CSIS 3756 Security Design Mr. Mark Welton
Feb 25, 2016

Transcript
Page 1: CSIS 3756 Security Design

CSIS 3756 Security Design

Mr. Mark Welton

Page 2: CSIS 3756 Security Design

Penetration Testing
Definition, Concepts on Penetration Testing/Hacking
What is the difference between Penetration Testing and Vulnerability Assessment
What is the difference between Penetration Testing and Hacking
Anatomy of a Hack
How does Penetration Testing differ from the Anatomy of a Hack

Page 3: CSIS 3756 Security Design

Vulnerability (Security Flaw): a specific failure of the system to guard against unauthorized access or actions. The failure can be in procedures, technology (SW or HW), or management.

Using the failure of the system to violate the site security policy is called exploiting the vulnerability.

Penetration Testing is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker. – Wikipedia

Penetration Testing is a testing technique for discovering, understanding, and documenting the security holes that can be found in a system.

It is not a proof technique. It can never prove the absence of security flaws. It can only prove their presence.

Example goals of penetration studies are gaining read or write access to specific objects, files, or accounts; gaining specific privileges; and disrupting or denying the availability of objects.

What is the difference between penetration testing and hacking/intrusion?

Definition

Page 4: CSIS 3756 Security Design

Vulnerability Assessment:
◦ Typically general in scope and includes a large assessment.
◦ Predictable. (I know when those darn Security guys scan us.)
◦ Unreliable at times, with a high rate of false positives. (I've got a banner.)
◦ Vulnerability assessment invites debate among System Admins.
◦ Produces a report with mitigation guidelines and action items.

Penetration Testing:
◦ Focused in scope and may include targeted attempts to exploit specific vectors (both IT and physical).
◦ Unpredictable by the recipient. (Don't know the "how?" and "when?")
◦ Highly accurate and reliable. (I've got root!)
◦ Penetration Testing = Proof of Concept against vulnerabilities.
◦ Produces a binary result: either the team owned you, or they didn't.

Penetration Testing vs. Vulnerability Assessment

Page 5: CSIS 3756 Security Design

Pen testers have prior approval from Senior Management. Hackers have prior approval from themselves.

Pen testers' social engineering attacks are there to raise awareness. Hackers' social engineering attacks are there to trick the DMV into divulging sensitive information about the whereabouts of their estranged ex-spouse.

Pen testers' war driving = geeks driving cars with really long antennas, license plate reading "r00t3d", while dyeing their hair green, looking to discover the hidden, unapproved networks your users thought it would be OK to install for you.

Hackers' wireless war driving doesn't happen so often because 14-year-olds typically don't have their license yet.

Pen testers have pink mohawks and wear trenchcoats in July. Hackers have pink mohawks and wear trenchcoats.... that they bought with your bank account info.

Penetration Testing vs. Hacking

Page 6: CSIS 3756 Security Design

Hacking Methodology (Steps), with the tools typically used at each step:

Footprinting: whois, nslookup
Scanning: Nmap, fping
Enumeration: dumpACL, showmount, legion, rpcinfo, Nessus
Gaining Access: Tcpdump, L0phtcrack, NAT, Metasploit
Escalating Privilege: John the Ripper, getadmin
Pilfering: rhosts, user data, config files, registry
Covering Tracks: zap, rootkits
Creating Back Doors: cron, at, startup folder, netcat, keystroke logger, remote desktop
Denial of Service: Synk4, ping of death, tfn/stacheldraht

Page 7: CSIS 3756 Security Design

Information gathering. Sam Spade is a Windows-based network query tool.

Find out the target IP address/phone number range.
◦ Why check phone numbers?

Namespace acquisition. Network topology (visualRoute). It is essential to a "surgical" attack. The key here is not to miss any details. Note that for the penetration tester, this step is about avoiding testing others instead of your client and about including all systems to be tested (sometimes the organization will not tell you what their systems consist of).

Defense: deploy a NIDS (Snort), RotoRouter.

Footprinting

Page 8: CSIS 3756 Security Design

Bulk target assessment: which machines are up and what ports (services) are open. Focus on the most promising avenues of entry. To avoid being detected, these tools can reduce the frequency of packet sending and randomize the order in which ports or IP addresses are scanned.

Note that some machines do not respond to ping but do respond to requests to ports that are actually open. Ardor is an example.

Scanning

Page 9: CSIS 3756 Security Design

Identify valid user accounts or poorly protected resource shares.

More intrusive probing than the scanning step.

Enumeration

Page 10: CSIS 3756 Security Design

Based on the information gathered so far, make an informed attempt to access the target.

Gaining Access

Page 11: CSIS 3756 Security Design

If only user-level access was obtained in the last step, seek to gain complete control of the system.

Escalating Privilege

Page 12: CSIS 3756 Security Design

Webster's Revised Unabridged Dictionary (1913)
◦ Pilfer \Pil"fer\, v. i. [imp. & p. p. Pilfered; p. pr. & vb. n. Pilfering.] [OF. pelfrer. See Pelf.] To steal in small quantities, or articles of small value; to practice petty theft.

Gather information to identify mechanisms that allow access to trusted systems.

Pilfering

Page 13: CSIS 3756 Security Design

Once total ownership of the target is secured, hiding this fact from system administrators becomes paramount, before they can react.

Covering Tracks

Page 14: CSIS 3756 Security Design

Trap doors will be laid in various parts of the system to ensure that privileged access is easily regained whenever the intruder decides.

Creating Back Doors

Page 15: CSIS 3756 Security Design

If the attacker is unsuccessful in gaining access, they may use readily available exploit code to disable a target as a last resort.

Denial of Services

Page 16: CSIS 3756 Security Design

How does Penetration testing differ?

Hacking Methodology: Footprinting, Scanning, Enumeration, Gaining Access, Escalating Privilege, Pilfering, Covering Tracks, Creating Back Doors, Denial of Service

Penetration Testing Methodology: Footprinting, Scanning, Enumeration, Gaining Access, Escalating Privilege, Pilfering

Page 17: CSIS 3756 Security Design

The good guys usually get some small piece of proof and exit as quietly as they came.

You have authority to do it.

How does Penetration testing differ?

Page 18: CSIS 3756 Security Design

First, can you do what you want to do where you want to do it?
◦ Is a war-dial legal against your own systems when going through a central office? Make sure you are protected with a "Letter of Authority".
◦ Protect yourself with a "Get out of jail" type letter.

Encrypt your data. You don't want to be liable if your data is compromised.

Some Legal issues to consider

Page 19: CSIS 3756 Security Design

Watch, and throttle if necessary, your generated network traffic... Think stealth and covert.

Think through your actions before doing them. Run these tools at your own risk. You are responsible for what you do.
◦ Test them on a stand-alone network with a network sniffer and review the source code
◦ Obtain tools from the source
◦ Verify checksums from multiple sources when applicable

More Lawyer Speak

Page 20: CSIS 3756 Security Design

Be as aggressive as you can and work to be creative. Now is when you can use the "thinking out of the box" classes that we've taken.

Don't get tunnel vision.

Are you going to do physical penetrations?
◦ Actually trying to break in, vs.
◦ Wandering where you shouldn't

What about “social engineering”?

What are your boundaries?

Page 21: CSIS 3756 Security Design

Application Service Providers (how can you use them?)

Externally hosted resources

Non-company equipment

All need to be addressed with each customer and agreed upon.

More Boundaries to Consider

Page 22: CSIS 3756 Security Design

Identify activities, persons, processes, and events that could affect the penetration test:

◦ Network quiet time
◦ Major upgrades
◦ Layoffs
◦ Strikes
◦ Administrator's day off
◦ Late at night when the NID monitoring staff is sleeping

Your advantage?

Coordinating Activities

Page 23: CSIS 3756 Security Design

Before proceeding, decide what perspective your team will take during the exercise.

What will the initial level of access and the amount of information be?
◦ Outsider with no previous knowledge
◦ Outsider with insider knowledge (with an inside partner or former insider)
◦ Low level insider (end-user)
◦ High level insider (system or network administrator)

What’s your perspective?

Page 24: CSIS 3756 Security Design

A signed letter from the "appropriate person". This could be an officer, the CIO, the owner, etc.

Includes:
◦ Who will perform the test
◦ When the test will be performed
◦ Why the test is being performed
◦ What types of activities will take place
◦ Includes targeted systems or locations
◦ Customer contacts for verification
◦ May include reasons to prematurely conclude the test

Request cooperation to minimize notification of your activities.

Is legal review of the letter important? May address liability issues.

The Authorization Letter

Page 25: CSIS 3756 Security Design

Why would you end your test before the allotted time-frame?

◦ Busted! The customer has detected your activities and sounded the alarm

◦ You’ve caused a negative impact such as a network or system outage

◦ You are not the person to successfully gain access

◦ You uncover such a significant vulnerability that you need to alert the system or network administrators

◦ You were slightly off on your IP addresses

◦ You've achieved your goal

Premature Termination

Page 26: CSIS 3756 Security Design

Remember, in general, success from your perspective does not equal success from your customer's perspective.
◦ Somebody generally goes home unhappy.
◦ Watch morale issues on your team.

The Pen-Test Paradox

Page 27: CSIS 3756 Security Design

Depending on your target, can you obtain a “clone” of the target?

It is often a lot easier to experiment, play, and sometimes destroy a controlled system.
◦ For example, based on your fingerprinting results, you'll have a pretty good idea of the current configuration.
◦ Configure another machine as a clone.
◦ Borrow or buy a clone system.

Turning a black-box pen test into a white-box pen test.

Page 28: CSIS 3756 Security Design

You must have a log-book of every activity that everybody does.
◦ Electronic or manual, just include the basics of who, what, when, and how.

The Linux "script <filename>" command is a great tool to save your logs for each terminal session. Control-D exits, and I use a convenient (but long) filename such as exchpt.gm.2003mar04.

Plan your efforts and communicate continuously with team members.

Almost ready
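The scope-keeping point from the footprinting slide (test your client, not others), the authorization letter's targets and window, the "slightly off on your IP addresses" termination reason, and the who/what/when/how log-book above, in working form as an added example that is not from these slides: a gate that refuses any step aimed outside the letter's addresses or time window and records each step together with a hash of its captured evidence. The scope values (TEST-NET addresses), the function names and the `action` callable are assumptions.

```python
import getpass
import hashlib
import ipaddress
from datetime import datetime, timezone

# Constructed stand-in for the scope section of an authorization letter
# (hypothetical values on TEST-NET addresses, not taken from the slides).
AUTHORIZED_SCOPE = {
    "targets": ["203.0.113.0/24", "198.51.100.10"],
    "window": ("2016-02-25T22:00:00+00:00", "2016-02-26T06:00:00+00:00"),
}

def _as_time(when):
    """Accept an ISO-8601 string or an aware datetime; default to now (UTC)."""
    if isinstance(when, str):
        return datetime.fromisoformat(when)
    return when or datetime.now(timezone.utc)

def in_scope(target, scope=AUTHORIZED_SCOPE):
    """True only if target lies inside an authorized host or network."""
    ip = ipaddress.ip_address(target)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in scope["targets"])

def in_window(when, scope=AUTHORIZED_SCOPE):
    """True only if the timestamp falls inside the agreed testing window."""
    start, end = (datetime.fromisoformat(t) for t in scope["window"])
    return start <= _as_time(when) <= end

def run_logged(target, how, action, when=None, who=None,
               scope=AUTHORIZED_SCOPE, logbook=None):
    """Gate one test step on scope and time, run it, and record who/what/when/how.
    action(target) is the step itself (hypothetical callable returning raw output);
    its output is hashed so the log-book entry can be matched to saved evidence."""
    when = _as_time(when)
    entry = {"who": who or getpass.getuser(), "what": target,
             "how": how, "when": when.isoformat()}
    if not in_scope(target, scope):            # "slightly off on your IP addresses"
        entry["result"] = "REFUSED: target not in authorization letter"
    elif not in_window(when, scope):
        entry["result"] = "REFUSED: outside agreed testing window"
    else:
        output = action(target)
        entry["result"] = "ran"
        entry["evidence_sha256"] = hashlib.sha256(output.encode()).hexdigest()
    if logbook is not None:                    # shared team log-book entry
        logbook.append(entry)
    return entry
```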

Page 29: CSIS 3756 Security Design

Everything that goes wrong on the target host, network, or on the Internet from two weeks before you plug in to two weeks after you submit the report will be your fault.

Document everything!

Can you script operations to increase efficiency and reduce errors?

Murphy’s Law