Introduction to Penetration Testing: Part One. Eugene Davis UAH Information Security Club February 21, 2013

Similar documents
Phishing. Eugene Davis UAH Information Security Club April 11, 2013

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

Ethical Hacking and Prevention

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

Basics of executing a penetration test

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

Advanced Ethical Hacking & Penetration Testing. Ethical Hacking

NETWORK PENETRATION TESTING

Principles of ICT Systems and Data Security

Security Solutions. Overview. Business Needs

Ethical Hacking & Information Security. Justin David G. Pineda Asia Pacific College

AURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo

Curso: Ethical Hacking and Countermeasures

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

CEH v8 - Certified Ethical Hacker. Course Outline. CEH v8 - Certified Ethical Hacker. 12 May 2018

V8 - CEH v8 - Certified Ethical Hacker. Course Outline. CEH v8 - Certified Ethical Hacker. 03 Feb 2018

Ethical Hacking and Countermeasures: Attack Phases, Second Edition. Chapter 1 Introduction to Ethical Hacking

5. Execute the attack and obtain unauthorized access to the system.

INNOV-09 How to Keep Hackers Out of your Web Application

ITdumpsFree. Get free valid exam dumps and pass your exam test with confidence

CISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker. Upcoming Dates. Course Description. Course Outline

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

Web Applications Penetration Testing

A Model for Penetration Testing

CEH v8 - Certified Ethical Hacker. Course Outline. CEH v8 - Certified Ethical Hacker. 15 Jan

Overview. Handling Security Incidents. Attack Terms and Concepts. Types of Attacks

TexSaw Penetration Te st in g

Pass4suresVCE. Pass4sures exam vce dumps for guaranteed success with high scores

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

ISDP 2018 Industry Skill Development Program In association with

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

SANS SEC504. Hacker Tools, Techniques, Exploits and Incident Handling.

CPTE: Certified Penetration Testing Engineer

Pearson: Certified Ethical Hacker Version 9. Course Outline. Pearson: Certified Ethical Hacker Version 9.

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Access Controls. CISSP Guide to Security Essentials Chapter 2

ECCouncil Certified Ethical Hacker. Download Full Version :

Mobile MOUSe HACKING REVEALED ONLINE COURSE OUTLINE

ANATOMY OF AN ATTACK!

Term 2 Grade 12 -Project Task 2 Teachers Guidelines Ethical Hacking Picture 1 Picture 2

BraindumpsVCE. Best vce braindumps-exam vce pdf free download

Exam Questions v8

Chapter 4. Network Security. Part I

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Certified Ethical Hacker (CEH)

GCIH. GIAC Certified Incident Handler.

Certified Vulnerability Assessor

epldt Web Builder Security March 2017

Chapter 10: Security and Ethical Challenges of E-Business

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

Penetration testing using Kali Linux - Network Discovery

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

Solutions Business Manager Web Application Security Assessment

Understanding Perimeter Security

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Dumpswheel. Exam : v10. Title : Certified Ethical Hacker Exam ( CEH v 10) Vendor : EC-COUNCIL. Version : DEMO.

Security Audit What Why

SECURITY TESTING. Towards a safer web world

5 IT security hot topics How safe are you?

Advanced Diploma on Information Security

Audience. Pre-Requisites

How NOT To Get Hacked

Handbook. Step by step practical hacking training

SINGLE COURSE. NH9000 Certified Ethical Hacker 104 Total Hours. COURSE TITLE: Certified Ethical Hacker

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Cyber Moving Targets. Yashar Dehkan Asl

BraindumpsIT. BraindumpsIT - IT Certification Company provides Braindumps pdf!

