  • Slide 1
  • Penetration Testing
  • Slide 2
  • What is Penetration Testing? AKA "Pentesting": an attack on a computer system with the intention of finding security weaknesses. Performed by sysadmins or trusted agents.
  • Slide 3
  • How is this different from hacking?
      • Black-hat hackers violate computer security for malicious purposes or personal gain.
      • White-hat hackers break security for non-malicious purposes, usually when performing authorized security tests.
      • Grey-hat hackers rationalize that they are acting morally when they are not, e.g. breaking into systems for fun, then emailing the sysadmin to tell them about the security hole.
  • Slide 4
  • What are the goals of Pentesting?
      • Discover network or application vulnerabilities.
      • Determine the feasibility of a particular set of attack vectors.
      • Assess the magnitude of business & operational impacts of a successful attack.
      • Test the capability of network defenses.
  • Slide 5
  • Successful attacks against govt computers, as reported to CERT* (*US-Computer Emergency Response Team)
  • Slide 6
  • Attempted attacks
      • Pentagon: 10,000,000 attempts each day
      • Natl Nuclear Security Agency: 10,000,000/day
      • From the same document...
      • Michigan: 120,000 attacks per day
      • U.K.: 120,000 attacks per day
      • Utah: 20,000,000 attacks each day
      • Multiple definitions of "attack" & "attempt"? Do not blindly believe any numbers you read.
  • Slide 7
  • 5 Phases of a network attack
      1. Reconnaissance
      2. Scanning
      3. Penetration
      4. Covering Tracks
      5. Maintaining Access
      • Pentesting generally focuses on Steps 1-3
  • Slide 8
  • Reconnaissance: collecting data on the target passively. Multiple interpretations:
      1. sending no electrons to the target network, or
      2. only sending electrons through means that are normally authorized, such as reading the public website.
      • Common means: Google, whois
  • Slide 9
  • Reconnaissance
      • nslookup www.usna.edu gives the IP address and server name
      • http://www.whois.net, search for usna.edu: gives the physical address, names of sysadmins (people with root access), names/IPs of DNS servers
  • Slide 11
  • Reconnaissance: Google for URL prefixes (different servers)
      • site:usna.edu gives www.usna.edu, libguides.usna.edu, ...
      • Run nslookup to find the name/IP of each server: nslookup libguides.usna.edu, nslookup aisweb.usna.edu
  • Slide 12
  • Reconnaissance
      URL                  IP               Server Name
      www.usna.edu         136.160.88.139   webster-new.dmz.usna.edu
      libguides.usna.edu   174.132.16.38    libguides.com
      aisweb.usna.edu      136.160.88.133   aeisenhower.dmz.usna.edu
      library.usna.edu     136.160.88.140   library.usna.edu
      lists.usna.edu       136.160.89.10    lists.usna.edu
      • Exercise: In 10 minutes, find out as much as you can about the USMA network.
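How the URL / IP / Server Name table on slide 12 is filled in from the nslookup step on slides 9-11, as an added example that is not part of the original slides: a parser for BIND-style nslookup output that skips the resolver's own Address line and takes the Name: line as the server behind the URL. The transcripts are constructed (the resolver 10.10.1.1 is made up); only the hostnames, IPs and server names come from the slide.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed nslookup transcripts (BIND-style output); the hostnames, IPs and
# server names are those of the slide 12 table, the resolver 10.10.1.1 is made up.
NSLOOKUP_OUTPUT: Dict[str, str] = {
    "www.usna.edu": """\
Server:\t\t10.10.1.1
Address:\t10.10.1.1#53

Non-authoritative answer:
www.usna.edu\tcanonical name = webster-new.dmz.usna.edu.
Name:\twebster-new.dmz.usna.edu
Address: 136.160.88.139
""",
    "library.usna.edu": """\
Server:\t\t10.10.1.1
Address:\t10.10.1.1#53

Non-authoritative answer:
Name:\tlibrary.usna.edu
Address: 136.160.88.140
""",
}

NAME_RE = re.compile(r"^Name:\s+(\S+)")
# An answer address has no '#port' suffix; the resolver's own 'Address: x#53' line does.
ADDR_RE = re.compile(r"^Address:\s+(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_nslookup(output: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (ip, server_name) from one transcript, or (None, None) on NXDOMAIN.

    For an alias, nslookup prints 'canonical name =' and then 'Name:' with the
    target, so the Name: line is the real server behind the URL.
    """
    ip = name = None
    for line in output.splitlines():
        m = NAME_RE.match(line)
        if m and name is None:
            name = m.group(1).rstrip(".")
        m = ADDR_RE.match(line)
        if m and ip is None:
            ip = m.group(1)
    return ip, name

def recon_table(outputs: Dict[str, str]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Rows of (URL, IP, Server Name), the table on slide 12."""
    return [(host, *parse_nslookup(text)) for host, text in outputs.items()]
```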
  • Slide 13
  • Scanning: collecting data on the target by sending packets at it.
      • Find the existence of hosts at IP addresses.
      • Find open ports on hosts.
      • Determine versions of services on hosts.
      • Determine the OS of a host.
      • Tends to be noisy (lots of packets). May be construed as an attack. Never do this without written permission.
  • Slide 14
  • Scanning: nmap is the #1 scanning tool (Network Mapper)
      1. Host Discovery
      • nmap -sn 10.10.1.0/24    # Determine which IPs are online
      • Exercise: what messages does nmap send for this command? arp, TCP SYN to ports 80, 443, 53
      • nmap -sL 10.10.1.0/24    # List IPs only
      • Exercise: what messages does nmap send for this command? None
  • Slide 15
  • Scanning: 1. Host Discovery (cont), using extra ports in the scan:
      • nmap -sn -PS22-25 10.10.1.0/24    # TCP SYN Ping
      • Exercise: what mechanism does nmap use for this command? arp, TCP to ports 22-25
  • Slide 16
  • Scanning: 2. Enumerate Open Ports
      • less /usr/share/nmap/nmap-services    # List of ports & protocols by usage
      • nmap --top-ports 5 10.10.1.10    # Selects only the 5 top ports from this file
      • nmap 10.10.1.10    # TCP SYN Scan (default, same as -sS). SYN only, never sends ACK or reset. Stealthy, since not logged, but can consume the target's resources.
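What "selects only the 5 top ports from this file" means in practice, as an added example (not from the slides and not nmap's own code): a parser for the nmap-services line format (`name port/proto open-frequency [# comment]`) and a simplified model of how --top-ports ranks ports by open-frequency within a protocol. The excerpt is constructed with illustrative frequencies, and breaking ties by lower port number is this example's choice, not documented nmap behaviour.

```python
from typing import Dict, List, Tuple

# Constructed excerpt in the nmap-services format; the frequencies are illustrative.
SAMPLE_NMAP_SERVICES = """\
# Fields: service-name  port/protocol  open-frequency  [# comment]
http\t80/tcp\t0.484143\t# World Wide Web HTTP
telnet\t23/tcp\t0.221265
https\t443/tcp\t0.208669\t# secure http (SSL)
ftp\t21/tcp\t0.197667\t# File Transfer [Control]
ssh\t22/tcp\t0.182286\t# Secure Shell Login
smtp\t25/tcp\t0.131314\t# Simple Mail Transfer
domain\t53/udp\t0.213496\t# Domain Name Server
snmp\t161/udp\t0.433467\t# Simple Net Mgmt Proto
unknown\t1/tcp\t0.000000
"""

def parse_nmap_services(text: str) -> Dict[str, List[Tuple[int, str, float]]]:
    """Return {proto: [(port, name, open_frequency), ...]}.

    Blank lines and '#' comments are skipped, including a trailing
    '# comment' on a data line, which is how nmap reads the file.
    """
    by_proto: Dict[str, List[Tuple[int, str, float]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto, freq = line.split()[:3]
        port, proto = portproto.split("/")
        by_proto.setdefault(proto, []).append((int(port), name, float(freq)))
    return by_proto

def top_ports(text: str, n: int, proto: str = "tcp") -> List[int]:
    """Ports that --top-ports n selects: the n highest open-frequency ports of
    the protocol (ties broken here by lower port number), in ascending order."""
    entries = parse_nmap_services(text).get(proto, [])
    ranked = sorted(entries, key=lambda e: (-e[2], e[0]))[:n]
    return sorted(port for port, _, _ in ranked)

if __name__ == "__main__":
    print(top_ports(SAMPLE_NMAP_SERVICES, 5))  # [21, 22, 23, 80, 443]
```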
  • Slide 17
  • Scanning: 2. Enumerate Open Ports (cont)
      • nmap -sT 10.10.1.10    # TCP Connect Scan: SYN/SYN-ACK/ACK-Reset. Gets logged, less likely to crash the target server.
      • nmap -sA 10.10.1.10    # TCP ACK Scan: send an ACK to a host we are not talking to. The host may reply by sending a Reset to indicate there is no connection.
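The three handshake shapes on slides 16-17 (SYN scan, Connect scan, ACK scan) as they look from the target's side, as an added example that is not part of the original slides: a small detector that groups packets into flows and names the scan each source host's flows resemble. The capture is a constructed, simplified summary (flags as letters only, no payload sizes), so a real detector would also require many probed ports and no data before calling a full handshake a Connect scan.

```python
from collections import Counter, defaultdict
# Constructed capture summary: "src:port > dst:port flags", one packet per line.
SAMPLE_CAPTURE = """\
10.10.1.99:40001 > 10.10.1.10:22 S
10.10.1.10:22 > 10.10.1.99:40001 SA
10.10.1.99:40001 > 10.10.1.10:22 R
10.10.1.99:40002 > 10.10.1.10:443 S
10.10.1.10:443 > 10.10.1.99:40002 RA
10.10.1.77:50001 > 10.10.1.10:80 S
10.10.1.10:80 > 10.10.1.77:50001 SA
10.10.1.77:50001 > 10.10.1.10:80 A
10.10.1.77:50001 > 10.10.1.10:80 R
10.10.1.55:60001 > 10.10.1.10:25 A
10.10.1.10:25 > 10.10.1.55:60001 R
"""
SCAN_NAMES = {"ack-probe": "TCP ACK scan (-sA)", "full-handshake": "TCP Connect scan (-sT)",
              "half-open": "TCP SYN scan (-sS)"}

def parse_flows(text):
    """Group packets into flows keyed (client, server); the client sent the first packet."""
    flows = {}
    for line in filter(str.strip, text.splitlines()):
        src, _, dst, flags = line.split()
        if (dst, src) in flows:                       # reply from the server side
            flows[(dst, src)].append(("server", flags))
        else:
            flows.setdefault((src, dst), []).append(("client", flags))
    return flows

def flow_pattern(pkts):
    """Name the handshake shape of one flow (the patterns on slides 16-17)."""
    client = [f for side, f in pkts if side == "client"]
    server = [f for side, f in pkts if side == "server"]
    if client[0] != "S":                              # no SYN: ACK scan probe or noise
        return "ack-probe" if client[0] == "A" else "other"
    if "SA" not in server:
        return "closed"            # SYN answered by RST/ACK (or silence): port not open
    if "A" in client:
        return "full-handshake"    # SYN/SYN-ACK/ACK then RST: -sT, logged by the service
    return "half-open"             # SYN/SYN-ACK/RST: -sS, handshake never completes

def pattern_counts(text):
    """Per source host, how many flows show each pattern."""
    counts = defaultdict(Counter)
    for (client, _), pkts in parse_flows(text).items():
        counts[client.rsplit(":", 1)[0]][flow_pattern(pkts)] += 1
    return dict(counts)

def classify_sources(text):
    """Map each source host to the nmap scan its flows resemble; SCAN_NAMES order wins."""
    return {src: next((name for pat, name in SCAN_NAMES.items() if c[pat]), "no scan signature")
            for src, c in pattern_counts(text).items()}
```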
  • Slide 18
  • Scanning
      3. Version detection: nmap -sV 10.10.1.10    # Enables service versioning
      4. OS detection: nmap -O 10.10.1.10    # Enables OS detection
      • nmap -O --osscan-guess 10.10.1.10
      • nmap -O --fuzzy 10.10.1.10
  • Slide 19
  • Pentest admin
      • Signed agreement: the "get out of jail free" card. Never send any electrons to the target network without one.
      • Scope: range of IPs, type of tests, etc.
      • Damage control
      • Indemnification
      • In-house vs. Outsourced: Trust? Can a sysadmin reasonably pentest their own network?