Penetration Testing Basics Rick Wanner 2009 Penetration Testing Basics A presentation of The Internet Storm Center, The SANS Institute and The GIAC Certification Program

Upload: rick-wanner

Post on 12-May-2015


DESCRIPTION

A 45 minute presentation originally presented at the SANS COINS event in Regina, SK in March of 2009

TRANSCRIPT

Page 1: Penetration Testing Basics

Penetration Testing Basics
Rick Wanner, 2009

A presentation of The Internet Storm Center, The SANS Institute and The GIAC Certification Program

Page 2: Penetration Testing Basics

Program Overview - GIAC Certification © 2006Penetration Testing Basics Rick Wanner 2009 2

About Me: Rick Wanner B.Sc. I.S.P.

• Client Technology Manager, Security at SaskTel
• Areas of expertise
  – Secure Network Architecture, Penetration Testing
  – IDS, Policy Development and compliance
• Masters Student at STI (SANS Technology Institute)
• Handler at the Internet Storm Center (isc.sans.org)
• Independent contractor/Volunteer with SANS/GIAC
• [email protected]

Page 3: Penetration Testing Basics


Presentation Overview

• Internet Storm Centre
• SANS/GIAC Mini-Briefing
• Security Mitigation Strategies
  – Penetration Testing

Page 4: Penetration Testing Basics


The Internet Storm Center

• The Internet Storm Center acts as a distributed early warning system for the Internet

• The ISC acts as an intermediary with ISPs worldwide.

• The ISC is composed of approximately 40 volunteer handlers who coordinate a group of volunteer intrusion analysts and malware specialists.

• Daily blog/diary published at http://isc.sans.org/
• Sponsored by the SANS Institute.

Page 5: Penetration Testing Basics


We want your logs!

• The ISC's principal inputs come from Dshield.org and Internet users

• All logs are scrubbed before they are submitted.

Page 6: Penetration Testing Basics


SANS Training and GIAC Certifications

• SANS Institute is the leading training organization for system administration, audit, network, security and security management.

• GIAC, The Global Information Assurance Certification program, provides assurance that a certified individual meets a minimum level of ability and possesses the skills necessary to do the job.

Page 7: Penetration Testing Basics


Today’s Cyber Threats

• Cyber threats have certainly changed since Al Gore invented the internet.

• What started off as an innocuous ARPANET invention supported by the U.S. Department of Defense is now a significant vehicle for conducting business, shopping, banking, researching, communicating, and maintaining vital corporate information.

• Unfortunately it’s also a haven for hackers and intrusive malicious code.

Page 8: Penetration Testing Basics


The Internet

• The Internet is a community of individuals with its good neighbourhoods and bad neighbourhoods.

• In this community the bad neighbourhoods are only separated from the good neighbourhoods by at most 150 milliseconds.

Page 9: Penetration Testing Basics


The Need for Information Security

• While you are working hard to protect your organization’s critical information and systems, there are others out there who want to compromise it.

• Learning the appropriate actions to secure this information not only benefits your employer, clients, and stockholders, it benefits you.

• In this industry, you don’t want to be the one who learned the hard way.

Page 10: Penetration Testing Basics


Security Outlook

• As users get more sophisticated, so do the bad guys.
• A CA, Inc. report issued on January 29, 2007 stated that in 2006, trojans accounted for 62% of all malware; worms 24%; and viruses and other types of malware accounted for the remaining 13%.
• CA, Inc. predicts that attackers will use blended threats to steal private information and perpetrate other attacks
  – Phishers are getting smarter
  – Spam will increase
  – Targeted attacks will increase
  – A rise in the use of kernel rootkits
  – Increased exploitation of browser and application vulnerabilities
  – Typo-squatting on search engines will increase
  – Attacks are increasingly sophisticated.

Page 11: Penetration Testing Basics


Penetration Testing

• Penetration testing is discovering vulnerabilities in your networks, systems, applications and data before the bad guys do.

• Penetration testing simulates the generalized attack methodology.

Page 12: Penetration Testing Basics


Generalized Attack Methodology

• Reconnaissance
• Scanning
• Gaining Access
• Maintaining Access
• Covering Tracks

Page 13: Penetration Testing Basics


Penetration Testing Method

• Preparation
• Reconnaissance
• Scanning
• Exploitation
• Analysis
• Reporting

Page 14: Penetration Testing Basics


Preparation

• Define the parameters of the test.
  – Objectives
  – Scope
  – Roles and responsibilities
  – Limitations
  – Success factors
  – Timeline
  – Documented Permission
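The items above (scope, limitations, timeline, documented permission) are what the rest of the test runs under, and the cheapest place to enforce them is in the tester's own tooling. The following Python scope gate is an added illustration, not code from the slides or from SANS/ISC: every scanning or exploitation script calls target_allowed() before touching an address. The rules-of-engagement values, the placeholder permission reference, the clock values and the sample targets are constructed for the example.

```python
"""Scope gate for the Preparation phase.

Added example (not from the slides): a script calls target_allowed() first, so
nothing outside the documented scope, inside an exclusion, or outside the
agreed window is ever touched.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed rules of engagement. A real test loads these from the signed
# authorisation document; the permission reference below is a placeholder.
RULES_OF_ENGAGEMENT = {
    "permission_ref": "ROE-PLACEHOLDER-001",
    "in_scope": ["192.168.1.0/24", "203.0.113.10/32"],
    "excluded": ["192.168.1.250/32"],          # e.g. a fragile production host
    "window_start": datetime(2009, 3, 10, 18, 0, tzinfo=timezone.utc),
    "window_end": datetime(2009, 3, 10, 23, 0, tzinfo=timezone.utc),
}

# Constructed clock values used by the demo below.
SAMPLE_NOW = datetime(2009, 3, 10, 20, 0, tzinfo=timezone.utc)     # inside the window
SAMPLE_LATER = datetime(2009, 3, 11, 9, 0, tzinfo=timezone.utc)    # after the window


def target_allowed(target, roe, now):
    """Return (allowed, reason) for one candidate IP address.

    Checks, in order: documented permission exists, the clock is inside the
    window, the address is not excluded, and the address is in scope.
    """
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False, f"{target!r} is not an IP address; resolve it and re-check"
    if not roe.get("permission_ref"):
        return False, "no documented permission on file"
    if not roe["window_start"] <= now <= roe["window_end"]:
        return False, "outside the agreed test window"
    if any(addr in ipaddress.ip_network(net) for net in roe["excluded"]):
        return False, f"{target} is explicitly excluded"
    if not any(addr in ipaddress.ip_network(net) for net in roe["in_scope"]):
        return False, f"{target} is not in the authorised scope"
    return True, "in scope"


def filter_targets(targets, roe, now):
    """Split candidates into a list to scan and a list of (target, reason) to skip."""
    allowed, rejected = [], []
    for target in targets:
        ok, reason = target_allowed(target, roe, now)
        if ok:
            allowed.append(target)
        else:
            rejected.append((target, reason))
    return allowed, rejected


if __name__ == "__main__":
    candidates = ["192.168.1.200", "192.168.1.250", "10.0.0.5", "203.0.113.10", "intranet"]
    go, skip = filter_targets(candidates, RULES_OF_ENGAGEMENT, SAMPLE_NOW)
    print("scan:", go)
    for target, why in skip:
        print("skip:", target, "-", why)
```

Hostnames are deliberately rejected rather than resolved here: the authorisation document names addresses, and a name that resolves to something outside them is exactly the case the gate exists to catch.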

Page 15: Penetration Testing Basics


Reconnaissance

• Reconnaissance determines: "What can a potential attacker learn about your company?"

• Utilizes publicly available information.

Page 16: Penetration Testing Basics


Reconnaissance (2)

• Some sources of information:
  – Search Engines
  – Websites
  – Registrars
  – SEC
  – Recruiting sites
  – Netcraft.com

Page 17: Penetration Testing Basics


Reconnaissance (3) - Netcraft

Page 18: Penetration Testing Basics


Reconnaissance (4) - Netcraft

Page 19: Penetration Testing Basics


Scanning

• Now that we know where to look, let's dig in a little deeper.

• Generally you are going to use two types of scanners: port scanners and vulnerability scanners.

• The hacker's choice:
  – Nmap
  – Nessus

Page 20: Penetration Testing Basics


Nmap

• Nmap – open-source port scanner

• Usually start with discovery scans and progress to targeted scans.

• Runs on Windows and *nix.
• Available from nmap.org

Page 21: Penetration Testing Basics


Nmap Book

Page 22: Penetration Testing Basics


Nmap - Reconnaissance

• nmap -sL <Address>
• nmap -sL www.telus.net/24
• nmap -sL 205.206.163.16/24

Page 23: Penetration Testing Basics


Nmap - Discovery

• nmap -F <Address>
• nmap -F 192.168.1.0/24

• nmap --top-ports 20 <address>
• nmap --top-ports 20 192.168.1.0/24

Page 24: Penetration Testing Basics


Nmap - Targeted

• nmap -F -A <address>
• nmap -F -A 192.168.1.200
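The discovery and targeted scans on the last few slides are just as visible from the target's side, which is what makes scanning the noisiest phase of the methodology. The following Python detector is an added example, not code from the slides or from the Nmap project: it reads firewall log lines and flags any source that touches many distinct ports on one host within a short window, the shape a fast scan such as the -F run above leaves behind. The iptables-style key=value log format and the lines themselves are constructed sample data, and the threshold and window are assumed starting points to tune per network.

```python
"""Port-scan detection from firewall logs.

Added example (not from the slides). SAMPLE_LOG is constructed: 192.168.1.77
sweeps twelve ports on .200 inside six seconds, 192.168.1.50 is ordinary
traffic, and one line is unrelated kernel noise the parser must skip.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2009-03-10T20:00:10 ACTION=ACCEPT SRC=192.168.1.50 DST=192.168.1.200 PROTO=TCP DPT=80
2009-03-10T20:00:40 ACTION=ACCEPT SRC=192.168.1.50 DST=192.168.1.200 PROTO=TCP DPT=443
2009-03-10T20:01:00 ACTION=DROP SRC=192.168.1.77 DST=192.168.1.200 PROTO=TCP DPT=21
2009-03-10T20:01:00 ACTION=ACCEPT SRC=192.168.1.77 DST=192.168.1.200 PROTO=TCP DPT=22
2009-03-10T20:01:01 ACTION=DROP SRC=192.168.1.77 DST=192.168.1.200 PROTO=TCP DPT=23
2009-03-10T20:01:01 ACTION=DROP SRC=192.168.1.77 DST=192.168.1.200 PROTO=TCP DPT=25
2009-03-10T20:01:02 ACTION=DROP SRC=192.168.1.77 DST=192.168.1.200 PROTO=TCP DPT=53
2009-03-10T20:01:02 ACTION=ACCEPT SRC=192.168.1.77 DST=192.168.1.200 PROTO=TCP DPT=80
2009-03-10T20:01:03 ACTION=DROP SRC=192.168.1.77 DST=192.168.1.200 PROTO=TCP DPT=110
2009-03-10T20:01:03 ACTION=DROP SRC=192.168.1.77 DST=192.168.1.200 PROTO=TCP DPT=135
2009-03-10T20:01:04 ACTION=DROP SRC=192.168.1.77 DST=192.168.1.200 PROTO=TCP DPT=139
2009-03-10T20:01:04 ACTION=DROP SRC=192.168.1.77 DST=192.168.1.200 PROTO=TCP DPT=143
2009-03-10T20:01:05 ACTION=ACCEPT SRC=192.168.1.77 DST=192.168.1.200 PROTO=TCP DPT=443
2009-03-10T20:01:05 ACTION=DROP SRC=192.168.1.77 DST=192.168.1.200 PROTO=TCP DPT=445
kernel: eth0: link is up
2009-03-10T20:02:00 ACTION=ACCEPT SRC=192.168.1.50 DST=192.168.1.200 PROTO=TCP DPT=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) ACTION=(?P<action>\w+) "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else (noise is skipped)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dpt": int(m["dpt"]),
    }


def detect_port_scans(lines, threshold=10, window=timedelta(seconds=30)):
    """Flag each (src, dst) pair that touched at least `threshold` distinct
    destination ports inside some span no longer than `window`. Dropped and
    accepted packets both count: a scanner learns from either answer."""
    events = defaultdict(list)
    for raw in lines:
        ev = parse_line(raw)
        if ev is not None:
            events[(ev["src"], ev["dst"])].append((ev["ts"], ev["dpt"]))

    alerts = []
    for (src, dst), evs in events.items():
        evs.sort()                      # time order; sliding window below
        best, best_span, start = 0, None, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {port for _, port in evs[start:end + 1]}
            if len(ports) > best:
                best, best_span = len(ports), (evs[start][0], evs[end][0])
        if best >= threshold:
            alerts.append({
                "src": src, "dst": dst, "distinct_ports": best,
                "first": best_span[0].isoformat(), "last": best_span[1].isoformat(),
            })
    alerts.sort(key=lambda a: a["distinct_ports"], reverse=True)
    return alerts


if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_LOG.splitlines()):
        print(f"possible port scan: {a['src']} -> {a['dst']} "
              f"({a['distinct_ports']} ports between {a['first']} and {a['last']})")
```

A slow scan spread over hours stays under any short window, so in practice this rule sits beside a longer-window variant with a higher threshold; the sliding window is the same, only the two parameters change.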

Page 25: Penetration Testing Basics


Vulnerability Scanner

• Nessus – open-sourced VA scanner

• Vulnerability feed costs money.

Page 26: Penetration Testing Basics


Commercial Vulnerability Scanners

Rapid7 NeXpose
GFI LANguard
eEye Retina Network

Page 27: Penetration Testing Basics


Application Attacks

• Now we have all these layers of protection. Are you still vulnerable?

• The fact is that you can’t deny what you must permit.

• What about application level attacks?

Page 28: Penetration Testing Basics


Cross-Site Scripting

• Allows code injection by malicious web users into the web pages viewed by other users.

• Root cause - lack of input filtering and validation

• Permits attacker to execute arbitrary scripts on the browser

Page 29: Penetration Testing Basics


Yahoo's HotJobs site vulnerable to cross-site scripting attack

Dan Kaplan - October 27 2008

Internet research firm Netcraft's toolbar has detected a cross site scripting bug in Yahoo that could be exploited to steal authentication cookies.

The flaw resides on Yahoo's HotJobs search engine site, on which hackers embedded malicious JavaScript code, Netcraft's Paul Mutton said in a blog post on Sunday.

"The script steals the authentication cookies that are sent for the Yahoo.com domain and passes them to a different website in the United States, where the attacker is harvesting stolen authentication details," Mutton wrote.

The pilfered credentials could enable the attackers access to the victims' Yahoo accounts, including email. This vulnerability is similar to another bug that affected Yahoo earlier this year, he said.

"Simply visiting the malign URLs on Yahoo.com can be enough for a victim to fall prey to the attacker, letting him steal the necessary session cookies to gain access to the victim's email — the victim does not even have to type in their username and password for the attacker to do this," Mutton wrote. "Both attacks send the victim to a blank webpage, leaving them unlikely to realize that their own account has just been compromised."

Page 30: Penetration Testing Basics


Cross-Site Request Forgery (XSRF)

• Unauthorized commands are transmitted from a user that the website trusts.

• Exploitation of an existing web session.

• Embedded code causes unauthorized actions

Page 31: Penetration Testing Basics


SQL Injection

• SQL statements are injected into user input to see if a response is returned.

• Results
  – Authentication Bypass
  – Unauthorized data access
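The authentication-bypass result on this slide comes from one defect: the application builds its SQL statement out of the user's text. The following Python example is added here and is not code from the slides; it puts the vulnerable login next to the parameterised fix so both can be run against the same constructed in-memory SQLite database. The user record is constructed, and the password is stored in clear text only to keep the example short (a real system stores a salted hash and compares against that).

```python
"""SQL injection: a vulnerable login next to its parameterised fix.

Added example (not from the slides). The in-memory SQLite database and the
single user record are constructed for the demonstration.
"""
import sqlite3


def make_db():
    """Create a throwaway in-memory database with one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation, so the user's input is
    parsed as SQL. Returns the matched username, or None."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised statement: the driver binds the input as data, so quotes
    and keywords inside it never change the query's structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The kind of input the slide's "Authentication Bypass" result refers to.
# In the vulnerable form the WHERE clause becomes
#   username = 'x' AND password = '' OR '1'='1'
# and, because AND binds tighter than OR, it is true for every row.
BYPASS_INPUT = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, real credentials :", login_vulnerable(db, "alice", "correct horse"))
    print("vulnerable, bypass string    :", login_vulnerable(db, "x", BYPASS_INPUT))
    print("safe, real credentials       :", login_safe(db, "alice", "correct horse"))
    print("safe, bypass string          :", login_safe(db, "x", BYPASS_INPUT))
```

The fix is the placeholder, not any amount of quote-stripping: the bound value is delivered to the engine separately from the statement text, so there is no parse step at which it could become SQL.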

Page 32: Penetration Testing Basics


Preventing Web Application Attacks

• Every input should be validated!
• "Suspicion Breeds Confidence"
  – Test it!

Page 33: Penetration Testing Basics


Nikto

• Open source Linux based web application scanner

• Available at http://www.cirt.net/nikto2

Page 34: Penetration Testing Basics


Nikto (2)

• Basic Scan
  perl nikto.pl -h <host>
  perl nikto.pl -h 192.168.1.1

• Multiple ports
  perl nikto.pl -h 192.168.1.1 -p 80,88,443

Page 35: Penetration Testing Basics


Nikto – Simple Scan

[root@rwanner nikto]# ./nikto.pl -h localhost
- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 80
+ Start Time: 2008-10-27 21:53:47
---------------------------------------------------------------------------
+ Server: Apache/2.2.6 (Fedora)
- Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ Apache/2.2.6 appears to be outdated (current is at least Apache/2.2.9). Apache 1.3.39 and 2.0.61 are also current.
+ OSVDB-682: GET /usage/ : Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-3092: GET /manual/ : Web server manual found.
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ OSVDB-3268: GET /manual/images/ : Directory indexing is enabled: /manual/images
+ OSVDB-3233: GET /icons/README : Apache default file found.
+ 3577 items checked: 9 item(s) reported on remote host
+ End Time: 2008-10-27 21:54:28 (41 seconds)

Page 36: Penetration Testing Basics


Nikto (3)

• Multiple hosts
  perl nikto.pl -h <filename>
  perl nikto.pl -h hosts.txt

• Hosts file (one host per line, with optional ports)
  192.168.1.1:80:443
  192.168.0.200
  192.168.0.200,443

Page 37: Penetration Testing Basics


Nikto – Multiple Hosts Scan

]# ./nikto.pl -h hosts.txt
- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ Target IP: 192.168.1.1
+ Target Hostname: 192.168.1.1
+ Target Port: 443
---------------------------------------------------------------------------
+ SSL Info: Ciphers: DES-CBC3-SHA
  Info: /C=US/ST=California/L=Irvine/O=Cisco-Linksys, LLC/OU=Division/CN=Linksys/[email protected]
  Subject: /C=US/ST=California/L=Irvine/O=Cisco-Linksys, LLC/OU=Division/CN=Linksys/[email protected]
+ Start Time: 2008-10-28 21:16:37
---------------------------------------------------------------------------
+ Server: No banner retrieved

Page 38: Penetration Testing Basics


Commercial Web Scanners

IBM Rational AppScan
HP WebInspect
Cenzic Hailstorm

Page 39: Penetration Testing Basics


Exploitation

• Once you identify a potential vulnerability you have choices:
  – Can use individual exploits... available via the Internet
  – Can use pre-built exploitation frameworks.

• The most popular exploitation framework is Metasploit.
  – Available for Windows or Linux
  – Available at http://www.metasploit.com/

Page 40: Penetration Testing Basics


Metasploit

• 3 primary components
  – Exploit
    • Stack/Heap based buffer overflow
    • Insecure coding
    • PHP vulnerability, IIS Unicode, SQL injection, etc.
  – NOP sled (optional - exploit dependent)
  – Payload
    • Shellcode
    • Encoders
    • Other (exploit dependent)

Page 41: Penetration Testing Basics


Metasploit

# ./msfconsole                          (start Metasploit)
msf > use windows/dcerpc/ms03_026_dcom
msf > setg PAYLOAD windows/exec
msf > setg CMD nc -L -p 80 cmd.exe
msf > setg RHOST 192.168.0.2
msf > exploit

Page 42: Penetration Testing Basics


Exploitation Demo

• Patching and Configuration
  – Lacking patch management procedures
  – Single inbound port open through firewall

• Results
  – Simple remote exploitation
  – Worm characteristics
  – Can be used to bypass firewalls

Page 43: Penetration Testing Basics


Commercial Tools

Core Impact

Page 44: Penetration Testing Basics


Analysis

• When you finish you will have a mountain of data to analyze.

• Break it down using a risk-based approach.
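The "mountain of data" on this slide is mostly scanner output like the Nikto run on the earlier slide, and a risk-based breakdown starts with turning those text lines into findings that can be counted and sorted. The following Python parser is an added example, not code from the slides or from the Nikto project: it reads the line shapes Nikto printed on the "Nikto - Simple Scan" slide (that output, reflowed one finding per line, is the sample input), separates scan metadata from findings, and buckets each finding by severity. The severity keyword table is an assumption for illustration, not a Nikto or OSVDB rating; a real triage replaces it with the organisation's own scale.

```python
"""Turn raw Nikto output into a risk-ranked finding list.

Added example (not from the slides, not part of Nikto). SAMPLE_NIKTO_OUTPUT is
the scan from the 'Nikto - Simple Scan' slide, reflowed one finding per line.
The SEVERITY_RULES table is an assumed illustration, not a vendor rating.
"""
import re
from collections import Counter

SAMPLE_NIKTO_OUTPUT = """\
- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 80
+ Start Time: 2008-10-27 21:53:47
---------------------------------------------------------------------------
+ Server: Apache/2.2.6 (Fedora)
- Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ Apache/2.2.6 appears to be outdated (current is at least Apache/2.2.9). Apache 1.3.39 and 2.0.61 are also current.
+ OSVDB-682: GET /usage/ : Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-3092: GET /manual/ : Web server manual found.
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ OSVDB-3268: GET /manual/images/ : Directory indexing is enabled: /manual/images
+ OSVDB-3233: GET /icons/README : Apache default file found.
+ 3577 items checked: 9 item(s) reported on remote host
+ End Time: 2008-10-27 21:54:28 (41 seconds)
"""

# Finding lines look like: '+ [OSVDB-nnn: ][METHOD /path : ]message'
FINDING_RE = re.compile(
    r"^\+ (?:(?P<osvdb>OSVDB-\d+): )?(?:(?P<method>[A-Z]+) (?P<path>/\S*) : )?(?P<msg>.+)$"
)
# Header lines describe the scan rather than report a finding.
META_RE = re.compile(
    r"^\+ (?P<key>Target IP|Target Hostname|Target Port|Start Time|End Time|Server): (?P<value>.+)$"
)
SUMMARY_RE = re.compile(r"^\+ \d+ items checked")

# Assumed severity keywords, checked in this order; the first match wins.
SEVERITY_RULES = [
    ("high", ("cross site scripting", "xss", "credential theft", "sql injection")),
    ("medium", ("outdated", "should be disabled")),
    ("low", ("directory indexing",)),
]
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def classify(message):
    """Map a finding message to high/medium/low/info using SEVERITY_RULES."""
    text = message.lower()
    for severity, keywords in SEVERITY_RULES:
        if any(keyword in text for keyword in keywords):
            return severity
    return "info"


def triage_nikto(output):
    """Parse one Nikto run; return target metadata plus findings sorted by severity."""
    meta, findings = {}, []
    for line in output.splitlines():
        m = META_RE.match(line)
        if m:
            meta[m["key"]] = m["value"]
            continue
        if SUMMARY_RE.match(line) or not line.startswith("+ "):
            continue                     # banner, separators, summary, '-' notes
        f = FINDING_RE.match(line)
        if not f:
            continue
        findings.append({
            "osvdb": f["osvdb"],
            "method": f["method"],
            "path": f["path"],
            "severity": classify(f["msg"]),
            "message": f["msg"],
        })
    findings.sort(key=lambda x: SEVERITY_ORDER[x["severity"]])   # stable: keeps scan order within a bucket
    return {
        "target": meta.get("Target IP"),
        "port": meta.get("Target Port"),
        "server": meta.get("Server"),
        "findings": findings,
        "counts": Counter(x["severity"] for x in findings),
    }


if __name__ == "__main__":
    report = triage_nikto(SAMPLE_NIKTO_OUTPUT)
    print(f"{report['target']}:{report['port']} ({report['server']}) - {dict(report['counts'])}")
    for f in report["findings"]:
        print(f"  [{f['severity']:6}] {f['osvdb'] or '-':10} {f['path'] or '-':16} {f['message'][:60]}")
```

Nikto's own summary counts the "- Allowed HTTP Methods" note as one of its nine items; the parser deliberately keeps only "+" lines, so eight findings come out, and the two OSVDB-877 entries stay separate because they are different checks against the same reference.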

Page 45: Penetration Testing Basics


Reporting

• Base your report on risk.
• Write it so your senior executives can understand.
• Provide recommendations based on standards or best practices.
• Keep the Executive summary short.
• Stay away from FUD!

Page 46: Penetration Testing Basics


Presentation Summary

• Support the Internet Storm Center (ISC)

• SANS is the best!
• Test your servers and applications... before the bad guys do!

Page 47: Penetration Testing Basics


Special Tuition Offer

Because you attended this session, we are offering you a 10% discount on tuition for our upcoming Critical Infrastructure course in Calgary.

Page 48: Penetration Testing Basics


COMMUNITY SANS

For details on this special offer, please contact [email protected] for further information.

Page 49: Penetration Testing Basics


Community SANS in Calgary

Critical Infrastructure Protection in CALGARY

Monday, June 15, 2009 – Wednesday, June 17, 2009

Please use:

Discount Code: COINS10 Discount : 10%

Page 50: Penetration Testing Basics


COMMUNITY SANS in REGINA

We are coming back to Regina again next month!!!

April 6-8, 2009
Regina Inn – Hotel & Conference Centre

Security 557 - "Virtualization Security and Operations"

Page 51: Penetration Testing Basics


One CPE Credit

You will receive one CPE credit for attending this evening.

Page 52: Penetration Testing Basics


THANK YOU!!!!

This evening was brought to you on behalf of our COMMUNITY OF INTEREST IN NETWORK SECURITY (COINS) program.

Thank you for joining us tonight!

Page 53: Penetration Testing Basics


SANS/GIAC Overview

Page 54: Penetration Testing Basics


SANS Training and GIAC Certifications

• SANS Institute is the leading training organization for system, audit, network, and security.

• GIAC, The Global Information Assurance Certification program, provides assurance that a certified individual meets a minimum level of ability and possesses the skills necessary to do the job.

Page 55: Penetration Testing Basics


SANS and GIAC Guiding Principles

• Education
  – Current, Evolving and Proven Material
  – Certifications that prove you have the knowledge and skills to get the job done

• Hands-On
  – Hands-on training conducted by instructors who are experts in their fields
  – Testing process that evaluates hands-on capabilities

• Community
  – Listening to and learning from the community's needs
  – Giving vital knowledge back to the community

Page 56: Penetration Testing Basics


How SANS and GIAC Are Different From Other Training/Certifications

• SANS and GIAC constantly update course and certification information to keep you on top of current threats and vulnerabilities.

• We use real-world, hands-on scenarios.
• While tools are an important part of IT security, we teach you and validate actual skills, so you don't have to rely solely on the performance of a tool.

• The SANS Promise - You will be able to apply our information security training the day you get back to the office.

Page 57: Penetration Testing Basics


GIAC Certification

GIAC Silver Certifications – Multiple choice exams only

GIAC Gold Certifications – Plus a written technical report

GIAC Platinum Series – Highest certification level

Page 58: Penetration Testing Basics


Top 3 Reasons to Earn Your GIAC Certification

1. Hiring managers use GIAC certifications to ensure that candidates actually possess deep technical skills

2. GIAC certifications help IT Security Professionals get promoted faster and earn more money

3. GIAC certification reinforces and affirms the 'hands on' knowledge you possess

Page 59: Penetration Testing Basics


What Certified People Say

"The GIAC certification has enabled me to take the next step in my Information Security career. It allowed me to prove that my value was more than just that of a security minded Sys Admin." – J. Klein, Enterprise Information Systems, Cedars-Sinai Medical Center

"The SANS hands-on experience and the intensive GIAC certification process has garnered me the respect of my boss and peers. Now, when I speak, people listen. I have the confidence to get the job done. My boss looks at me with respect that simply wasn't there before SANS training and GIAC certification. Not only my boss, but managers and peers at other large organizations." – Matt Carpenter, Enterprise Information Systems

GIAC certifications help IT Security Professionals get promoted faster and earn more money…

Page 60: Penetration Testing Basics


GIAC Certifications

• GSEC - Security Essentials
• GCFW - Firewall Analyst
• GCIA - Intrusion Analyst
• GCIH - Incident Handler
• GCFA - Forensics Analyst
• GCUX - Unix Security
• GCWN - Windows Security
• GNET - .NET
• GSOC - Securing Oracle
• GSSP-JAVA - Secure Coding
• GSSP-C - Secure Coding
• GISF - Information Security Fundamentals
• GSAE - Security Audit Essentials
• GSLC - Security Leadership
• GSNA - System & Network Auditor
• G7799 - ISO 17799/27001
• GISP - Information Security Professional
• GCIM - Incident Manager
• GAWN - Auditing Wireless Networks
• GREM - Reverse-Engineering Malware
• GPEN - Penetration Tester
• GCPM - IT Project Management

For a complete list of GIAC Certifications: http://www.giac.org/certifications/roadmap.php

Page 61: Penetration Testing Basics


Free Resources

• SANS and GIAC have a variety of free resources readily available at www.sans.org and www.giac.org

• Here's a sample of what we offer:
  – Internet Storm Center
  – SANS reading room - http://www.sans.org/reading_room
  – Top 15 Malicious Spyware Actions
  – SANS Security Policy Samples
  – The Internet Guide to Popular Resources on Information Security
  – FAQ's
  – SCORE
  – Security Tool White Papers and GIAC Gold Papers
  – Glossary of Security Terms

Page 62: Penetration Testing Basics


Questions: [email protected]@giac.org

Thank You!