
Page 1: J. A. Drew Hamilton, Jr., Ph.D. - Mississippi State University, web.cse.msstate.edu/~hamilton/P3I/CEH/lessons/12_Penetration_Te…

Mississippi State University Center for Cyber Innovation 1

J. A. “Drew” Hamilton, Jr., Ph.D. Director, Center for Cyber Innovation

Professor, Computer Science & Engineering

CCI Post Office Box 9627 Mississippi State, MS 39762

Voice: (662) 325-2294 Fax: (662) 325-7692 [email protected]


Penetration Testing

Dr. Drew Hamilton
Reference: Elham Hojati, TTU
Reference: Dr. Regina Hartley
Reference: Matt Walker, All-in-One CEH Certified Ethical Hacker


Section Objectives

•  Describe penetration testing, security assessments, and risk management
•  Define automatic and manual testing
•  List the pen test methodology and deliverables


Penetration Test Definition

•  A penetration test is an attack on a computer system, network or Web application, carried out to find vulnerabilities that an attacker could exploit: security weaknesses that could give access to the system, its functionality and its data.
•  Pen tests can be automated with software applications or they can be performed manually.
•  The process includes:
   –  gathering information about the target before the test (reconnaissance),
   –  identifying possible entry points (port scanning),
   –  attempting to break in (either virtually or for real),
   –  reporting back the findings.


Why conduct a penetration test?

•  Prevent data breach

•  Test your security controls

•  Ensure system security

•  Get a baseline

•  Compliance


Penetration Test Steps

•  Establish goal
•  Information gathering
   –  Reconnaissance
   –  Discovery
      •  Port scanning
      •  Vulnerability scanning
•  Vulnerability analysis
   –  Taking control
      •  Exploitation
      •  Brute forcing
      •  Social engineering
   –  Pivoting (using one exploit to find another)
•  Reporting
   –  Evidence collection
   –  Risk analysis
   –  Remediation


Pen Test Planning

•  Scope
•  Internal or external
•  In-house or outsourced
•  Selecting a pen-tester (white hat hacker)
•  White hat hacker vs. black hat hacker: penetration tests are sometimes called white hat attacks because in a pen test the good guys are attempting to break in. The term "white hat" in Internet slang refers to an ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security of an organization's information systems.


OWASP Methodology

1.  Introduction and Objectives
2.  Information Gathering
3.  Configuration and Deployment Management Testing
4.  Identity Management Testing
5.  Authentication Testing
6.  Authorization Testing
7.  Session Management Testing
8.  Data Validation Testing
9.  Error Handling
10.  Cryptography
11.  Business Logic Testing
12.  Client Side Testing


Penetration Test Step Cycle

•  Step 1: Introduction and Objectives
•  Step 2: Information gathering
•  Step 3: Vulnerability analysis
•  Step 4: Simulation (penetrate the system to provide the proof)
•  Step 5: Risk assessment
•  Step 6: Recommendations for reduction or recovery and providing the report


Pen Test Tools: Kali Linux

•  Kali Linux is a Debian-derived Linux distribution, designed for digital forensics and penetration testing.
•  Kali Linux is preinstalled with numerous penetration-testing programs.
•  Kali Linux can be run from a hard disk, live CD, or live USB. It is a supported platform of the Metasploit Project's Metasploit Framework, a tool for developing and executing security exploits.
•  From the creators of BackTrack comes Kali Linux, the most advanced penetration testing distribution created to date.


Maltego

•  Maltego is an open source intelligence and forensics application.
•  It gathers information and presents that information in an easy-to-understand format.


WHOIS SERVICE

•  WHOIS is a query and response protocol that is widely used for querying databases that store the registered users of an Internet resource, such as a domain name, an IP address block, or an autonomous system.
•  It is also used for a wider range of other information.
•  The protocol stores and delivers database content in a human-readable format.
   –  Open a command line terminal in Kali Linux and type whois <target>, for example: whois google.com
   –  Type ping yahoo.com and find the IP address of yahoo.
   –  Type whois <yahoo IP address>
   –  Go to the link http://www.iana.org/whois and type google.com
   –  Go to the link http://www.whois.net/ and type www.google.com
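The lookup the slide runs by hand, as an added example that is not part of the original slides: a minimal WHOIS client speaking the RFC 3912 wire protocol (TCP port 43, one line plus CRLF, read until the server closes), plus a parser that turns the reply into the fields a recon write-up records. The default server name whois.iana.org is an assumption and SAMPLE_REPLY is constructed for offline use.

```python
"""Minimal WHOIS client (RFC 3912 wire protocol) plus a key-driven parser for the reply.
SAMPLE_REPLY is constructed for offline use; real registrar output varies in layout."""
import re
import socket
from typing import Dict, List

WHOIS_PORT = 43  # TCP port assigned to WHOIS by RFC 3912

def build_query(target: str) -> bytes:
    """Encode a query exactly as the wire protocol expects: one line + CRLF."""
    target = target.strip()
    if not target or "\r" in target or "\n" in target:
        raise ValueError("query must be a single non-empty line")
    return (target + "\r\n").encode("ascii")

def whois_lookup(target: str, server: str = "whois.iana.org", timeout: float = 10.0) -> str:
    """Send one query and return the whole reply text (needs network access)."""
    chunks: List[bytes] = []
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(build_query(target))
        while True:
            data = sock.recv(4096)
            if not data:  # the server closes the connection when the reply is complete
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /_.-]*?):\s*(.*?)\s*$")

def parse_whois(text: str) -> Dict[str, List[str]]:
    """Collect 'Key: value' lines into a dict of lists (repeated keys such as
    Name Server keep every value). Lines starting with %, # or >>> are registry
    notices and disclaimers rather than data, so they are skipped."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "%#>":
            continue
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), []).append(m.group(2))
    return fields

SAMPLE_REPLY = """% Constructed sample reply for offline use (not real registry data)
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, LLC
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2030-08-13T04:00:00Z
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
Domain Status: clientTransferProhibited
>>> Last update of whois database: 2020-07-24T00:00:00Z <<<
"""

def summarize(text: str) -> Dict[str, object]:
    """Pull out the fields a recon write-up usually records."""
    f = parse_whois(text)

    def first(key: str) -> str:
        return f.get(key, [""])[0]

    return {
        "domain": first("domain name").lower(),
        "registrar": first("registrar"),
        "created": first("creation date"),
        "expires": first("registry expiry date"),
        "name_servers": [ns.lower() for ns in f.get("name server", [])],
    }
```

Running summarize(whois_lookup("google.com")) against a live server reproduces the slide's terminal exercise; the parser is deliberately key-driven because different registries label the same fields differently.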


Vega

•  Vega is a free and open source scanner and testing platform to test the security of web applications.

•  Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities.

•  It is written in Java, GUI based, and runs on Linux, OS X, and Windows.


Other Pen Testing Tools

•  Metasploit (previously discussed)
•  Codenomicon
   –  toolkit for automated penetration testing that, according to the provider, eliminates unnecessary ad hoc manual testing.
•  Core Impact
   –  tests everything from web applications and individual systems to network devices and wireless (a vulnerability management function is found in their Core Insight product).
•  CANVAS
   –  From Immunity Security; CANVAS makes available hundreds of exploits, an automated exploitation system, and a comprehensive, reliable exploit development


Safety Note from Matt Walker

•  There’s an important point here for you on anything illegal you might stumble across: do not copy any of it to your own devices under any circumstances.
   –  In the case of child porn, possession itself is a crime.
   –  Sandia Lab pen testing
   –  Classified material

•  Again, this job puts you in strange places, and you had better have a process defined to handle everything from pirated software to porn to illegal activity.


Pen Test Report Components

•  An executive summary of the organization’s overall security posture.
   –  (If you are testing under the auspices of FISMA, DIACAP, RMF, HIPAA, or some other standard, this summary will be tailored to the standard.)
   –  The names of all participants and the dates of all tests.
•  A list of findings, usually presented in order of highest risk.
•  An analysis of each finding and recommended mitigation steps (if available).
•  Log files and other evidence from your toolset.
   –  This evidence should include tons of screenshots, because that’s what customers seem to want.

Matt Walker


Pen Testing Threats

•  Many of the tools used by hackers can be used for good or evil

•  For the purposes of the book, if a tool is used by black hats it is called hacking, if it is used by white hats then it’s ethical hacking or penetration testing


Threats or Pen Test Tools?

•  General Threats
   –  Script Kiddies
   –  Trojans
   –  Backdoors
   –  DDoS attacks
   –  OS fingerprinting
   –  DoS attacks
   –  Man-in-the-Middle
   –  Mail bombing
   –  War dialing
   –  Ping of Death
   –  Fake Login Screens
   –  Teardrop attack
   –  Traffic analysis
   –  Slamming and cramming


Operating System Scanning

•  Operating System Scanning
   1.  Find out what systems are running (ping sweep)
   2.  Port scan the hosts
   3.  Correlate the services that are running
   4.  Run a vulnerability scan


Wrappers

•  An additional layer of protection can be applied in Unix-like systems by using “wrappers”
•  Information gathering
   –  Browsing – a general technique used by intruders to obtain information they are not authorized to access
      •  Perusing file listings on devices
      •  Dumpster diving
      •  Shoulder surfing


Sniffers

•  A network sniffer is a tool that monitors traffic as it traverses a network
   –  Also referred to as network analyzers or protocol analyzers
   –  Runs with the NIC in promiscuous mode
•  Secure versions of services and protocols should be used when possible in order to combat sniffers
   –  Example: Secure RPC (S-RPC): uses Diffie-Hellman public key cryptography to determine the shared secret key
   –  R-utilities (rlogin, rexec, rsh, rcp) in Unix all have several weaknesses and should be replaced by a service that requires stronger authentication such as secure shell


Session Hijacking

•  Session Hijacking
   –  Can be countered with IPSec or Kerberos
•  Loki attack
   –  Uses ICMP protocol for covert channel communications
   –  Writes data behind the ICMP header (which is designed for status and error messages)
   –  Successful because ICMP is not typically scanned by firewalls
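A defender-side response to the Loki point above, added here and not part of the original slides: a heuristic inspector for ICMP echo packets that parses and checksums the header, then scores the payload behind it against what stock ping tools send (a fixed 32-byte string for Windows ping, a timestamp plus the increasing bytes 0x10..0x3f for Linux ping). The pattern constants, the entropy threshold and the sample packets are assumptions constructed for this example.

```python
"""Heuristic inspector for ICMP echo payloads that may carry hidden data.
Sample packets are constructed locally; nothing here touches the network."""
import math
import struct
from dataclasses import dataclass

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
# What stock ping tools put behind the header: Windows ping sends this 32-byte
# string; Linux ping sends an 8-byte timestamp followed by the bytes 0x10..0x3f.
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PATTERN = bytes(range(0x10, 0x40))
ENTROPY_LIMIT = 5.0  # bits per byte; assumption: ping patterns sit well below this

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length padded with a zero)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(ident: int, seq: int, payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Assemble a well-formed ICMP echo packet; used only to construct samples."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0 for empty input, 8 for uniformly random bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def looks_like_ping(payload: bytes) -> bool:
    """True when the payload matches a stock ping pattern (Linux timestamp prefix ignored)."""
    if payload == WINDOWS_PATTERN:
        return True
    return len(payload) >= 16 and payload[8:] == LINUX_PATTERN[: len(payload) - 8]

@dataclass
class Verdict:
    suspicious: bool
    reason: str
    entropy: float

def inspect_echo(packet: bytes) -> Verdict:
    """Parse the ICMP header, verify the checksum, then judge the payload behind it."""
    if len(packet) < 8:
        return Verdict(True, "truncated ICMP header", 0.0)
    icmp_type, _code, csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return Verdict(False, "not an echo packet", 0.0)
    payload = packet[8:]
    ent = shannon_entropy(payload)
    if icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) != csum:
        return Verdict(True, "bad checksum", ent)
    if not payload or looks_like_ping(payload):
        return Verdict(False, "standard ping payload", ent)
    if ent > ENTROPY_LIMIT:
        return Verdict(True, "high-entropy payload (compressed or encrypted data?)", ent)
    try:
        if payload.decode("ascii").isprintable():
            return Verdict(True, "printable text inside echo payload", ent)
    except UnicodeDecodeError:
        pass
    return Verdict(True, "non-standard payload", ent)
```

In a real deployment the same check would be fed from a packet capture and paired with rate and size baselines; a single odd echo is a lead, not a verdict.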


Password Cracking

•  Password Cracking
   –  Static passwords are the technique of choice, both for familiarity and cost reasons
   –  Easily cracked; other options would be smart cards or biometrics (at a greater cost)
   –  Password cracking tools (e.g. John the Ripper, Crack, Ophcrack) attack encoded hashes
   –  Dictionary or brute force attacks on stolen password files (rainbow tables not addressed)
   –  Strong password policies: at least 8 characters, upper case, lower case, at least 2 special characters
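The slide's password policy as a check, added here and not part of the original slides, with one extra rule reflecting the dictionary attacks the slide mentions: a password that satisfies the four character rules but is a dictionary word with digits or punctuation tacked on still fails. The ASCII-punctuation definition of "special character" and WORDLIST are assumptions; the wordlist is constructed.

```python
"""Checker for the password policy stated on the slide, plus a dictionary-word rule.
WORDLIST is a constructed stand-in for a real cracking dictionary."""
import string
from typing import Dict, List

MIN_LENGTH = 8
MIN_SPECIAL = 2
SPECIAL_CHARS = set(string.punctuation)  # assumption: "special" means ASCII punctuation
WORDLIST = {"password", "welcome", "letmein", "qwerty", "mississippi"}  # constructed

def policy_violations(password: str) -> List[str]:
    """Return every rule the password breaks; an empty list means it passes."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    specials = sum(1 for c in password if c in SPECIAL_CHARS)
    if specials < MIN_SPECIAL:
        problems.append(f"only {specials} special character(s), need {MIN_SPECIAL}")
    # Dictionary rule: drop case, digits and punctuation, then look the core up.
    # "Password!!1" satisfies the four character rules above but is still a
    # straightforward dictionary hit once the decoration is stripped.
    core = "".join(c for c in password.lower() if c.isalpha())
    if core in WORDLIST:
        problems.append("based on a dictionary word")
    return problems

def meets_policy(password: str) -> bool:
    return not policy_violations(password)

def audit(candidates: List[str]) -> Dict[str, List[str]]:
    """Map each candidate to its violations, e.g. for a batch of test-account passwords."""
    return {pw: policy_violations(pw) for pw in candidates}
```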


Backdoors

•  A backdoor is a program that is installed by an attacker to enable them to come back into the computer at a later date without having to supply login credentials or go through any type of authorization process
   –  Such behaviors can often be detected by host-based intrusion detection systems


Vulnerability Testing

•  Goals of a vulnerability testing assessment
   –  Evaluate the true security posture of an environment (minimize false positives)
   –  Identify as many vulnerabilities as possible with honest evaluations and prioritization of each
   –  Test how systems react to certain circumstances and attacks, to learn not only what the known vulnerabilities are (given a specific operating environment), but also how the unique elements of the environment might be abused (such as SQL injection attacks, buffer overflows, and process design flaws that facilitate social engineering)


Written Agreement

•  Highlighted caution: Before carrying out vulnerability testing, a written agreement from management is required! This protects the tester against prosecution for doing his job, and ensures there are no misunderstandings by providing in writing what the tester should – and should not – do.


Personnel Testing

•  Personnel testing: includes reviewing employee tasks and thus identifying vulnerabilities in the standard practices and procedures that employees are instructed to follow, demonstrating social engineering attacks and the value of training users to detect and resist such attacks, and reviewing employee policies and procedures to ensure those security risks that cannot be reduced through physical and logical controls are met with the final control category (Administrative)


Physical Testing

•  Physical testing: includes reviewing facility and perimeter protection mechanisms. For example, do the doors automatically close and an alarm sound if the door is open too long? Are interior protection mechanisms of server rooms, wiring closets, sensitive systems, and assets appropriate? Is dumpster diving a threat? What of protection mechanisms for manmade, natural, or technical threats? Is there a fire suppression system? Are sensitive electronics kept above raised floors so they survive a minor flood?


System and Network Testing

•  Systems and network testing: perhaps what most people think of when discussing information security vulnerability testing. For efficiency, an automated scanning product identifies known system vulnerabilities, and some may (if management has signed off on the performance impact and the risk of disruption) attempt to exploit vulnerabilities


Penetration Testing

•  Penetration Testing: the process of simulating attacks on a network and its systems at the request of the owner or senior management
   –  Measures an organization’s level of resistance to an attack and uncovers weaknesses within their environment
   –  Foundation is established by a vulnerability scan


Get Out of Jail Free

•  Highlighted note: A “Get Out of Jail Free Card” is a document you can present to someone who thinks you are up to something malicious, when in fact you are carrying out an approved test.

•  There have been many situations in which an individual (or a team) was carrying out a penetration test and was approached by a security guard or someone who thought this person was in the wrong place at the wrong time


Pen Test Process

The process steps of a penetration test:

1.  Discovery: Footprinting and information gathering
2.  Enumeration: Port scans and resource identification
3.  Vulnerability mapping: Identifying vulnerabilities
4.  Exploitation: Gaining unauthorized access
5.  Reporting: Documentation and suggestions to management


Types of Pen Tests

•  Types of tests
   –  Zero knowledge v. partial knowledge (advance knowledge of the tester)
   –  Blind, double-blind, or targeted (use of public knowledge or targeted knowledge, and whether the staff is aware)


Vulnerability Targets

•  Vulnerability targets
   –  Kernel flaws: fixed by patching
   –  Buffer overflows: fixed by defensive programming and developer education
   –  Symbolic links: fixed by requiring scripts to ensure use of fully qualified paths
   –  File descriptor attacks: fixed by defensive programming and developer education
   –  Race conditions: fixed by defensive programming and developer education
   –  File and directory permissions: fixed by use of file integrity checkers
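For the last item above, and for the earlier Backdoors slide's note that such behaviour is often caught by host-based intrusion detection, an added example that is not part of the original slides: the core of a file-integrity checker that baselines permission bits, owner and content hash for every regular file under a directory and reports additions, removals, content changes, permission changes and newly setuid/setgid files. The directory layout and the tampering in demo() are constructed.

```python
"""Core of a file-integrity checker: baseline mode bits, owner and SHA-256 per
file, then report what changed. demo() builds and tampers with a throwaway
tree in a temporary directory, so everything below runs offline."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List

Baseline = Dict[str, Dict[str, object]]
SUID_BITS = stat.S_ISUID | stat.S_ISGID

def snapshot(root: str) -> Baseline:
    """Record permission bits, owner uid and content hash of every regular file under root."""
    result: Baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope here
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            result[os.path.relpath(path, root)] = {
                "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "sha256": h.hexdigest()}
    return result

def compare(baseline: Baseline, current: Baseline) -> List[str]:
    """Return one finding per change; an empty list means the tree matches the baseline."""
    findings: List[str] = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append(f"ADDED {rel} (mode {new['mode']:04o})")
        elif new is None:
            findings.append(f"REMOVED {rel}")
        else:
            if old["sha256"] != new["sha256"]:
                findings.append(f"MODIFIED {rel}")
            if old["mode"] != new["mode"]:
                findings.append(f"MODE {rel} {old['mode']:04o} -> {new['mode']:04o}")
            if old["uid"] != new["uid"]:
                findings.append(f"OWNER {rel} {old['uid']} -> {new['uid']}")
            if new["mode"] & SUID_BITS and not old["mode"] & SUID_BITS:
                findings.append(f"SETUID/SETGID {rel}")  # privilege escalation left-behind
    return findings

def demo() -> List[str]:
    """Baseline a small tree, then make the kind of changes a backdoor install leaves behind."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        tool, config = os.path.join(root, "bin", "tool"), os.path.join(root, "config")
        with open(tool, "w") as fh:
            fh.write("#!/bin/sh\necho ok\n")
        os.chmod(tool, 0o755)
        with open(config, "w") as fh:
            fh.write("setting=1\n")
        os.chmod(config, 0o644)
        base = snapshot(root)
        with open(config, "a") as fh:  # edited config file (constructed tampering)
            fh.write("setting=2\n")
        os.chmod(tool, 0o4755)  # setuid bit added to an existing binary
        with open(os.path.join(root, "bin", ".hidden"), "w") as fh:  # new hidden file
            fh.write("x")
        return compare(base, snapshot(root))
```

A production checker persists the baseline somewhere the monitored host cannot rewrite it and runs on a schedule; the comparison logic is the same.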


Operations Security


EC-Council: Certified Ethical Hacker


CEH Certification 5 Day Bootcamp


https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/


Summary - Section Objectives

•  Describe penetration testing, security assessments, and risk management
•  Define automatic and manual testing
•  List the pen test methodology and deliverables