J. A. Drew Hamilton, Jr., Ph.D. Director, Center for Cyber Innovation Professor, Computer Science & Engineering

Size: px

Start display at page:

Download "J. A. Drew Hamilton, Jr., Ph.D. Director, Center for Cyber Innovation Professor, Computer Science & Engineering"

Christopher Norris
5 years ago
Views:

1 J. A. Drew Hamilton, Jr., Ph.D. Director, Center for Cyber Innovation Professor, Computer Science & Engineering CCI Post Office Box 9627 Mississippi State, MS Voice: (662) Fax: (662) Mississippi State University Center for Cyber Innovation 1

2 Penetration Testing Dr. Drew Hamilton Reference: Elham Hojati, TTU Reference: Dr. Regina Hartley Reference: Matt Walker All-in-One CEH Certified Ethical Hacker Mississippi State University Center for Cyber Innovation 2

3 Section Objectives Describe penetration testing, security assessments, and risk management Define automatic and manual testing List the pen test methodology and deliverables Mississippi State University Center for Cyber Innovation 3

4 Penetration Test Definition A penetration test is an attack on a computer system, network or Web application to find vulnerabilities that an attacker could exploit with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data. Pen tests can be automated with software applications or they can be performed manually. The process includes: gathering information about the target before the test (reconnaissance), identifying possible entry points(port scanning), attempting to break in (either virtually or for real) reporting back the findings. Mississippi State University Center for Cyber Innovation 4

5 Why conduct a penetration test? Prevent data breach Test your security controls Ensure system security Get a baseline Compliance Mississippi State University Center for Cyber Innovation 5

6 Establish goal Information gathering Reconnaissance Discovery Penetration Test Steps Port scanning Vulnerability scanning Vulnerability analysis Taking control Exploitation Brute forcing Social engineering Pivoting (using one exploit to find another) Reporting Evidence collection Risk analysis Remediation Mississippi State University Center for Cyber Innovation 6

The term "white hat" in Internet slang refers to an ethical computer hacker, or a computer security expert, who specializes in penetration

7 Scope Internal or external In-house or outsourced Pen Test Planning Selecting a pen-tester (white hat hacker) White hat hacker vs Black hat hacker Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in. The term "white hat" in Internet slang refers to an ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security of an organization's information systems Mississippi State University Center for Cyber Innovation 7 7

8 OWASP Methodology 1. Introduction and Objectives 2. Information Gathering 3. Configuration and Deploy Management Testing 4. Identity Management Testing 5. Authentication Testing 6. Authorization Testing 7. Session Management Testing 8. Data Validation Testing 9. Error Handling 10. Cryptography 11. Business Logic Testing 12. Client Side Testing Mississippi State University Center for Cyber Innovation 8

Penetration Test Step Cycle Step 1: Introduction and Objectives Step 2: Information gathering Step 3: Vulnerability analysis Step 4: Simulation (Penetrate the system to

9 Penetration Test Step Cycle Step 1: Introduction and Objectives Step 2: Information gathering Step 3: Vulnerability analysis Step 4: Simulation (Penetrate the system to provide the proof) Step 5: Risk assessment Step 6: Recommendations for reduction or recovery and providing the report Mississippi State University Center for Cyber Innovation 9

10 Pen Test Tools: Kali Linux Kali Linux is a Debian-derived Linux distribution, designed for digital forensics and penetration testing. Kali Linux is preinstalled with numerous penetration-testing programs. Kali Linux can be run from a hard disk, live CD, or live USB. It is a supported platform of the Metasploit Project's Metasploit Framework, a tool for developing and executing security exploits. From the creators of BackTrack comes Kali Linux, the most advanced penetration testing distribution created till now. Mississippi State University Center for Cyber Innovation 10

11 Maltego Maltego is an open source intelligence and forensics application. It will offer you gathering of information as well as the representation of this information in an easy to understand format. Mississippi State University Center for Cyber Innovation 11

WHOIS SERVICE WHOIS is a query and response protocol that is widely used for querying databases that store the registered users of an Internet resource, such as a domain name, an

Open a command line terminal in Kali Linux and type whois <target> for example: whois google.com Type ping yahoo.com and find the IP address of yahoo.

