UCCS CS 6910 - Penetration Testing & Countermeasures

Penetration Testing & Countermeasures
Paul Fong & Cai Yu
CS6915 May 2003

Security Penetration Services
  - Goal: help organizations secure their systems
  - Skill set: equivalent to system administrators
  - Record keeping & ethics

Announced vs. Unannounced Penetration Testing
  - Announced testing
      - Pros
          - Efficient
          - Team oriented
      - Cons
          - Holes may be fixed as discovered & block further penetration
          - False sense of security
  - Unannounced testing
      - Pros
          - Greater range of testing
      - Cons
          - Response may block further penetration
          - Requires strict escalation process
          - Impacts operations

Rules of Engagement
  - Type of attacks allowed (no DoS)
  - Off-limits machines & files (passwords)
  - Designated machines or networks
  - Test plan
  - Contacts

Penetration Testing Phases
  - Footprint
  - Scanning/Probing
  - Enumeration
  - Gain Access
  - Escalate Privileges
  - Exploit
  - Cover Tracks
  - Create Backdoors

Footprinting
  - Profile target passively
      - Address blocks
      - Internet IP addresses
      - Administrators
  - Techniques
      - Googling
      - Whois lookups

Scanning/Probing: nmap
  - Active probing
  - NMAP
      - Port scanner
      - www.insecure.org
  - Discovers:
      - Available hosts
      - Ports (services)
      - OS & version
      - Firewalls
      - Packet filters

Scanning/Probing: nessus
  - www.nessus.org
  - Vulnerability scanning
      - Common configuration errors
      - Default configuration weaknesses
      - Well-known vulnerabilities

Enumeration: hackbot
  - Identify accounts, files & resources
  - Ws.obit.nl/hackbot
  - Finds:
      - CGI
      - Services
      - X connection check

Gaining Access: packet captures
  - Eavesdropping
  - Ethereal, www.ethereal.com

Physical Access
  - Boot loader & BIOS vulnerabilities
      - GRUB loader
          - No password
          - Allows hacker to boot into single-user w/root access
  - Password crackers
      - John the Ripper
      - Crack

Wireless Security
  - War driving with directional antenna
  - Wired Equivalent Privacy (WEP) vulnerabilities
  - Penetration tools:
      - WEPcrack
      - AirSnort

Counter Measures 1
  - Apply the latest patches.
  - Change default settings/options.
  - Set up passwords and protect your password file.
  - Install anti-virus software and keep it updated.

Counter Measures 2
  - Install only required software; open only required ports.
  - Maintain a good backup.
  - Set a BIOS password, a system loader password, and other passwords as necessary.
  - Have a good emergency plan.

Counter Measures 3
  - Monitor your system if possible.
  - Have a good administrator.

Future Improvements
  - Correction of weaknesses uncovered by the penetration exercise
  - Automate and customize the penetration test process
  - Use of intrusion detection systems
  - Use of honeypots and honeynets

Demo: Retina Network Security Scanner
Created by eEye Digital Security, Retina Network Security Scanner is recognized as the #1 rated network vulnerability assessment scanner by Network World magazine. Retina sets the standard in terms of speed, ease of use, reporting, non-intrusiveness and advanced vulnerability detection capabilities. Retina incorporates the most comprehensive and up-to-date vulnerabilities database -- automatically downloaded at the beginning of every Retina session.

Bibliography
  - Klevinsky et al. Hack I.T.: Security Through Penetration Testing. ISBN 0-201-71956-8.
  - McClure et al. Hacking Exposed: Network Security Secrets and Solutions, 2nd edition. ISBN 0-07-222742-7.
  - Sage, Scott & Lear, Lt. Col. Tom. "A Penetration Analysis of UCCS Network Lab Machines," March 2003. UCCS course CS691c.
  - Warren Kruse et al. Computer Forensics. ISBN 0-201-70719-5.
  - Ed Skoudis et al. Counter Hack. ISBN 0-13-033273-9.
  - Lance Spitzner et al. Honeypots. ISBN 0-321-10895-7.
  - Retina network security scanner,