Mississippi State University Center for Cyber Innovation 1
J. A. “Drew” Hamilton, Jr., Ph.D. Director, Center for Cyber Innovation
Professor, Computer Science & Engineering
CCI Post Office Box 9627 Mississippi State, MS 39762
Voice: (662) 325-2294 Fax: (662) 325-7692 [email protected]
Penetration Testing
Dr. Drew Hamilton
Reference: Elham Hojati, TTU
Reference: Dr. Regina Hartley
Reference: Matt Walker, All-in-One CEH Certified Ethical Hacker
Section Objectives
• Describe penetration testing, security assessments, and risk management
• Define automatic and manual testing
• List the pen test methodology and deliverables
Penetration Test Definition
• A penetration test is an attack on a computer system, network, or Web application, conducted to find vulnerabilities that an attacker could exploit, with the intention of finding security weaknesses and potentially gaining access to the system, its functionality, and its data.
• Pen tests can be automated with software applications, or they can be performed manually.
• The process includes:
– gathering information about the target before the test (reconnaissance),
– identifying possible entry points (port scanning),
– attempting to break in (either virtually or for real),
– reporting back the findings.
Why conduct a penetration test?
• Prevent data breach
• Test your security controls
• Ensure system security
• Get a baseline
• Compliance
Penetration Test Steps
• Establish goal
• Information gathering
  – Reconnaissance
  – Discovery
    • Port scanning
    • Vulnerability scanning
    • Vulnerability analysis
  – Taking control
    • Exploitation
    • Brute forcing
    • Social engineering
  – Pivoting (using one exploit to find another)
• Reporting
  – Evidence collection
  – Risk analysis
  – Remediation
Pen Test Planning
• Scope
• Internal or external
• In-house or outsourced
• Selecting a pen-tester (white hat hacker)
• White hat hacker vs. black hat hacker
Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in. The term "white hat" in Internet slang refers to an ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security of an organization's information systems.
OWASP Methodology
1. Introduction and Objectives
2. Information Gathering
3. Configuration and Deploy Management Testing
4. Identity Management Testing
5. Authentication Testing
6. Authorization Testing
7. Session Management Testing
8. Data Validation Testing
9. Error Handling
10. Cryptography
11. Business Logic Testing
12. Client Side Testing
Penetration Test Step Cycle
• Step 1: Introduction and Objectives
• Step 2: Information gathering
• Step 3: Vulnerability analysis
• Step 4: Simulation (penetrate the system to provide the proof)
• Step 5: Risk assessment
• Step 6: Recommendations for reduction or recovery and providing the report
Pen Test Tools: Kali Linux
• Kali Linux is a Debian-derived Linux distribution, designed for digital forensics and penetration testing.
• Kali Linux is preinstalled with numerous penetration-testing programs.
• Kali Linux can be run from a hard disk, live CD, or live USB. It is a supported platform of the Metasploit Project's Metasploit Framework, a tool for developing and executing security exploits.
• From the creators of BackTrack comes Kali Linux, the most advanced penetration testing distribution created to date.
Maltego
• Maltego is an open source intelligence and forensics application.
• It offers information gathering as well as the representation of this information in an easy-to-understand format.
WHOIS SERVICE
• WHOIS is a query and response protocol that is widely used for querying databases that store the registered users of an Internet resource, such as a domain name, an IP address block, or an autonomous system.
• It is also used for a wider range of other information.
• The protocol stores and delivers database content in a human-readable format.
– Open a command line terminal in Kali Linux and type whois <target>, for example: whois google.com
– Type ping yahoo.com and find the IP address of yahoo.
– Type whois <yahoo IP address>
– Go to the link http://www.iana.org/whois and type google.com
– Go to the link http://www.whois.net/ and type www.google.com
Vega
• Vega is a free and open source scanner and testing platform to test the security of web applications.
• Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities.
• It is written in Java, GUI based, and runs on Linux, OS X, and Windows
Other Pen Testing Tools
• Metasploit (previously discussed)
• Codenomicon
– toolkit for automated penetration testing that, according to the provider, eliminates unnecessary ad hoc manual testing.
• Core Impact
– tests everything from web applications and individual systems to network devices and wireless (a vulnerability management function is found in their Core Insight product).
• CANVAS
– From Immunity Security; CANVAS makes available hundreds of exploits, an automated exploitation system, and a comprehensive, reliable exploit development
Mississippi State University Center for Cyber Innovation 15
Safety Note from Matt Walker
• There’s an important point here for you on anything illegal you might stumble across: do not copy any of it to your own devices under any circumstances.
– In the case of child porn, possession itself is a crime.
– Sandia Lab pen testing
– Classified material
• Again, this job puts you in strange places, and you had better have a process defined to handle everything from pirated software to porn to illegal activity.
Mississippi State University Center for Cyber Innovation 16
Pen Test Report Components
• An executive summary of the organization’s overall security posture.
– (If you are testing under the auspices of FISMA, DIACAP, RMF, HIPAA, or some other standard, this summary will be tailored to the standard.)
– The names of all participants and the dates of all tests.
• A list of findings, usually presented in order of highest risk.
• An analysis of each finding and recommended mitigation steps (if available).
• Log files and other evidence from your toolset.
– This evidence should include tons of screenshots, because that’s what customers seem to want.
Matt Walker
Mississippi State University Center for Cyber Innovation 17 17
Pen Testing Threats
• Many of the tools used by hackers can be used for good or evil
• For the purposes of the book, if a tool is used by black hats it is called hacking, if it is used by white hats then it’s ethical hacking or penetration testing
Mississippi State University Center for Cyber Innovation 18 18
Threats or Pen Test Tools?
• General Threats
– Script Kiddies
– Trojans
– Backdoors
– DDoS attacks
– OS fingerprinting
– DoS attacks
– Man-in-the-Middle
– Mail bombing
– War dialing
– Ping of Death
– Fake Login Screens
– Teardrop attack
– Traffic analysis
– Slamming and cramming
Mississippi State University Center for Cyber Innovation 19 19
Operating System Scanning
1. Find out what systems are running (ping sweep)
2. Port scan the hosts
3. Correlate the services that are running
4. Run a vulnerability scan
Mississippi State University Center for Cyber Innovation 20 20
Wrappers
• An additional layer of protection can be applied in Unix-like systems by using “wrappers”
• Information gathering
– Browsing: a general technique used by intruders to obtain information they are not authorized to access
• Perusing file listings on devices
• Dumpster diving
• Shoulder surfing
Mississippi State University Center for Cyber Innovation 21 21
Sniffers
• A network sniffer is a tool that monitors traffic as it traverses a network
– Also referred to as network analyzers or protocol analyzers
– Runs with the NIC in promiscuous mode
• Secure versions of services and protocols should be used when possible in order to combat sniffers
– Example: Secure RPC (S-RPC): uses Diffie-Hellman public key cryptography to determine the shared secret key
– R-utilities (rlogin, rexec, rsh, rcp) in Unix all have several weaknesses and should be replaced by a service that requires stronger authentication, such as secure shell
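The promiscuous-mode point above is also something a defender can check on the host itself. This is an added example, not from the slides: on Linux, each interface's flag word is exposed in /sys/class/net/<iface>/flags, and the IFF_PROMISC bit (0x100) marks an interface that is handing every frame up to a sniffer. The sample flag values are constructed, and the check only sees sniffers running on the host where it runs.

```python
import os

IFF_PROMISC = 0x100  # Linux interface flag bit (include/uapi/linux/if.h)


def is_promiscuous(flags_hex: str) -> bool:
    """True when a sysfs flags value such as '0x1103' has IFF_PROMISC set."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def flag_promiscuous(interfaces: dict) -> list:
    """Given {iface: flags_hex}, return the sorted names running promiscuous."""
    return sorted(name for name, flags in interfaces.items() if is_promiscuous(flags))


def read_sysfs_flags(sysfs_net: str = "/sys/class/net") -> dict:
    """Collect the flags file of every interface under sysfs (Linux only)."""
    result = {}
    if not os.path.isdir(sysfs_net):
        return result  # not Linux, or sysfs not mounted
    for name in os.listdir(sysfs_net):
        try:
            with open(os.path.join(sysfs_net, name, "flags")) as fh:
                result[name] = fh.read()
        except OSError:
            continue  # virtual entries without a flags file
    return result


# Constructed sample as it would be read from sysfs: lo is UP|LOOPBACK (0x9),
# eth0 is UP|BROADCAST|MULTICAST (0x1003), eth1 additionally has the 0x100
# promiscuous bit set (0x1103).
SAMPLE = {"lo": "0x9\n", "eth0": "0x1003\n", "eth1": "0x1103\n"}

if __name__ == "__main__":
    live = read_sysfs_flags() or SAMPLE
    for iface in flag_promiscuous(live):
        print(f"ALERT: {iface} is in promiscuous mode")
```

Run it from cron or a HIDS hook and alert on any interface that appears in the list without a known capture job behind it.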
Mississippi State University Center for Cyber Innovation 22 22
Session Hijacking
• Session Hijacking
– Can be countered with IPSec or Kerberos
• Loki attack
– Uses the ICMP protocol for covert channel communications
– Writes data behind the ICMP header (which is designed for status and error messages)
– Successful because ICMP is not typically scanned by firewalls
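As an added example (not from the slides or the referenced books) of detecting the Loki-style misuse described above, the following Python parses ICMP messages and flags echo requests and replies whose data does not look like the stock payload a ping tool sends. The "stock" layouts (iputils: 8-byte timestamp followed by the counting bytes 0x10, 0x11, ...; Windows ping: the letters a..w repeated) and the 64-byte size ceiling are assumptions, and both sample messages are constructed.

```python
import struct
from collections import namedtuple

# Assumed stock payload layouts: iputils sends an 8-byte timestamp followed by
# the bytes 0x10, 0x11, 0x12, ...; Windows ping repeats the letters a..w. Any
# other data riding in an echo message is treated as suspect.
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvw"
Icmp = namedtuple("Icmp", "type code checksum ident seq payload")


def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(msg: bytes) -> Icmp:
    """Split an ICMP message into its 8-byte header fields and trailing payload."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    return Icmp(*struct.unpack("!BBHHH", msg[:8]), msg[8:])


def checksum_ok(msg: bytes) -> bool:
    return icmp_checksum(msg) == 0  # a correctly checksummed message sums to zero


def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Construct an echo request with a valid checksum (used for the samples)."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def looks_like_stock_ping(payload: bytes) -> bool:
    body = payload[8:] if len(payload) >= 16 else b""
    if body and all(b == (0x10 + i) & 0xFF for i, b in enumerate(body)):
        return True  # iputils layout: timestamp, then a counting byte sequence
    return bool(payload) and payload == (WINDOWS_PATTERN * 4)[:len(payload)]


def covert_channel_suspected(msg: bytes, max_payload: int = 64) -> bool:
    """Flag echo messages whose data does not look like a stock ping payload."""
    pkt = parse_icmp(msg)
    if pkt.type not in (0, 8):  # only echo request/reply carry free-form data
        return False
    return len(pkt.payload) > max_payload or (bool(pkt.payload) and not looks_like_stock_ping(pkt.payload))


# Constructed samples: a normal 56-byte iputils ping, and one carrying hidden text.
NORMAL_PING = build_echo(0x1234, 1, bytes(8) + bytes(range(0x10, 0x40)))
COVERT_PING = build_echo(0x1234, 2, b"constructed: data hidden behind the ICMP header")
```

Feed it the ICMP portion of captured packets (after the IP header) and review what it flags; legitimate tools with custom payloads will also trip it, so tune the stock layouts to what your environment actually sends.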
Mississippi State University Center for Cyber Innovation 23 23
Password Cracking
• Password Cracking
– Static passwords are the technique of choice, both for familiarity and cost reasons
– Easily cracked; other options would be smart cards or biometrics (at a greater cost)
– Password cracking tools (e.g., John the Ripper, Crack, Ophcrack) attack encoded hashes
– Dictionary or brute force attacks on stolen password files (rainbow tables not addressed)
– Strong password policies: at least 8 characters, upper case, lower case, at least 2 special characters
Mississippi State University Center for Cyber Innovation 24 24
Backdoors
• A backdoor is a program that is installed by an attacker to enable them to come back into the computer at a later date without having to supply login credentials or go through any type of authorization process
– Such behaviors can often be detected by host-based intrusion detection systems
Mississippi State University Center for Cyber Innovation 25 25
Vulnerability Testing
• Goals of a vulnerability testing assessment
– Evaluate the true security posture of an environment (minimize false positives)
– Identify as many vulnerabilities as possible with honest evaluations and prioritization of each
– Test how systems react to certain circumstances and attacks, to learn not only what the known vulnerabilities are (given a specific operating environment), but also how the unique elements of the environment might be abused (such as SQL injection attacks, buffer overflows, and process design flaws that facilitate social engineering)
Mississippi State University Center for Cyber Innovation 26 26
Written Agreement
• Highlighted caution: Before carrying out vulnerability testing, a written agreement from management is required! This protects the tester against prosecution for doing his job, and ensures there are no misunderstandings by providing in writing what the tester should – and should not – do.
Mississippi State University Center for Cyber Innovation 27 27
Personnel Testing
• Personnel testing: includes reviewing employee tasks and thus identifying vulnerabilities in the standard practices and procedures that employees are instructed to follow, demonstrating social engineering attacks and the value of training users to detect and resist such attacks, and reviewing employee policies and procedures to ensure those security risks that cannot be reduced through physical and logical controls are met with the final control category (Administrative)
Mississippi State University Center for Cyber Innovation 28 28
Physical Testing
• Physical testing: includes reviewing facility and perimeter protection mechanisms. For example, do the doors automatically close, and does an alarm sound if a door is open too long? Are the interior protection mechanisms for server rooms, wiring closets, sensitive systems, and assets appropriate? Is dumpster diving a threat? What protection mechanisms exist for man-made, natural, or technical threats? Is there a fire suppression system? Are sensitive electronics kept above raised floors so they survive a minor flood?
Mississippi State University Center for Cyber Innovation 29 29
System and Network Testing
• Systems and network testing: perhaps what most people think of when discussing information security vulnerability testing. For efficiency, an automated scanning product identifies known system vulnerabilities, and some may (if management has signed off on the performance impact and the risk of disruption) attempt to exploit vulnerabilities
Mississippi State University Center for Cyber Innovation 30 30
Penetration Testing
• Penetration Testing: the process of simulating attacks on a network and its systems at the request of the owner or senior management
– Measures an organization’s level of resistance to an attack and uncovers weaknesses within their environment
– Foundation is established by a vulnerability scan
Mississippi State University Center for Cyber Innovation 31 31
Get Out of Jail Free
• Highlighted note: A “Get Out of Jail Free Card” is a document you can present to someone who thinks you are up to something malicious, when in fact you are carrying out an approved test.
• There have been many situations in which an individual (or a team) was carrying out a penetration test and was approached by a security guard or someone who thought this person was in the wrong place at the wrong time
Mississippi State University Center for Cyber Innovation 32 32
Pen Test Process
The process steps of a penetration test:
1. Discovery: Footprinting and information gathering
2. Enumeration: Port scans and resource identification
3. Vulnerability mapping: Identifying vulnerabilities
4. Exploitation: Gaining unauthorized access
5. Reporting: Documentation and suggestions to management
Mississippi State University Center for Cyber Innovation 33 33
Types of Pen Tests
• Types of tests
– Zero knowledge v. partial knowledge (advance knowledge of the tester)
– Blind, double-blind, or targeted (use of public knowledge or targeted knowledge, and whether the staff is aware)
Mississippi State University Center for Cyber Innovation 34 34
Vulnerability Targets
• Vulnerability targets
– Kernel flaws: fixed by patching
– Buffer overflows: fixed by defensive programming and developer education
– Symbolic links: fixed by requiring scripts to ensure use of fully qualified paths
– File descriptor attacks: fixed by defensive programming and developer education
– Race conditions: fixed by defensive programming and developer education
– File and directory permissions: fixed by use of file integrity checkers
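The "file integrity checkers" named in the last bullet, and the host-based detection of backdoors mentioned on the Backdoors slide, both rest on the same idea: baseline what is on disk and report drift. This is an added example, not the slides' or any product's code: it records a content hash, permission bits and ownership per file using lstat (so symbolic links are recorded as links rather than followed) and reports anything added, removed, or changed. The demo() scenario, its file names and contents are constructed.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Record content hash, permission bits and ownership for every entry under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: record symlinks as links, never follow them
            entry = {"mode": stat.filemode(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
            if stat.S_ISLNK(st.st_mode):
                entry["target"] = os.readlink(path)
            elif stat.S_ISREG(st.st_mode):
                digest = hashlib.sha256()
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        digest.update(chunk)
                entry["sha256"] = digest.hexdigest()
            baseline[os.path.relpath(path, root)] = entry
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Report files that appeared, vanished, or whose recorded attributes changed."""
    report = {"added": sorted(new.keys() - old.keys()), "removed": sorted(old.keys() - new.keys()), "changed": {}}
    for path in old.keys() & new.keys():
        diffs = sorted(k for k in old[path].keys() | new[path].keys() if old[path].get(k) != new[path].get(k))
        if diffs:
            report["changed"][path] = diffs
    return report


def demo() -> dict:
    """Constructed scenario: baseline a temporary tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        conf, key = Path(root, "app.conf"), Path(root, "service.key")
        conf.write_text("debug=false\n")
        conf.chmod(0o640)
        key.write_text("constructed-secret\n")
        key.chmod(0o600)
        baseline = snapshot(root)
        # Simulated tampering: edited config, loosened key permissions, unexpected new file
        conf.write_text("debug=true\n")
        key.chmod(0o644)
        Path(root, "unexpected.bin").write_bytes(b"\x00constructed\x00")
        return compare(baseline, snapshot(root))
```

Store the baseline off-host (or signed), since an attacker who can plant a backdoor can also rewrite a baseline kept beside it.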
Mississippi State University Center for Cyber Innovation 35 35
Operations Security
Ec-Council: Certified Ethical Hacker
CEH Certification 5 Day Bootcamp
https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/
Summary - Section Objectives
• Describe penetration testing, security assessments, and risk management
• Define automatic and manual testing
• List the pen test methodology and deliverables