12 WHOIS SERVICE WHOIS is a query and response protocol that is widely used for querying databases that store the registered users of an Internet resource, such as a domain name, an IP address block, or an autonomous system It is also used for a wider range of other information. The protocol stores and delivers database content in a humanreadable format. Open a command line terminal in Kali Linux and type whois <target> for example: whois google.com Type ping yahoo.com and find the IP address of yahoo. type whois <yahoo IP address> Go to the link and type google.com Go to the link and type Mississippi State University Center for Cyber Innovation 12

13 Vega Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows Mississippi State University Center for Cyber Innovation 13 13

14 Other Pen Testing Tools Metasploit (previously discussed) Codenomicon toolkit for automated penetration testing that, according to the provider, eliminates unnecessary ad hoc manual testing. Core Impact tests everything from web applications and individual systems to network devices and wireless (a vulnerability management function is found in their Core Insight product). CANVAS From Immunity Security CANVAS makes available hundreds of exploits, an automated exploitation system, and a comprehensive, reliable exploit development Mississippi State University Center for Cyber Innovation 14

15 Safety Note from Matt Walker There s an important point here for you on anything illegal you might stumble across: do not copy any of it to your own devices under any circumstances. In the case of child porn, possession itself is a crime. Sandia Lab pen testing Classified material Again, this job puts you in strange places, and you had better have a process defined to handle everything from pirated software to porn to illegal activity. Mississippi State University Center for Cyber Innovation 15

16 Pen Test Report Components An executive summary of the organization s overall security posture. (If you are testing under the auspices of FISMA, DIACAP, RMF, HIPAA, or some other standard, this summary will be tailored to the standard.) The names of all participants and the dates of all tests. A list of findings, usually presented in order of highest risk. An analysis of each finding and recommended mitigation steps (if available). Log files and other evidence from your toolset. This evidence should include tons of screenshots, because that s what customers seem to want. Matt Walker Mississippi State University Center for Cyber Innovation 16

17 Pen Testing Threats Many of the tools used by hackers can be used for good or evil For the purposes of the book, if a tool is used by black hats it is called hacking, if it is used by white hats then it s ethical hacking or penetration testing Mississippi State University Center for Cyber Innovation 17 17

18 Threats or Pen Test Tools? General Threats Script Kiddies Trojans Backdoors DDoS attacks OS fingerprinting DoS attacks Man-in-the-Middle Mail bombing War dialing Ping of Death Fake Login Screens Teardrop attack Traffic analysis Slamming and cramming Mississippi State University Center for Cyber Innovation 18 18

19 Operating System Scanning Operating System Scanning 1. Find out what systems are running (ping sweep) 2. Port scan the hosts 3. Correlate the services that are running 4. Run a vulnerability scan Mississippi State University Center for Cyber Innovation 19 19

20 Wrappers An additional layer of protection can be applied in Unix-like systems by using wrappers Information gathering Browsing a general technique used by technique used by intruders to obtain information they are not authorized to access Perusing file listings on devices Dumpster diving Shoulder surfing Mississippi State University Center for Cyber Innovation 20 20

21 Sniffers A network sniffer is a tool that monitors traffic as it traverses a network Also referred to as network analyzers or protocol analyzers Runs with the NIC in promiscuous mode Secure versions of services and protocols should be used when possible in order to combat sniffers Example: Secure RPC (S-RPC): uses Diffie-Hellman public key cryptography to determine the shared secret key R-utilities (rlogin, rexec, rsh, rcp) in Unix all have several weaknesses and should be replaced by a service that requires stronger authentication such as secure shell Mississippi State University Center for Cyber Innovation 21 21

22 Session Hijacking Session Hijacking Can be countered with IPSec or Kerberos Loki attack Uses ICMP protocol for covert channel communications Writes data behind the ICMP header (which is designed for status and error messages) Successful because ICMP is not typically scanned by firewalls Mississippi State University Center for Cyber Innovation 22 22

23 Password Cracking Password Cracking Static passwords are the technique of choice, both for familiarity and cost reasons Easily cracked, other options would be smart cards or biometrics (at a greater cost) Password cracking tools (i.e.: John the Ripper, Crack, Ophcrack) attack encoded hashes Dictionary or brute force attacks on stolen password files (rainbow tables not addressed) Strong password policies: at least 8 characters, upper case, lower case, at least 2 special characters Mississippi State University Center for Cyber Innovation 23 23

24 Backdoors A backdoor is a program that is installed by an attacker to enable them to come back into the computer at a later date without having to supply login credentials or go through any type of authorization process Such behaviors can often be detected by host-based intrusion detection systems Mississippi State University Center for Cyber Innovation 24 24

