UCCS CS 6910 - Penetrate Testing

This preview shows page 1-2-3-25-26-27 out of 27 pages.


Penetrate Testing
C. Edward Chow (cs691chow)

Slide titles:
- Penetrate Testing
- Outline of The Talk
- Definition
- More Thorough Penetration Study
- Hacking Methodology (Steps)
- Footprinting
- Scanning
- Enumeration
- Gaining Access
- Escalating Privilege
- Pilfering
- Covering Tracks
- Creating Back Doors
- Denial of Services
- Nessus: Integrated Security Scanning Tool
- Slide 16 through Slide 21
- Setting up Backdoor Connection
- Setup Netcat
- Setup FPIPE
- Telnet to the relay host
- Layering of Tests
- Slide 27

Slide 2: Outline of The Talk
- Definition, Concepts on Penetration Testing/Hacking
- Anatomy of a Hack
- Framework for penetration studies
- Skills and Requirements of a Penetration Tester
- SANS list of Security Holes
- Internet Penetration
- Dial up Penetration
- Internal Penetration
References:
- Chapter 23, Vulnerability Analysis, by Matt Bishop.
- Hack I.T.: Security Through Penetration Testing, by T.J. Klevinsky, Scott Laliberte, Ajay Gupta.
- Hacking Exposed, by Stuart McClure, Joel Scambray and George Kurtz. http://www.hackingexposed.com/win2k/links.html

Slide 3: Definition
- Vulnerability (Security Flaw): specific failure of the system to guard against unauthorized access or actions. It can be procedures, technology (SW or HW), or management. Using the failure of the system to violate the site security policy is called exploiting the vulnerability.
- Penetration Study is a test for evaluating the strengths of all security controls on the computer system. It intends to find all possible security holes and provides suggestions for fixing them.
- Penetration Testing is an authorized attempt to violate specific constraints stated in the form of a security or integrity policy.
- Penetration Testing is a testing technique for discovering, understanding, and documenting all the security holes that can be found in a system. It is not a proof technique. It can never prove the absence of security flaws. It can only prove their presence.
- Example goals of penetration studies are gaining of read or write access to specific objects, files, or accounts; gaining of specific privileges; and disruption or denial of the availability of objects.
- What is the difference between penetration testing and hacking/intrusion?

Slide 4: More Thorough Penetration Study
- A more thorough penetration study is to find the proper interpretation of vulnerabilities found and draw conclusions on the care taken in the design and implementation.
- A simple list of vulnerabilities, although helpful in closing those specific holes, contributes far less to the security of a system.
- In practice, constraints (resource, money, time) affect the penetration study.

Slide 5: Hacking Methodology (Steps)
An excellent description is inside the back cover page of the “Hacking Exposed” text by McClure et al.
Step: example tools and techniques
- Footprinting: whois, nslookup
- Scanning: Nmap, fping
- Enumeration: dumpACL, showmount, legion, rpcinfo
- Gaining Access: Tcpdump, L0phtcrack, NAT
- Escalating Privilege: John the Ripper, getadmin
- Pilfering: Rhosts, userdata, config files, registry
- Covering Tracks: zap, rootkits
- Creating Back Doors: cron, at, startup folder, netcat, keystroke logger, remote desktop
- Denial of Service: Synk4, ping of death, tfn/stacheldraht

Slide 6: Footprinting
- Information gathering. Sam Spade is a Windows-based network query tool.
- Find out target IP address/phone number range.
- Why check phone numbers?
- Namespace acquisition. Network Topology (visualRoute).
- It is essential to a “surgical” attack.
- The key here is not to miss any details.
- Note that for a penetration tester, this step is to avoid testing others instead of your client and to include all systems to be tested (sometimes the organization will not tell you what their systems consist of).
- Defense: deploy NIDS (snort), RotoRouter
Techniques:
- Open Source search
- Find domain name, admin, IP addresses, name servers
- DNS zone transfer
Tools:
- Google, search engine, Edgar
- Whois (Network Solutions; ARIN)
- Nslookup (ls –d)
- dig
- Sam Spade

Slide 7: Scanning
- Bulk Target assessment
- Which machine is up and what ports (services) are open
- Focus on most promising avenues of entry.
- To avoid being detected, these tools can reduce frequency of packet sending and randomize the ports or
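
Added example (not part of the original slides): the Scanning slide notes that scanning tools can lower their packet rate and randomize ports to avoid detection. The Python code below shows the detection side on constructed log lines: a 60-second window only flags the fast scanner, while counting distinct destination/port pairs per source over a long window also flags the slow one. The log format, addresses, window sizes and threshold are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

def parse(line):
    """Parse a constructed log line: '<epoch> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)

def detect_scanners(events, window, min_ports):
    """Return sources that touched >= min_ports distinct (dst, port) pairs
    within any `window`-second span. Events must be time-ordered."""
    recent = defaultdict(deque)      # src -> deque of (ts, dst, port)
    flagged = set()
    for ts, src, dst, port in events:
        q = recent[src]
        q.append((ts, dst, port))
        # Drop probes that fell out of the observation window.
        while q and q[0][0] <= ts - window:
            q.popleft()
        # Distinct targets matter, not packet count or port ordering.
        if len({(d, p) for _, d, p in q}) >= min_ports:
            flagged.add(src)
    return flagged

def sample_events():
    """Constructed sample traffic (documentation address ranges)."""
    lines = []
    # Fast scanner: 20 sequential ports in 20 seconds.
    lines += [f"{1000 + i} 198.51.100.7 192.0.2.10 {20 + i}" for i in range(20)]
    # Slow scanner: one probe every 5 minutes, ports in non-sequential order.
    ports = [443, 22, 8080, 3389, 25, 110, 21, 445, 139, 53,
             23, 80, 1433, 3306, 5900]
    lines += [f"{1000 + 300 * i} 203.0.113.9 192.0.2.10 {p}"
              for i, p in enumerate(ports)]
    # Ordinary client: many connections, a single service.
    lines += [f"{1000 + 30 * i} 198.51.100.50 192.0.2.10 443"
              for i in range(100)]
    return sorted(parse(l) for l in lines)

if __name__ == "__main__":
    ev = sample_events()
    print("60 s window:", sorted(detect_scanners(ev, 60, 10)))
    print("2 h window :", sorted(detect_scanners(ev, 7200, 10)))
```

The ordinary client is never flagged in either run because it only ever reaches one destination/port pair, however many connections it makes.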

