Security Penetration Testing
Angela Davis, Mrinmoy Ghosh
ECE4112 – Internetwork Security, Georgia Institute of Technology
  • Legal and Ethical Aspects of Computer Hacking, ECE4883 – Internetwork Security, Georgia Institute of Technology
  • In class today, the following topics will be addressed with respect to the legal and ethical aspects of computer hacking. First we will address the following questions about hacking: What is hacking? The difference between good hacking, bad hacking, and dangerous hacking. What are hackers? The different types of hackers: novice, expert, dangerous. Do hackers have morals? Are there morals in hacking? Should companies hire experts to compromise their security to identify vulnerabilities? Where do hackers learn how to hack? Do hacking schools exist? Should there be hacking schools? Should there be classes like this one? Where can you find hacking schools? Are these schools ethical and legal? Secondly, we will look into several types of policies currently in place for hacking: the United States Code, Title 18; the Georgia Computer Systems Protection Act; HB 822; the Patriot Act; Homeland Security; the Georgia Institute of Technology Computer and Network Usage Policy. What types of policies are in place? How do they differ from each other? What kind of defined lines are there? Should these be there? Are they clear enough? We will then look into some ethical and legal constraints of hacking: How easy is it to catch hackers? How many hackers have been caught? Are these policies good enough? Do they define the limits of “hacking”? Can companies hack into their own systems and find vulnerabilities? Can others find vulnerabilities for them without being asked to?
  • Hacking can mean many things. What do you believe hacking is? It depends on the perception of whoever is being asked. Hacking is an event where one enjoys learning the details of a computer system; is a culture where people find their computer and its surroundings fascinating; is the process of creating a new program or making changes to existing programs using complicated software. History: Introduced publicly by Farmer and Venema in December of 1993 through a post on Usenet. They discussed the idea of using the techniques of an intruder to evaluate a system. They gave examples of how this can help companies and organizations through the various attempts they had made to check the vulnerabilities in a system. They further gave descriptions of how to get such data about the vulnerabilities, gain control of the targeted system, and ways to prevent such attacks from happening altogether. They then chose to freely distribute their program called Security analysis Tool for Auditing Networks, SATAN. This piece of software, free to download, took the time-consuming, complex tools and packaged them all together in a user-friendly application. SATAN provided two main functions: an audit of the system and solutions for the vulnerabilities. “Hacking is art!” was the statement of most hackers who wanted to distinguish themselves from the malicious coders.
  • There are three different categories of hacking. The first is good hacking. Good hacking consists of programmers who work on software to improve the performance of a certain task. This includes hacking into a company with permission, as a job. A security professional falls under this category. The second is bad hacking. Bad hacking consists of less careful programmers who accidentally cause damage to a system or files. This group includes young kids who do not completely understand the program they are using. The third is dangerous hacking. Dangerous hacking is an attempt by a professional to intentionally damage a system or files without permission.
  • Hacking has rules! Yes, there are morals for hacking. First of all, ethical hacking: this is when an ethical hacker is hired or employed by an organization. These tiger teams use the same tools and techniques an intruder may use, but no damage is caused to the system. Security evaluations and reports will in turn help the company find the vulnerabilities in their system. Secondly, inform the owner of the PC, system, or files you are going to hack. Finally, if you are having fun, cause no harm!
  • What is hacktivism? (Gift of Fire, page 289) Hacktivism is the use of hacking to promote a political cause. These activities consist of: pro-drug messages posted on anti-drug websites without permission; downloading files from an atomic research center to protest testing of nuclear weapons; denial of service attacks. It is also defined as a modern form of civil disobedience: non-violent behavior. Many before disapproved of societal ways, and hence came civil revolution and freedom for many. Some consider it cyber-terrorism. It also becomes a cover for pranks and serious activities. Hard to define and identify.
  • Hacking came about when the availability of computers increased. However, access for many was limited. Computer intrusions began where the most damage was the theft of computer time. Eventually, these intrusions were noticed and, instead of using the accurate term “computer criminals”, the media used the term “hacker” to introduce a group of individuals who break into computers for fun, revenge or profit. Of course, once upon a time, hacker was used as a compliment; many changed the term to “cracker” or “intruder”. Hackers in the early days of computing: creative programmers who have fun coding and writing clever programs; people who do cool things with their computers for free; intellectuals who enjoy coding and their computer tools; computer virtuosos! Outside mainstream society. Interested in learning and challenges. Hackers in the developing days of computing: irresponsible, destructive criminals; breaking into systems without permission; responsible for unleashing harmful viruses, stealing sensitive information, destroying important information, and disrupting businesses. Overall they are considered a threat!
  • Hackers today: a mixture of the early-days and developing-days hackers. A variety of skills are possessed by the different types of hackers. Novice hackers: these hackers are not aware of all the different techniques available to hackers. They are not sure, for the most part, how the code works. They just take someone else’s code, modify it a little if they feel like it, and then let it loose. They make lots of mistakes, sometimes committing crimes by mistake. They aren’t really respected and are all called newbies among experienced hackers. Crackers: crackers are experienced hackers who intentionally harm or disrupt a system. They understand the software or hardware they are hacking into and understand the type of code they have created. Expert hackers: hackers are believed to be able to develop tools to search widely and quickly for a particular weakness or vulnerability in a system and move quickly to reveal those vulnerabilities and weaknesses. Dangerous hackers: dangerous hackers are those from within the company or organization. These people have full access to different types of information and can access it without any problems. These can be either ex-employees or current co-workers. They know the vulnerabilities of a system since they see it day in and day out! Ethical hackers: these are known to be trustworthy since they deal with the most sensitive information for a company. They also have strong programming and networking skills. They are usually the “pros” of their business as they are aware of the new and old topics of their industry. Therefore, they are familiar with all types of operating systems, especially the more popular ones. They also have a great deal of knowledge of different types of popular hardware and software commonly used. In addition, their systems management skills also contribute to their understanding of the various systems. Finally, they keep up with the “current” changing environments with much patience. They have also probably published research papers or open source security software.
  • Why should hackers hack? Do they want to hurt someone? Or are they helping someone? Do they not have morals? Hackers do have morals. They believe that they are the Internet’s Robin Hoods. They believe in helping those whose systems are vulnerable. So they hack and find those weaknesses. Now what they do with that information defines more clearly the difference between hackers and crackers. Hackers find such vulnerabilities and ethically report those weaknesses to the system owners. They give solutions and techniques for securing such vulnerabilities. Crackers find such vulnerabilities and sometimes can manipulate information and disrupt an organization’s daily business. They can sometimes destroy important information or the system. What’s in it for them? Nothing, the pleasure, the learning experience? It could be any of these. It could be the Robin Hood in them wanting to help others. Many believe their actions have resulted in tighter security as many more companies attempt to secure their systems. Better software is developed as many hackers find flaws and find solutions for software and systems.
  • Learning to hack: learning hacking techniques, as stated in the slides above, was first introduced in 1993. Many companies believe that these tools are necessary to strengthen their own systems. However, many more object to hiring professional hackers who have previously found vulnerabilities in other systems, especially those who did this without permission. So how do you get the best security professionals? Train them, teach them, send them to school! Hacking schools and classes both exist. For instance, a class like this one teaches concepts, ideas, and implementations of various techniques a “hacker” may use. Who should teach these classes? Other hackers? Technical schools like this one? The government? Well, the answer is all of the above. In fact, hackers have opened up schools, more tech schools are offering classes like these, the government is also training its employees, and so are organizations of all sizes. How else can one secure oneself from vulnerabilities?
Agenda
  • Introduction to penetration testing
  • Lab scenario
  • Lab setup
  • New additions
  • Conclusions

Penetration Testing
  • Actively assess network security measures
  • Possibly reduce costs by uncovering vulnerabilities before suffering the consequences
  • Black box vs. white box
  • External vs. internal

Lab Scenario
  • Mission: you have been hired by Acme & Burdell to attempt to break into their network.
    - Acme & Burdell has allowed you to break into their network throughout dead week. However, the network admins at Acme & Burdell cannot agree on a single setup for their network, so they change their network setup every two days. If you want to break in, you’ll have to do it within a couple of days. Are you ready?

Steps Involved
  • Reconnaissance (find the target IP address)
  • Vulnerability scanning
  • Choosing a target and getting in
  • Maintaining access (look for backdoors)
  • Cracking passwords
  • Alternate ways to get in

Reconnaissance
  • You are given the web address: www.acmeandburdell.com
  • Find the IP address of the web address
  • Use the tools from the course to find out more about the A&B network

Vulnerability Scanning
  • Use your favorite network scanner(s) to scan the IP address range for potential holes
  • Document the services running and look for suspicious ports

Choosing a Target and an Attack
  • Based on the results of scanning, choose a vulnerable target
  • Be sure to do a full port range scan on the target machine; by default “Nmap” covers only its list of well-known ports.
  • Choose an attack to execute on the target
  • The network scan may not give complete information about how you may attack. You may have to try different attacks learned in class before you succeed. Be creative and reference previous labs for hints!

Maintaining Access (Look for Backdoors)
  • If you got in, you should assume that someone else may have done so before. What might they have left behind?
  • Use what you know about the target OS to look for other ways of getting in. Your client needs to know!

Cracking Passwords
  • If you broke into a Linux machine, get the password file and try to crack as many passwords as you can.
  • If you broke into a Windows machine, you will find that a previous hacker has installed a password dump program called “pwdump2” in C:\Windows\System32\Pwdump2
    - Use pwdump2 to dump the password hashes to a file
    - Crack as many passwords as you can
  • Get info about pwdump2 at: http://www.securiteam.com/tools/5ZQ0G000FU.html
  • Do the passwords give you more ways to gain access to the system?

Alternate Ways of Getting In
  • Each vulnerable machine is set up to allow multiple ways of getting in. You will get full credit (8 points) if you discover all of them and document your findings thoroughly.
  • In addition to the normal means of getting extra credit, you will get extra credit if you discover ways of getting in which were not part of the lab setup, OR if you get into a machine you were not expected to, OR if your summary recommendations for the client include something we didn’t think of.
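
The scanning and backdoor-hunting steps above come down to one question for the client: which listeners on each host were not supposed to be there? The script below is an added example, not part of the lab or the lecture's own material; it parses the grepable output of a full-range scan (`nmap -p- -oG -`) and reports every open port that is missing from a baseline the client supplies. The scan text, host addresses and baseline are constructed for the example.

```python
"""Flag unexpected listeners in a full-range nmap grepable (-oG) scan."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `nmap -p- -oG -` output; not a real scan of the lab.
SAMPLE_SCAN = """\
# Nmap scan (constructed sample)
Host: 10.0.0.21 (acme-vm4)\tStatus: Up
Host: 10.0.0.21 (acme-vm4)\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 5900/open/tcp//vnc///, 18006/open/tcp//////, 41251/open/tcp//////\tIgnored State: closed (65530)
Host: 10.0.0.22 (acme-decoy2)\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (65531)
"""

# Ports the client says should be listening on each host (assumed baseline).
EXPECTED: Dict[str, Set[int]] = {
    "10.0.0.21": {135, 445},
    "10.0.0.22": {21, 22, 23, 80},
}

# Grepable lines are tab-separated: "Host: <ip> (<name>)\tPorts: <list>\tIgnored State: ..."
PORTS_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\t|$)")


def parse_grepable(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Return {ip: [(port, protocol, service), ...]} for every open port."""
    hosts: Dict[str, List[Tuple[int, str, str]]] = {}
    for line in text.splitlines():
        m = PORTS_RE.match(line)
        if not m:
            continue  # comments and Status-only lines carry no port data
        ip, _name, port_list = m.groups()
        for entry in port_list.split(", "):
            # Each entry is port/state/proto/owner/service/rpc/version/
            port, state, proto, _owner, service = entry.split("/")[:5]
            if state == "open":
                hosts.setdefault(ip, []).append((int(port), proto, service))
    return hosts


def find_suspicious(scan: Dict[str, List[Tuple[int, str, str]]],
                    expected: Dict[str, Set[int]]) -> List[Tuple[str, int, str]]:
    """Open ports outside the host's baseline, sorted by host and port.

    An empty service field (nmap had no name for the port) is reported as
    'unknown': that is how a program on a random high port or a BO2K listener
    on its default port shows up in the scan."""
    findings: List[Tuple[str, int, str]] = []
    for ip, ports in scan.items():
        for port, _proto, service in ports:
            if port not in expected.get(ip, set()):
                findings.append((ip, port, service or "unknown"))
    return sorted(findings)


if __name__ == "__main__":
    for ip, port, service in find_suspicious(parse_grepable(SAMPLE_SCAN), EXPECTED):
        print(f"{ip}:{port} ({service}) is not in the client's baseline")
```

The VNC port is flagged here only because the baseline omits it; the two unnamed high ports are the kind of finding the "what might they have left behind?" step is asking you to document.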

Lab Setup
  • Dynamic setup, changing every couple of days. You have to choose a slot of two days to complete the lab.
    - Slots are: Tue-Wed, Thu-Fri, Sat-Sun, Mon-Tue
  • Multiple vulnerabilities (at least 2) of varying difficulty

Lab Setup
  • Four virtual machines with different vulnerabilities.
  • Only one will be running at any one time.
  • The TAs choose a different virtual machine to run every couple of days.
  • Two decoy machines acting as honeypots always run, to make things interesting.

Lab Setup
  • VM1:
    - OS: Red Hat 7.2
    - IMAP-d exploit enabled
    - Remotely vulnerable program running on a random port
    - LRK4 rootkit installed, but telnet closed
    - Two users, one with an easy password
    - One of the passwords may be used to open a VNC session

Lab Setup
  • VM2:
    - OS: Red Hat 7.2
    - ICMP server exploit enabled
    - Remotely vulnerable program running on a random port
    - LRK4 rootkit installed, but telnet closed
    - Two users, one with an easy password
    - One of the passwords may be used to open a VNC session

Lab Setup
  • VM3:
    - OS: Windows XP (no security patch)
    - DCOM exploit enabled
    - Netcat backdoor running
    - “pwdump2” kept at a known place
    - VNC session that may be opened by cracking one of the passwords

Lab Setup
  • VM4:
    - OS: Windows XP with security patch
    - BO2K (running on default port 18006)
    - Netcat backdoor running
    - “pwdump2” kept at a known place
    - VNC session that may be opened by cracking one of the passwords

Lab Setup
  • Decoy 1 (always running):
    - OS: Windows XP with DCOM security patch
    - Back Officer Friendly (all traffic simulated)
    - No user other than Administrator (with a difficult password)

Lab Setup
  • Decoy 2:
    - OS: Red Hat 7.2
    - HTTP, FTP, telnet, SSH ports open
    - No users other than root, with a difficult password

New Tools for Behind the Scenes
  • DCOM security patch: from Microsoft’s website, http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
  • Pwdump2: used to dump Windows password hashes from the registry.
  • AutoIt: simple scripting language used for the automation of simple Windows tasks like opening or closing Windows-based applications
    - To keep “netcat” running, the script checks whether netcat has been closed and restarts it
  • Srvany.exe: used to install the AutoIt script as a service so that it starts up every time Windows XP starts
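
The AutoIt-plus-Srvany arrangement on the previous slide is a persistence chain, and it leaves a specific trace: a service whose ImagePath is srvany.exe, with the program it really launches recorded under the service's Parameters subkey as Application and AppParameters (the documented srvany convention). The script below is an added example, not part of the lab; it parses the text that `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` prints (values indented under their key and separated by runs of spaces) and reports every srvany-wrapped service together with what it starts. The registry listing, service name and paths are constructed for the example.

```python
"""Find services wrapped by srvany.exe and report what they really launch."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    system32\DRIVERS\tcpip.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetMon
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    "C:\Program Files\Tools\srvany.exe"
    DisplayName    REG_SZ    Network Monitor
    ObjectName    REG_SZ    LocalSystem

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetMon\Parameters
    Application    REG_SZ    C:\Program Files\Tools\AutoIt3.exe
    AppParameters    REG_SZ    C:\Program Files\Tools\keepalive.au3
"""

# "    <name>    <REG_type>    <data>": name, type and data separated by 2+ spaces.
VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}}; value types are dropped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name, _type, data = m.groups()
                keys[current][name] = data.strip()
    return keys


def executable_of(image_path: str) -> str:
    """Lower-case file name of the service binary, ignoring quoting and arguments."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        image_path = image_path[1:].split('"', 1)[0]
    else:
        image_path = image_path.split()[0]
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_srvany_services(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """(service, Start value, wrapped application, its arguments) for every
    service whose ImagePath is srvany.exe. The real payload is only visible in
    the Parameters subkey, which is what makes the wrapper easy to overlook."""
    found: List[Tuple[str, str, str, str]] = []
    for key, values in keys.items():
        image = values.get("ImagePath")
        if not image or executable_of(image) != "srvany.exe":
            continue
        params = keys.get(key + r"\Parameters", {})
        found.append((key.rsplit("\\", 1)[-1], values.get("Start", "?"),
                      params.get("Application", "<missing>"),
                      params.get("AppParameters", "")))
    return found
```

A Start value of 0x2 means the service is auto-started, which is exactly what a restart-on-boot wrapper for netcat needs; any hit here is worth checking against the client's change records.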

Conclusions
  • Challenges the students to try out different things, not just follow instructions
  • Covers the breadth of the course
  • Students get a flavor of the whole course by completing this challenging lab