About The Presentation 11/3/2017. Hacker HiJinx-Human Ways to Steal Data. Who We Are? Ethical Hackers & Security Consultants

RiskSense Attack Surface Validation for Web Applications

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Survey of Cyber Moving Targets. Presented By Sharani Sankaran

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Cyber Security Practice Questions. Varying Difficulty

SANS Exam SEC504 Hacker Tools, Techniques, Exploits and Incident Handling Version: 7.1 [ Total Questions: 328 ]

Course 831 EC-Council Certified Ethical Hacker v10 (CEH)

CSWAE Certified Secure Web Application Engineer

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Home Computer and Internet User Security

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Security Issues and Best Practices for Water Facilities

Certified Secure Web Application Engineer

Introduction to Ethical Hacking. Chapter 1

Ethical Hacking and Countermeasures V7

A (sample) computerized system for publishing the daily currency exchange rates

Campus Network Design

Online Intensive Ethical Hacking Training

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

This ethical hacking course puts you in the driver's seat of a hands-on environment with a systematic process.

CNT4406/5412 Network Security Introduction

C1: Define Security Requirements

EC-Council - EC-Council Certified Security Analyst (ECSA) v8

CSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague

hidden vulnerabilities

Nmap & Metasploit. Chun-Jen (James) Chung. Arizona State University

INF5290 Ethical Hacking. Lecture 3: Network reconnaissance, port scanning. Universitetet i Oslo Laszlo Erdödi

Security Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE

J. A. Drew Hamilton, Jr., Ph.D. Director, Center for Cyber Innovation Professor, Computer Science & Engineering

Transcription:

Introduction to Penetration Testing: Part One Eugene Davis UAH Information Security Club February 21, 2013

Ethical Considerations: Pen Testing Ethics of penetration testing center on integrity (ISC)² Code Of Ethics Cannons Protect society, the common good, necessary public trust and confidence, and the infrastructure Act honorably, honestly, justly, responsibly, and legally Provide diligent and competent service to principals Advance and protect the profession Maintain privacy and confidentiality Acquire written permission from appropriate authorities before performing pen testing on systems Nathan O'Neal 2 of 24

What is Pen Testing? Penetration Testing, a.k.a ethical hacking Uses the same techniques as hackers to find weaknesses in systems Testing can be done by employees of an organization or by trusted third parties Can be broken down into phases of attack Eugene Davis 3 of 24

Phase 1: Reconnaissance Finding information about a target Can learn about the assets on the target's network Network structure and potential vulnerabilities are of especial value Most organizations leak a large amount of data on a regular basis Requires a strict policy to prevent it Eugene Davis 4 of 24

Info from the Web and Trash Websites might have documents meant for internal consumption Employees post questions on forums revealing sensitive network details Dumpster diving can turn up passwords, old CDs, manuals and more Especially vulnerable when an employ is moving Eugene Davis 5 of 24

Social Engineering Most common is talking your way in Acting like you belong is key Uniforms can help Spoofing phone numbers Make the call report an internal number Ask like you've forgotten something or are a new hire Eugene Davis 6 of 24

Defenses User education Monitor what information is allowed online Have firm policies about destroying media Strictly enforce ID checking if your organization requires it Eugene Davis 7 of 24

Phase 2: Scanning the Target Search for open access points into the network Scanning is an active form of reconnaissance Determine what open ports are on a system and firewall Looks for vulnerabilities on the systems in the network Eugene Davis 8 of 24

War Dialing Some users still attach modems to their computers for easy remote access War dialing is targeting the block of telephone numbers assigned to an organization Generally uses automated software capable of checking thousands of numbers in a few hours A successful connection results in direct access to the computer Eugene Davis 9 of 24

War Driving With a laptop, GPS, and a chauffeured car an attacker can search for open wireless access points Many users do not setup encryption on their wireless networks In a city, this may turn up dozens, even hundreds of unencrypted or WEP encrypted access points in a short time Eugene Davis 10 of 24

Scanning Tools Port scanners reveal what TCP ports will respond to attempted connections Firewalk is a technique to see what ports are open in a firewall Vulnerability Scanners search for exploitable vulnerabilities on the network Eugene Davis 11 of 24