25 Vulnerability Testing Goals of a vulnerability testing assessment Evaluate the true security posture of an environment (minimize false positives) Identify as many vulnerabilities as possible with honest evaluations and prioritization of each Test how systems react to certain circumstances and attacks, to learn not only what the known vulnerabilities are (given a specific operating environment), but also how the unique elements of the environment might be abused (such as SQL injection attacks, buffer overflows, and process design flaws that facilitate social engineering) Mississippi State University Center for Cyber Innovation 25 25

26 Written Agreement Highlighted caution: Before carrying out vulnerability testing, a written agreement fro management is required! This protects the tester against prosecution for doing his job, and ensures there are no misunderstandings by providing in writing what the tester should and should not do. Mississippi State University Center for Cyber Innovation 26 26

27 Personnel Testing Personnel testing: includes reviewing employee tasks and thus identifying vulnerabilities in the standard practices and procedures that employees are instructed to follow, demonstrating social engineering attacks and the value of training users to detect and resist such attacks, and reviewing employee policies and procedures to ensure those security risks that cannot be reduced through physical and logical controls are met with the final control category (Administrative) Mississippi State University Center for Cyber Innovation 27 27

28 Physical Testing Physical testing: includes reviewing facility and perimeter protection mechanisms. For example do the doors automatically close and an alarm sound if the door is open too long? Are interior protection mechanisms of server rooms, wiring closets, sensitive systems, and assets appropriate? Is dumpster diving a threat? What of protection mechanisms for manmade, natural, or technical threats? Is there a fire suppression system? Are sensitive electronics kept above raised floors so they survive a minor flood? Mississippi State University Center for Cyber Innovation 28 28

29 System and Network Testing Systems and network testing: perhaps what most people think of when discussing information security vulnerability testing. For efficiency, an automated scanning product identifies known system vulnerabilities, and some may (if management has signed off on the performance impact and the risk of disruption) attempt to exploit vulnerabilities Mississippi State University Center for Cyber Innovation 29 29

30 Prevention Testing Penetration Testing: the process of simulating attacks on a network and its systems at the request of the owner or senior management Measures an organization s level of resistance to an attack and uncovers weaknesses within their environment Foundation is established by a vulnerability scan Mississippi State University Center for Cyber Innovation 30 30

31 Get Out of Jail Free Highlighted note: A Get Out of Jail Free Card is a document you can present to someone who thinks you are up to something malicious, when in fact you are carrying out an approved test. There have been many situations in which an individual (or a team) was carrying out a penetration test and was approached by a security guard or someone who thought this person was in the wrong place at the wrong time Mississippi State University Center for Cyber Innovation 31 31

32 Pen Test Process The process steps of a penetration test: 1. Discovery: Footprinting and information gathering 2. Enumeration: Port scans and resource identification 3. Vulnerability mapping: Identifying vulnerabilities 4. Exploitation: Gaining unauthorized access 5. Reporting: Documentation and suggestions to management Mississippi State University Center for Cyber Innovation 32 32

33 Types of Pen Tests Types of tests Zero knowledge v. partial knowledge (advance knowledge of the tester) Blind, double-blind, or targeted (use of public knowledge or targeted knowledge, and whether the staff is aware) Mississippi State University Center for Cyber Innovation 33 33

34 Vulnerability Targets Vulnerability targets Kernel flaws: fixed by patching Buffer overflows: fixed by defensive programming and developer education Symbolic links: fixed by requiring scripts to ensure use of fully qualified paths File descriptor attacks: fixed by defensive programming and developer education Race conditions: fixed by defensive programming and developer education File and directory permissions: fixed by use of file integrity checkers Mississippi State University Center for Cyber Innovation 34 34

35 Operations Security Mississippi State University Center for Cyber Innovation 35 35

36 Ec-Council: Certified Ethical Hacker Mississippi State University Center for Cyber Innovation 36

37 CEH Certification 5 Day Bootcamp Mississippi State University Center for Cyber Innovation 37

38 certified-ethical-hacker-ceh/ Mississippi State University Center for Cyber Innovation 38

39 Summary - Section Objectives Describe penetration testing, security assessments, and risk management Define automatic and manual testing List the pen test methodology and deliverables Mississippi State University Center for Cyber Innovation 39

SINGLE COURSE. NH9000 Certified Ethical Hacker 104 Total Hours. COURSE TITLE: Certified Ethical Hacker

SINGLE COURSE. NH9000 Certified Ethical Hacker 104 Total Hours. COURSE TITLE: Certified Ethical Hacker NH9000 Certified Ethical Hacker 104 Total Hours COURSE TITLE: Certified Ethical Hacker COURSE OVERVIEW: This class will immerse the student into an interactive environment where they will be shown how