lab: BT5, Metasploitable, Windows XP SP1/SP2, Ubuntu 9.04/8.04, Damn Vulnerable Linux
- Test the different topics discussed
- Start with a known vulnerable host so you are not discouraged when trying exploitation
- Don't use cheat sheets

Chapter 5: Web-Based Exploitation

Overview
- Nikto
- WebSecurify
- Spidering: WebScarab
- Interception: WebScarab
- Code injection
- XSS
- Practice

Nikto
- Web server vulnerability scanner: out-of-date/missing patches and dangerous files
- Command-line tool
- Use Nikto when open ports 80 or 443 are found

WebSecurify
- Automates web vulnerability scanning
- GUI app; presents a report of the findings

Spidering: WebScarab
- A modular framework, expandable with plug-ins
- A program that catalogs the target website and finds links, files, etc.
- GUI app

Interception: WebScarab
- Proxy server feature: intercept data via the proxy
- Set up WebScarab with the proxy feature and switch to the Intercept tab
- All requests are stopped before you allow them to pass
- View or alter the content of each request between the targets

Code injection
- Many types
- SQL injection: inject variables that alter the original SQL query; add, delete or view information in the DB
- Comment signs: #, --
- Always-true statement: OR 1 = 1
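The always-true clause and comment sign named above, as an added example that is not from the book, run against an in-memory SQLite table: the string-built query is the vulnerable form, the parameterised query the fix. Table contents and credentials are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed credentials."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, password: str) -> list[str]:
    """Vulnerable form: user input is pasted into the query text, so quotes,
    comment signs and OR clauses become part of the SQL."""
    query = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in con.execute(query)]


def login_safe(con: sqlite3.Connection, name: str, password: str) -> list[str]:
    """Hardened form: the driver binds the values as data, so the same input matches no row."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in con.execute(query, (name, password))]


# Always-true clause plus the -- comment sign from the slide (SQLite does not use #).
# In the vulnerable query the WHERE clause becomes: name = 'x' AND password = '' OR 1=1 --'
PAYLOAD = "' OR 1=1 --"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", login_vulnerable(con, "x", PAYLOAD))  # every user name
    print("safe:      ", login_safe(con, "x", PAYLOAD))        # nothing
```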
XSS
- Injecting scripts into the web app
- Stored on the website: everyone is attacked
- JavaScript
- Use input fields to enter the scripts: forms, login, etc.; they are stored in the DB

Practice
- Test all the software described
- Download OWASP's WebGoat project: a vulnerable web server; install it on a virtual machine; command-line server interface; misconfigured and exploitable
- Access WebGoat from a browser at http://<ip>:8080/webgoat/attack
- Includes 30 lessons

Chapter 6: Maintaining Access with Backdoors and Rootkits

Overview
- Definition
- Netcat
- Cryptcat
- NetBus
- Rootkits
- Hacker Defender (rootkit)
- Detect/defend against rootkits
- Practice

Definition
- Backdoor: a piece of software that resides on the target host and allows the attacker to reconnect at will

Netcat
- Allows communication between hosts: listen, send, transmit files between hosts
- Can be set to listen for a connection from the attacker and auto-run on boot
- Does not respond once the transaction is finished
- Use Netcat to interact with unknown open ports
- Netcat can be bound to existing processes and communicate over the network

Cryptcat
- Netcat transmits information in clear text
- Cryptcat transmits information encrypted with Twofish
- Same commands as Netcat

NetBus
- The server is installed on the target
- The client connects to the server and controls it
- Sets the program up for autorun

Rootkits
- Stealthy, with a vast number of possibilities
- Uploaded to the system after exploitation
- Used for hiding files and programs and maintaining backdoor access

Hacker Defender (rootkit)
- Three main files
- hxdef100.exe: runs the program on the target
- hxdef100.ini: config file; the program is configured by setting parameters in this file
- bdcli100.exe: runs the program on the attacker's computer
- Read the guide on pages 137-141

Detect/defend against rootkits
- Steps: monitor intel put online; configure the firewall and other ACLs; patch the system; install and use antivirus software; make use of an IDS
- Installing a rootkit requires admin privileges and it will open ports: disable admin privileges for users; monitor network traffic against a correct baseline; run port scans; use a rootkit scanner
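Monitoring against a baseline and running port scans, from the defence list above, as an added example that is not from the book: it parses two constructed ss -ltnp style snapshots and reports listening sockets that appeared, disappeared or changed owner. Because a rootkit can hide its listener from tools on the host, the current snapshot is best taken from outside (a port scan of the host); the ss format is assumed here only because it carries the owning process name.

```python
import re

# Constructed `ss -ltnp` style snapshots (not real hosts): BASELINE taken when the host was
# known-good, CURRENT taken later. Ports, pids and process names are made up; the extra
# "nc" listener stands in for a Netcat backdoor set to start on boot.
BASELINE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=901,fd=6))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
"""
CURRENT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("httpd",pid=4411,fd=6))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       10      0.0.0.0:4444        0.0.0.0:*          users:(("nc",pid=4420,fd=4))
"""

# State, two queue counters, local addr:port, peer addr:port, then users:(("name",pid=...,fd=...))
LISTEN_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(text: str) -> dict[tuple[str, int], str]:
    """Map (local address, port) -> owning process name for every LISTEN line."""
    listeners = {}
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners[(m.group(1), int(m.group(2)))] = m.group(3)
    return listeners


def diff_listeners(baseline_text: str, current_text: str) -> dict:
    """Compare two snapshots: sockets that appeared, disappeared, or changed owner."""
    base, cur = parse_listeners(baseline_text), parse_listeners(current_text)
    return {
        "new": {k: cur[k] for k in cur.keys() - base.keys()},
        "gone": {k: base[k] for k in base.keys() - cur.keys()},
        "changed": {k: (base[k], cur[k]) for k in base.keys() & cur.keys() if base[k] != cur[k]},
    }


if __name__ == "__main__":
    print(diff_listeners(BASELINE, CURRENT))
```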
Practice
- Learn to set up Netcat connections between computers: binding to processes and so on, sending files, on multiple OSes, making it start on boot
- Try out other rootkits as well

Chapter 7: Wrapping up pentesting

Overview
- Report writing
- Executive summary
- Detailed report
- Raw output
- Next step
- Wrap-up

Report writing
- One of the most critical tasks in pentesting
- The face of your work and reputation: showcases the results and your talent
- A good report takes practice
- The report is broken into several pieces that together make up the complete report; every piece should work as a stand-alone report
- Includes at minimum: executive summary, detailed report and raw output of the gathered intel

Report writing
- Distribute the report securely as a digital document; may require instructing the employers
- Clearly label the sections: front page and table of contents; each page header and footer; each section and part
- Emphasize that the pentest was only valid at the time of testing
- Write, check, edit, re-read and finalize the report
- Sanitize tool output for comments left by hackers
- Set aside time afterwards to answer questions from the employers

Executive summary
- Brief overview of the major findings in a high-level fashion
- Absolute maximum size is two pages
- Only highlights of the penetration test: exploitable vulnerabilities
- Describe how the impact affects the business functionality
- Reference the technical aspects of the exploit/vulnerability, but no technical details or terminology
- Written for the employers/executive officers; basically your grandmother should be able to understand what happened during the pentest

Detailed report
- Comprehensive list of all findings and technical details; for each finding, refer to the technical output
- Audience: IT managers, security experts, network admins and others with significant technical skills
- Used to fix the issues presented in the report
- Order vulnerabilities descending by which poses the most danger to the network/system; some tools provide default ranking systems
- Example: if you have an exploited host without significant valuable data, but were unable to exploit a vulnerable border router, the border router is a far more valuable target than the host and should be listed before the exploited host
- Just report the facts; do not emphasize any particular item over another

Detailed report
- Never falsify data or reuse proof-of-concepts
- Provide proof-of-concept screenshots for exploits
- Include mitigating actions addressing the issue/vulnerability at hand: a vital part of the report, and it helps with repeat business
- When the pentest ends up with no vulnerabilities, the raw output of the tools will provide the intel for your report

Raw output
- The technical details and raw output from each of the tools used
- Problem 1: raw output could be several hundred pages
- Problem 2: could reveal the nature of the pentest and the trade secrets of pentesting, especially when using custom code/tools
- Could be as simple as including the output from the tools
- Be sure to create reference points to be used in the detailed report
- Decide whether to include the output as a stand-alone report

Next step
- Master the basic information and techniques previously described
- Move on to more advanced tasks: create custom tools/code and take on harder tasks
- Learn the tools of the trade
- Join forums, groups and fellow comrades: OWASP, BackTrack, InfraGard
- Join security conferences: DefCon, Black Hat
- Dive into specialized areas of pentesting; check out Syngress's catalog of specific topics
- Check out boot camps: expensive, but worth it
- Education: NSA-accredited Centers of Academic Excellence
- Check out pentesting methodologies

Other stuff: extra material

Overview
- WiFi
- Physical pentesting
- Other tools
- Setting up a pentest lab

WiFi
- Check out the aircrack-ng suite; needs an Atheros WiFi card
- Check out other tools: Kismet, NetStumbler
- Learn to perform WiFi coverage

Physical pentesting
- Read the book No-Tech Hacking by Johnny Long: superb information on physical pentesting; how to crack million-dollar systems for $10
- Lockpicking: check out TOOOL; DealExtreme has cheap lockpicks and exercise material; Spyshop.no has lockpicks too, but expensive and of the same quality

Other tools
- Wireshark, Ettercap, Angry IP Scanner, Maltego, TrueCrypt, nmap, BackTrack

Setting up a pentest lab
- Check out the guide in Metasploit: The Penetration Tester's Guide
- The Basics of Hacking and Penetration Testing
- Online guides

Learn to crack