A Discussion In Penetration Testing
Marcial White

Introduction
• Definition of "Hacker"
• White Hat vs. Black Hat
• Open Source Methodologies
• Penetration Testing Concepts

Penetration Testing Concepts
• What is a penetration test?
  – Public Image
  – Border Networks
  – Interior Networks
• What do they produce?
  – What don't they produce?
• How extensive are they?
• White Box vs. Black Box

Methodology Overview
• Footprinting
  – Search Engine Hacking
  – Social Engineering
  – White Box Footprinting
  – Black Box Footprinting
• Network Enumeration
• Gaining Access to the Network
• Escalating Privileges
• Covering Your Tail
• Retaining Control
  – Rogue User Accounts
• If All Else Fails ...
• Some Defenses

Google Hacking
• Zero-footprint profiling of the target: the search engine's index answers the queries, so nothing is sent to the target's own servers
• Start with the simple stuff: the company name
• Do popularity searches on the people you find in the first search
• Look for important-looking people
• A full list of operators is available at http://www.google.com/help/operators.html
• http://johnny.ihackstuff.com
• For example: "filetype:txt inurl:robots site:whitehouse.gov" (returns the site's robots.txt, which lists the paths the owner does not want indexed)

Social Engineering
• "The practical application of sociological principles to particular social problems" (http://www.dictionary.com)
• "The practice of obtaining confidential information by manipulation of legitimate users" (Wikipedia)
• Examples: Lord Nikon and Cereal Killer from Hackers (the most realistic hacking movie ever)
• Relying on people not reading the EULAs: the Microsoft PLUS! scheme
• Kevin Mitnick: The Art of Deception and The Art of Intrusion

White Box Footprinting
• Consult the existing network diagram
• Scan the network
• Compare the scan results with the diagram
  – Find running services
  – Find live hosts
    » fping, ICMPenum, Ethereal (now Wireshark)
  – Record the hops between an interior host and the border of the network (traceroute)
• WhoIs

Black Box Footprinting
• What do you know?
  – Most get a single IP to start with
• Find out what you can about that IP
• WhoIs it?
  – http://www.centralops.net
  – http://www.samspade.org
  – NSLookup
  – Visual Route
  – Email Tracker PRO (wooptyfriggindo)
• Often more systems will be found than were reported. Document everything.

Enumerate the Network
• Overlaps a bit with footprinting
• Nmap is your friend
  – XMAS scan: nmap -sX host.com
    » The probe is a TCP segment with FIN, PSH and URG set ("lit up like a Christmas tree"); under RFC 793 a successful scan finds one of two things:
    » A closed port on the host replies with RST
    » An open port lies conspicuously silent (nmap reports it as open|filtered, because a firewall silently dropping the probe looks identical)
    » Caveat: stacks that do not follow the RFC here, Windows among them, answer RST on every port, so against those hosts the scan shows everything as closed
  – Fe3d for documentation: nmap -oX filename.xml host.com
[Screenshot slides: "Nmap XMAS Scan" and "Fe3d"]

Gaining Access ...
• Sniff passwords with a protocol analyzer (works against cleartext protocols such as telnet, FTP, POP3 and HTTP Basic auth; on a switched network you first need a SPAN port or ARP spoofing to see the traffic)
  – Ethereal (now Wireshark)
  – EtherPeek
  – tcpdump
  – Snort
• Nessus
  – NASL
• NT Info Scan
• ReadSMB

Escalating Privileges
• Be SILENT!
• Brute-force and password-cracking tools
  – John the Ripper
  – Cain & Abel
  – L0phtCrack
• Trojans / back doors
  – NetBus, "Remote Administration and Spy Tool"
• Man-in-the-middle attacks
  – Inherent TCP/IP flaws: three-way handshakes, packet headers, ARP
    » Ettercap
• Unix/Linux rhosts files
  – Usually located at ~/.rhosts
    » Recommended permissions: 600
    » Entry forms: +HostName / -HostName (trust or deny a host), +@NetGroup / -@NetGroup (trust or deny a netgroup); a bare "+" trusts every host, and "+ +" trusts every user on every host
  – Also of interest: /etc/hosts.equiv
    » Lets users on the listed remote machines log in to or execute commands on the local machine without a password (rlogin/rsh)
• Windows LSA Secrets
  – Older Windows machines (NT 3.51 to 4.0)
  – Dumps various LSA secrets: service passwords (plain text), cached password hashes of the last users to log in to the machine, FTP and web plaintext passwords, RAS dial-up account names and passwords, workstation passwords for domain access, etc.
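The "Enumerate the Network" slide ends with nmap -oX, and that XML is what documentation tools such as Fe3d consume. As an added example (not part of the original slides or of nmap's own code), the following Python reads a constructed sample of nmap -sX XML output, keeps only hosts that were up, and lists the ports that stayed silent to the XMAS probe, which in nmap's terms are open|filtered and still need a confirming -sS or -sT scan. The host names, addresses and port states in the sample are made up for the demo; the element and attribute names follow nmap's real XML schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sX -oX` output; no real host was scanned.
# Only the elements and attributes used below are included.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sX -oX scan.xml host.example">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="host.example" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open|filtered" reason="no-response"/>
        <service name="ssh"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open|filtered" reason="no-response"/>
        <service name="http"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="reset"/>
        <service name="telnet"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Map each live host address to its hostname and a {(proto, port): (state, reason, service)} dict.

    Hosts whose <status> is not "up" are skipped; document them separately if the
    engagement needs a record of non-responding addresses.
    """
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address").get("addr")
        hn = host.find("hostnames/hostname")
        entry = {"hostname": hn.get("name") if hn is not None else None, "ports": {}}
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            key = (port.get("protocol"), int(port.get("portid")))
            entry["ports"][key] = (
                state.get("state"),
                state.get("reason"),
                svc.get("name") if svc is not None else None,
            )
        results[addr] = entry
    return results


def xmas_candidates(results):
    """Ports the XMAS probe could not classify as closed.

    A closed port answered with RST (reason="reset") and is excluded. Silence means
    the port is open OR a firewall dropped the probe, so nmap reports open|filtered;
    these are the ones to confirm with a connect or SYN scan.
    """
    out = []
    for addr, entry in results.items():
        for (proto, port), (state, _reason, svc) in sorted(entry["ports"].items()):
            if proto == "tcp" and state == "open|filtered":
                out.append((addr, port, svc))
    return out


if __name__ == "__main__":
    res = parse_nmap_xml(SAMPLE_NMAP_XML)
    for addr, port, svc in xmas_candidates(res):
        print(f"{addr}:{port} ({svc}) silent to XMAS probe: open or filtered, confirm with -sS/-sT")
```

The parser deliberately records the reason attribute alongside the state: "no-response" on every port of a host is also what you see when a non-RFC-compliant stack or a firewall is in the path, which is the cue to switch scan types rather than trust the XMAS result.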
Covering Your Tail
• It's all in the configuration
• Command history
• ftp/telnet/ssh/etc. logs
• Dynamically generated routing tables
• Logging daemons
  – klogd
  – metalog
    » Look in /var/log/, /etc/, /usr/bin
• Hide your tools
  – Hidden files
  – Obscure naming conventions
  – *nix
    » /.rootkits
    » Veto files
    » Burying the files
  – *doze
    » Hidden system files
    » Burying the files

Keeping Your Doors Open
• Creating rogue user accounts
  – Permissions
    » RWXRWXRWX
    » Groups
    » Creating accounts called "tty" (a name that blends in with system accounts)
  – Windows Administrator
• Retaining control
  – cron jobs
  – Keyloggers
    » Regload
    » LKL

Still Can't Get In?
• Denial of service? Yes! ... I mean, no! (a DoS is normally out of scope for a penetration test)
• Resource consumption: attempts to exhaust finite resources (memory, CPU, file handles)
• Poor programming
  – Vulnerable variables, which usually lead to more serious vulnerabilities
  – Example: "The Register" HTML variables (exposed to phishing attacks; http://wheresthebeef.co.uk/show.php/xss/clicknbuild.html)

Conclusion
• ... people suck.
• Do your homework.
• Be cool. Stay in school.
• Questions?
• [email protected]
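The outline promises "Some Defenses", and the rhosts slide under Escalating Privileges and the "Keeping Your Doors Open" slide above describe exactly what a defender should be looking for: wildcard trust entries and loose permissions on ~/.rhosts and /etc/hosts.equiv, a second UID-0 account with a device-like name such as "tty", home directories or cron jobs pointing into hidden paths like /.rootkits. As an added example that is not part of the original slides, the following Python audits constructed samples of those files (written to a temporary directory so the permission check is real). The sample contents, the 0600 / 0644 expected modes, and the list of "device-like" account names are assumptions for the demo; extend them to local policy.

```python
import os
import stat
import tempfile

# Constructed sample files for the demo; none of this comes from a real system.
SAMPLE_RHOSTS = """# trusted peers for rlogin/rsh
bastion.example alice
+ +
-badhost.example
+@ops
"""
SAMPLE_HOSTS_EQUIV = """buildbox.example
+
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
tty:x:0:0::/.rootkits:/bin/sh
"""
SAMPLE_CRONTAB = """0 * * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * /.rootkits/.kl >/dev/null 2>&1
"""

# Names an attacker might pick so the account looks like a system entry (assumption; extend locally).
DEVICE_LIKE_NAMES = {"tty"}


def audit_trust_file(path, max_mode=0o600):
    """Flag rhosts/hosts.equiv entries that trust wildcards, plus permissions beyond max_mode."""
    tag = os.path.basename(path)
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & ~max_mode:
        findings.append(f"{tag}: mode {oct(mode)} is wider than {oct(max_mode)}")
    with open(path) as fh:
        for ln, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0].strip()   # drop comments and blanks
            if not line:
                continue
            fields = line.split()
            host, user = fields[0], (fields[1] if len(fields) > 1 else None)
            if host == "+":                          # bare "+" trusts every host
                extra = " and every user" if user == "+" else ""
                findings.append(f"{tag}: line {ln}: '+' trusts every host{extra}")
            elif user == "+":                        # "host +" trusts every user on that host
                findings.append(f"{tag}: line {ln}: any user on {host} is trusted")
            elif host.startswith("+@"):              # netgroup: membership must be reviewed
                findings.append(f"{tag}: line {ln}: trusts whole netgroup {host[2:]}")
    return findings


def audit_passwd(text):
    """Flag extra UID-0 accounts, hidden home directories and device-like account names."""
    findings = []
    for ln, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, home, _shell = line.split(":")
        if uid == "0" and name != "root":
            findings.append(f"line {ln}: {name} has UID 0 (second superuser)")
        if any(part.startswith(".") for part in home.split("/") if part):
            findings.append(f"line {ln}: {name} home {home} is a hidden directory")
        if name in DEVICE_LIKE_NAMES:
            findings.append(f"line {ln}: account named like a device ({name}); confirm it is expected")
    return findings


def audit_crontab(text):
    """Flag cron entries whose command runs from a hidden path (e.g. /.rootkits)."""
    findings = []
    for ln, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        cmd = " ".join(line.split()[5:])   # first five fields are the schedule
        if "/." in cmd:
            findings.append(f"line {ln}: runs from a hidden path: {cmd}")
    return findings


def run_audit(rhosts_mode=0o644):
    """Write the samples to a temp dir (so os.stat can check modes) and run all three audits."""
    with tempfile.TemporaryDirectory() as d:
        rh, he = os.path.join(d, ".rhosts"), os.path.join(d, "hosts.equiv")
        for path, text in ((rh, SAMPLE_RHOSTS), (he, SAMPLE_HOSTS_EQUIV)):
            with open(path, "w") as fh:
                fh.write(text)
        os.chmod(rh, rhosts_mode)   # deliberately looser than the recommended 600
        os.chmod(he, 0o644)         # hosts.equiv is a root-owned system file; 644 is normal
        trust = audit_trust_file(rh, 0o600) + audit_trust_file(he, 0o644)
    return {"trust": trust, "passwd": audit_passwd(SAMPLE_PASSWD), "cron": audit_crontab(SAMPLE_CRONTAB)}


if __name__ == "__main__":
    for section, items in run_audit().items():
        for item in items:
            print(f"[{section}] {item}")
```

Negative entries such as "-badhost.example" are left alone on purpose: they restrict trust rather than grant it. Note also that "+@ops" is reported for review rather than as a definite problem, since whether it is dangerous depends on who is in the netgroup.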