Nmap Uses Nmap, or Network Mapper, scans IPs to detect open ports Can attempt to detect the service on a port, even the version Is capable of discovering some operating systems Can also perform some network mapping Eugene Davis 12 of 24

Nmap Examples Perform a ping scan to see what hosts are on the network: nmap -sn 192.168.0.1/24 Scan for OS and version for a particular target nmap -A -T4 192.168.0.122 Scan UDP ports with fragmented packets nmap -su -f 192.168.0.124 And far, far more Eugene Davis 13 of 24

Firewalk and Nessus Firewalk maps a network from a remote location By using traceroute, it can determine at what point a firewall kicks in Can determine what ports are being blocked by a firewall Nessus is a proprietary (with a non-commercial free version) vulnerability scanner This looks for known vulnerabilities on the area being scanned, and alerts the initiator of the scan Eugene Davis 14 of 24

Phase 3: Exploits and Compromises The attacker gains control of machines on the target network Operating system attacks allow control over individual systems Network attacks can reveal methods to control many machines on the network DoS attacks take machines or services offline Eugene Davis 15 of 24

Operating System Attacks Buffer overflow exploits can allow remote code execution Password guessing is an obvious method for gaining control Malicious web applications and scripts may seize control SQL injection commonly targets servers Eugene Davis 16 of 24

Buffer Overflow Exploits Stack Buffer Overflow (smashing the stack) Overwrite a local variable near the buffer to alter the execution of the program Change the stored return address after function execution allowing for the possibility of arbitrary code to be executed Heap Buffer Overflow Just as dangerous at Stack Buffer Overflows Used to overwrite function pointers that exist in memory, pointing it back to the attackers code Also allows access to user data within the scope of the program Nathan O'Neal 17 of 24

Automating the Exploit Process Identifying individual vulnerabilities on a target and knowing which exploit to use is time consuming Tools such as Metasploit can be used to automate the process Metasploit will map vulnerabilities that were found (even by other tools such as Nmap and Nessus) to the appropriate exploit within Metasploit Metasploit lists exploits in best-to-worst likelihood of success, thus saving time in choosing which attack to launch against a target system Nathan O'Neal 18 of 24

Automating the Exploit Process Nathan O'Neal 19 of 24

Password Guessing Brute force The most widely known attack that tries to use every possible character combination as a password Account Harvesting Involves the gathering of email addresses and possible user names from various sources on the internet These can then be used in a phishing attack against an individual target to try and obtain more personal information If you are told that the user name is valid/invalid, guessing becomes easier Both of these processes are usually automated Current versions of Backtrack contain tools used in both types of attacks Nathan O'Neal 20 of 24

Compromising the Web Browser Cross-Site Scripting (XSS) Malicious scripts are injected into trusted websites, generally in the form of a browser side script, and sent to another end user The end user's browser will then execute the malicious script SQL Injection Allows an attacker to spoof their identity and alter, insert or delete data from a database Allows for the complete disclosure of all data on the system Attacker can become administrator of the server Nathan O'Neal 21 of 24

Defenses Employ the use of strong passwords Keep systems updated and patched with the latest fixes Use an Intrusion Detection System (IDS) Use parameterized SQL Nathan O'Neal 22 of 24

References and Links CounterHack Reloaded by Ed Skoudis Nmap - http://nmap.org/ Firewalk - http://packetstormsecurity.com/unix/audit/firewalk/ Nessus Vulnerability Scanner - http://www.tenable.com/products/nessus (ISC)² Code Of Ethics - https://www.isc2.org/ethics/default.aspx EC-Council - http://www.eccouncil.org Open Web Application Security Project (OWASP) - https://www.owasp.org Eugene Davis 23 of 24

License This content is available under the Creative Commons Attribution NonCommercial ShareAlike 3.0 United States License Eugene Davis 24 of 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback