Introduction to Network Penetration Tests according to OSSTMM
 

"Competent Analysts will require adequate networking knowledge,
diligent security testing skills, and critical thinking skills to
assure factual data collection creates factual results through
correlation and analysis." - OSSTMM v3

The Network Penetration Test (NPT) aims to verify the security of the
systems exposed on the network. It evaluates the presence of controls,
and their correct implementation, that cancel or limit the existing
threats to the organization's assets. The activity evaluates a
specific scenario that varies according to the target, the position of
the attackers and the information available to the personnel involved.

A Penetration Test is carried out through various activities that are
often very delicate and important and, as clearly specified in the
Open Source Security Testing Methodology Manual (OSSTMM), analysts
must not only have adequate knowledge of the network and its protocols
but also apply critical reasoning to gather and correlate information
correctly, so as to obtain objective results.

During the seminar the OSSTMM methodology will be introduced, with
particular attention to TCP/IP networks (Data Networks) and to the
typical operations for discovering hosts on the network and
identifying interactive services.

    Presentation transcript

    • Introduction to Network Penetration Tests according to OSSTMM. Linux Day 2012, Rome, 27 October 2012. Simone Onofri - simone.onofri@techub.it
    • Introduction: NPT and OSSTMM
    • http://onofri.org/u/npt2012
    • Network Penetration Test?
    • Network Penetration Test: the Network Penetration Test has the purpose of verifying the security of the systems exposed on the network.
    • Network Penetration Test: the presence and correct implementation of the controls that cancel, or limit, the threats is evaluated
    • Network Penetration Test: the activity evaluates a specific scenario according to the target, the position of the attackers and the information available
    • Network Penetration Test: how?
    • Network Penetration Test: Open
    • Network Penetration Test: Source
    • Network Penetration Test: Security
    • Network Penetration Test: Testing
    • Network Penetration Test: Methodology
    • Network Penetration Test: Manual
    • Network Penetration Test: OSSTMM
    • traceroute to isecom.org
      # traceroute -n isecom.org
      traceroute to isecom.org (216.92.116.13), 64 hops max, 52 byte packets
      [...]
      16 195.22.192.181 48.888 ms 52.587 ms 49.014 ms
      17 89.221.34.50 40.760 ms 37.027 ms 40.741 ms
      18 64.210.21.150 180.909 ms 170.083 ms 178.578 ms
      19 * * *
      20 * * *
    • traceroute to isecom.org
      # tcpdump -Sni en0
      440701 IP 195.22.192.181 > 10.10.10.10: ICMP time exceeded in-transit, length 36
      493212 IP 195.22.192.181 > 10.10.10.10: ICMP time exceeded in-transit, length 36
      542222 IP 195.22.192.181 > 10.10.10.10: ICMP time exceeded in-transit, length 36
      583138 IP 89.221.34.50 > 10.10.10.10: ICMP time exceeded in-transit, length 36
      620053 IP 89.221.34.50 > 10.10.10.10: ICMP time exceeded in-transit, length 36
      660844 IP 89.221.34.50 > 10.10.10.10: ICMP time exceeded in-transit, length 36
      841862 IP 64.210.21.150 > 10.10.10.10: ICMP time exceeded in-transit, length 36
      011975 IP 64.210.21.150 > 10.10.10.10: ICMP time exceeded in-transit, length 36
      190596 IP 64.210.21.150 > 10.10.10.10: ICMP time exceeded in-transit, length 36
    • What you need to know: a brief introduction to the methodology
    • “security is about protection” Pete Herzog - No More of the Same Bad Security
    • Operational Security (figure): Visibility, Access, Trust. Interactive Controls: Authentication, Indemnification, Resilience, Subjugation, Continuity. Process Controls: Non-Repudiation, Confidentiality, Privacy, Integrity, Alarm. Limitations: Exposure, Vulnerability, Weakness, Concern
    • What you need to do: rules of engagement and the auditor trifecta
    • Rules of engagement (selection): how to “regulate” the activity
    • Rules of engagement (selection): Fear, Uncertainty, Deception
    • Rules of engagement (selection): X Fear, Uncertainty, Deception
    • Rules of engagement (selection): if I don't break in, it's free
    • Rules of engagement (selection): X if I don't break in, it's free
    • Rules of engagement (selection): run the tests ONLY if expressly authorized
    • Rules of engagement (selection): regardless of any NDA, never disclose information or results
    • Rules of engagement (selection): know your tools
    • Rules of engagement (selection): do not leave the scope less secure than it was before you arrived
    • Rules of engagement (selection)
    • Trifecta: the three questions to ask yourself during an engagement
    • Trifecta: How does it work?
    • Trifecta: How does management think it works?
    • Trifecta: What is actually needed?
    • Trifecta
    • Security testing of Data Networks: some elements according to OSSTMM
    • 11.1 Posture Review
    • 11.2 Logistics
    • 11.2.1 Framework
    • # whois isecom.org
      [...]
      Registrant Organization:Institute for Security and Open Methodologies
      [...]
      Registrant City:Lake George
      Registrant State/Province:NY
      Registrant Postal Code:12845
      Registrant Country:US
      Registrant Phone:+1.5186***********
      [...]
      Registrant Email:a*******@isecom.org
      Admin Name:Peter Herzog
      Admin Organization:Institute for Security and Open Methodologies
      [...]
      Admin City:Lake George
      Admin State/Province:NY
      Admin Postal Code:12845
      Admin Country:US
      Admin Phone:+1. 5186***********
      Admin FAX Ext.:
      Admin Email:a*******@isecom.org
      [...]
      Name Server:NS222.PAIR.COM
      Name Server:NS0000.NS0.COM
    • # dig isecom.org @NS222.PAIR.COM ANY
      ; <<>> DiG 9.8.3-P1 <<>> isecom.org @NS222.PAIR.COM ANY
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65151
      ;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
      ;; WARNING: recursion requested but not available
      ;; QUESTION SECTION:
      ;isecom.org. IN ANY
      ;; ANSWER SECTION:
      isecom.org. 3600 IN A 216.92.116.13
      isecom.org. 3600 IN MX 50 mailwash4.pair.com.
      isecom.org. 3600 IN SOA ns222.pair.com. root.pair.com. 2012020511 3600 300 604800 3600
      isecom.org. 3600 IN NS ns0000.ns0.com.
      isecom.org. 3600 IN NS ns222.pair.com.
      ;; Query time: 176 msec
      ;; SERVER: 209.68.2.67#53(209.68.2.67)
      [...]
    • # whois 216.92.116.13
      NetRange: 216.92.0.0 - 216.92.255.255
      CIDR: 216.92.0.0/16
      OriginAS:
      NetName: PAIRNET-BLK-3
      NetHandle: NET-216-92-0-0-1
      Parent: NET-216-0-0-0-0
      NetType: Direct Allocation
      Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
      RegDate: 1998-09-25
      Updated: 2001-06-14
      Ref: http://whois.arin.net/rest/net/NET-216-92-0-0-1
      OrgName: pair Networks
      OrgId: PAIR
      Address: 2403 Sidney St
      Address: Suite 510
      City: Pittsburgh
      StateProv: PA
      PostalCode: 15232
      Country: US
      RegDate: 1997-01-30
      Updated: 2008-10-04
    • # nmap -PN --traceroute -n -p80 isecom.org
      Starting Nmap 6.00 ( http://nmap.org ) at 2012-10-27 09:00 CEST
      Nmap scan report for isecom.org (216.92.116.13)
      Host is up (0.17s latency).
      PORT STATE SERVICE
      80/tcp open http
      TRACEROUTE (using port 80/tcp)
      HOP RTT ADDRESS
      [...]
      17 42.97 ms 89.221.34.110
      18 166.42 ms 64.210.21.150
      19 ...
      20 165.39 ms 216.92.116.13
      Nmap done: 1 IP address (1 host up) scanned in 3.28 seconds
    • 11.2.2 Network Quality
    • # hping2 --icmp -c 100 isecom.org
      HPING isecom.org (en0 216.92.116.13): icmp mode set, 28 headers + 0 data bytes
      len=46 ip=216.92.116.13 ttl=48 id=16179 icmp_seq=0 rtt=164.9 ms
      len=46 ip=216.92.116.13 ttl=48 id=16501 icmp_seq=1 rtt=161.0 ms
      len=46 ip=216.92.116.13 ttl=48 id=16733 icmp_seq=2 rtt=165.8 ms
      [...]
      len=46 ip=216.92.116.13 ttl=48 id=39293 icmp_seq=91 rtt=171.9 ms
      len=46 ip=216.92.116.13 ttl=48 id=39386 icmp_seq=92 rtt=161.4 ms
      len=46 ip=216.92.116.13 ttl=48 id=39563 icmp_seq=93 rtt=167.6 ms
      len=46 ip=216.92.116.13 ttl=48 id=39777 icmp_seq=94 rtt=168.3 ms
      len=46 ip=216.92.116.13 ttl=48 id=40557 icmp_seq=95 rtt=164.5 ms
      len=46 ip=216.92.116.13 ttl=48 id=41028 icmp_seq=96 rtt=171.0 ms
      len=46 ip=216.92.116.13 ttl=48 id=41289 icmp_seq=97 rtt=165.6 ms
      len=46 ip=216.92.116.13 ttl=48 id=41378 icmp_seq=98 rtt=167.3 ms
      len=46 ip=216.92.116.13 ttl=48 id=41860 icmp_seq=99 rtt=167.4 ms
      --- isecom.org hping statistic ---
      100 packets tramitted, 97 packets received, 3% packet loss
      round-trip min/avg/max = 161.0/167.1/211.4 ms
    • # hping2 -S -p 80 -c 100 isecom.org
      HPING isecom.org (en0 216.92.116.13): S set, 40 headers + 0 data bytes
      len=46 ip=216.92.116.13 ttl=50 DF id=25484 sport=80 flags=SA seq=0 win=65535 rtt=181.7 ms
      len=46 ip=216.92.116.13 ttl=50 DF id=26974 sport=80 flags=SA seq=1 win=65535 rtt=167.9 ms
      len=46 ip=216.92.116.13 ttl=50 DF id=27338 sport=80 flags=SA seq=2 win=65535 rtt=165.3 ms
      [...]
      len=46 ip=216.92.116.13 ttl=48 DF id=54788 sport=80 flags=SA seq=86 win=65535 rtt=201.6 ms
      len=46 ip=216.92.116.13 ttl=50 DF id=55028 sport=80 flags=SA seq=87 win=65535 rtt=207.3 ms
      len=46 ip=216.92.116.13 ttl=50 DF id=55696 sport=80 flags=SA seq=94 win=65535 rtt=170.4 ms
      len=46 ip=216.92.116.13 ttl=48 DF id=56158 sport=80 flags=SA seq=95 win=65535
      --- isecom.org hping statistic ---
      100 packets tramitted, 99 packets received, 1% packet loss
      round-trip min/avg/max = 161.7/171.6/264.2 ms
    • # hping2 --udp -c 100 isecom.org
      HPING isecom.org (en0 216.92.116.13): udp mode set, 28 headers + 0 data bytes
      ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
      ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
      ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
      ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
      ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
      ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
      ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
      ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
      ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
      [...]
      ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
      ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
      ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
      ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
      ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
      ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
      --- isecom.org hping statistic ---
      100 packets tramitted, 22 packets received, 78% packet loss
      round-trip min/avg/max = 0.0/0.0/0.0 ms
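    As an added illustration of the Network Quality step (not code from the slides), this Python parser reads hping2 per-packet lines in the shape shown above and reports replies, loss, RTT, the probe numbers that got no answer and the TTLs seen; the sample lines are constructed, and the UDP case is handled separately because its answers are ICMP errors without sequence or RTT.

```python
import re
from statistics import mean

# Constructed sample lines in the shape of the hping2 output on the slides
# (TCP SYN to port 80 and UDP mode); the values are made up for the example.
SAMPLE_TCP = """\
HPING isecom.org (en0 216.92.116.13): S set, 40 headers + 0 data bytes
len=46 ip=216.92.116.13 ttl=50 DF id=25484 sport=80 flags=SA seq=0 win=65535 rtt=181.7 ms
len=46 ip=216.92.116.13 ttl=50 DF id=26974 sport=80 flags=SA seq=1 win=65535 rtt=167.9 ms
len=46 ip=216.92.116.13 ttl=48 DF id=54788 sport=80 flags=SA seq=3 win=65535 rtt=201.6 ms
len=46 ip=216.92.116.13 ttl=50 DF id=55028 sport=80 flags=SA seq=4 win=65535 rtt=206.8 ms
"""
SAMPLE_UDP = """\
HPING isecom.org (en0 216.92.116.13): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
"""

SEQ_RE = re.compile(r"seq=(\d+)")        # matches both seq=N and icmp_seq=N
RTT_RE = re.compile(r"rtt=([\d.]+) ms")
TTL_RE = re.compile(r"\bttl=(\d+)")

def parse_hping(output, sent):
    """Summarise per-packet hping2 lines from a run of `sent` probes: replies
    counted, loss %, RTT min/avg/max (None when answers carry no RTT, as with
    UDP port-unreachable), probe numbers left unanswered (only when replies
    carry seq=) and reply TTLs (several TTLs hint at several paths or hosts)."""
    seqs, rtts, ttls, unreach = set(), [], set(), 0
    for line in output.splitlines():
        if line.startswith("ICMP Port Unreachable"):
            unreach += 1          # UDP mode: the answer is an ICMP error, no seq/rtt
            continue
        m = SEQ_RE.search(line)
        if not m:
            continue              # banner or statistics line
        seqs.add(int(m.group(1)))
        r = RTT_RE.search(line)
        if r:
            rtts.append(float(r.group(1)))
        t = TTL_RE.search(line)
        if t:
            ttls.add(int(t.group(1)))
    received = len(seqs) + unreach
    return {
        "received": received,
        "loss_pct": round(100.0 * (sent - received) / sent, 1),
        "rtt": (min(rtts), round(mean(rtts), 1), max(rtts)) if rtts else None,
        "missing_seqs": sorted(set(range(sent)) - seqs) if seqs else None,
        "ttls": sorted(ttls),
    }
```

    Feeding it the real output of `hping2 -c 100` with `sent=100` reproduces the loss figure hping prints and additionally shows which probes were dropped, which the summary line alone does not.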
    • 11.2.3 Time
    • # curl -kisX HEAD isecom.org
      HTTP/1.1 200 OK
      Date: Wed, 26 Oct 2012 09:30:00 GMT
      Server: Apache/2.2.22
      Last-Modified: Fri, 13 Apr 2012 15:48:14 GMT
      ETag: "3e3a-4bd916679ab80"
      Accept-Ranges: bytes
      Content-Length: 15930
      Identity: The Institute for Security and Open Methodologies
      P3P: Not supported at this time
    • 11.3 Active Detection Verification
    • 11.3.1 Filtering
    • 11.3.2 Active Detection
    • # curl -kisX HEAD "http://isecom.org/etc/passwd?format=%%&xss="><script>alert(xss);</script>&traversal=../../&sql=%20OR%201;"
      HTTP/1.1 404 Not Found
      Date: Wed, 27 Oct 2012 09:30:00 GMT
      Server: Apache/2.2.22
      Last-Modified: Fri, 13 Apr 2012 15:48:13 GMT
      ETag: "25db-4bd91666a6940"
      Accept-Ranges: bytes
      Content-Length: 9691
      Identity: The Institute for Security and Open Methodologies
      P3P: Not supported at this time
    • 11.4 Visibility Audit
    • 11.4.1 Network Surveying
    • # dig isecom.org @NS222.PAIR.COM A
      ; <<>> DiG 9.8.3-P1 <<>> isecom.org @NS222.PAIR.COM A
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19360
      ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
      ;; WARNING: recursion requested but not available
      ;; QUESTION SECTION:
      ;isecom.org. IN A
      ;; ANSWER SECTION:
      isecom.org. 3600 IN A 216.92.116.13
      # dig isecom.org @NS222.PAIR.COM AAAA
      ; <<>> DiG 9.8.3-P1 <<>> isecom.org @NS222.PAIR.COM AAAA
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26450
      ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
      # dig isecom.org @NS222.PAIR.COM AXFR
      ; <<>> DiG 9.8.3-P1 <<>> isecom.org @NS222.PAIR.COM AXFR
      ;; global options: +cmd
      ; Transfer failed.
    • 11.4.2 Enumeration
    • # nmap -sT -Pn -n --top-ports 10 isecom.org
      Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-23 04:10 CEST
      Nmap scan report for isecom.org (216.92.116.13)
      Host is up (0.23s latency).
      PORT STATE SERVICE
      21/tcp open ftp
      22/tcp open ssh
      23/tcp closed telnet
      25/tcp filtered smtp
      80/tcp open http
      110/tcp open pop3
      139/tcp closed netbios-ssn
      443/tcp open https
      445/tcp closed microsoft-ds
      3389/tcp closed ms-wbt-server
      Nmap done: 1 IP address (1 host up) scanned in 2.04 seconds
    • # nmap -sT -Pn -n --top-ports 10 --reason isecom.org
      Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-23 04:17 CEST
      Nmap scan report for isecom.org (216.92.116.13)
      Host is up, received user-set (0.22s latency).
      PORT STATE SERVICE REASON
      21/tcp open ftp syn-ack
      22/tcp open ssh syn-ack
      23/tcp closed telnet conn-refused
      25/tcp filtered smtp no-response
      80/tcp open http syn-ack
      110/tcp open pop3 syn-ack
      139/tcp closed netbios-ssn conn-refused
      443/tcp open https syn-ack
      445/tcp closed microsoft-ds conn-refused
      3389/tcp closed ms-wbt-server conn-refused
    • # nmap -sU -Pn -n --top-ports 10 --reason isecom.org
      Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-23 04:28 CEST
      Nmap scan report for hackerhighschool.org (216.92.116.13)
      Host is up, received user-set (0.23s latency).
      PORT STATE SERVICE REASON
      53/udp closed domain port-unreach
      67/udp open|filtered dhcps no-response
      123/udp closed ntp port-unreach
      135/udp closed msrpc port-unreach
      137/udp closed netbios-ns port-unreach
      138/udp closed netbios-dgm port-unreach
      161/udp closed snmp port-unreach
      445/udp closed microsoft-ds port-unreach
      631/udp closed ipp port-unreach
      1434/udp closed ms-sql-m port-unreach
    • # nmap -sU -Pn -n -p53,67 --reason --packet-trace isecom.org
      Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-23 04:32 CEST
      SENT (0.0508s) UDP 192.168.100.53:54940 > 216.92.116.13:67 ttl=46 id=54177 iplen=28
      SENT (0.0509s) UDP 192.168.100.53:54940 > 216.92.116.13:53 ttl=37 id=17751 iplen=40
      RCVD (0.3583s) ICMP 216.92.116.13 > 192.168.100.53 Port unreachable (type=3/code=3) ttl=54 id=1724 iplen=56
      SENT (2.5989s) UDP 192.168.100.53:54941 > 216.92.116.13:67 ttl=49 id=33695 iplen=28
      Nmap scan report for isecom.org (216.92.116.13)
      Host is up, received user-set (0.31s latency).
      PORT STATE SERVICE REASON
      53/udp closed domain port-unreach
      67/udp open|filtered dhcps no-response
      Nmap done: 1 IP address (1 host up) scanned in 4.15 seconds
    • 11.5 Access Verification
    • 11.5.1 Network
    • 11.5.2 Services
    • # nmap -sUV -Pn -n -p53,67 --reason --packet-trace isecom.org
      Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-23 04:44 CEST
      SENT (0.1730s) UDP 192.168.100.53:62664 > 216.92.116.13:53 ttl=48 id=23048 iplen=40
      SENT (0.1731s) UDP 192.168.100.53:62664 > 216.92.116.13:67 ttl=48 id=53183 iplen=28
      RCVD (0.4227s) ICMP 216.92.116.13 > 192.168.100.53 Port unreachable (type=3/code=3) ttl=54 id=20172 iplen=56
      SENT (2.4252s) UDP 192.168.100.53:62665 > 216.92.116.13:67 ttl=50 id=39909 iplen=28
      NSOCK (3.8460s) UDP connection requested to 216.92.116.13:67 (IOD #1) EID 8
      NSOCK (3.8460s) Callback: CONNECT SUCCESS for EID 8 [216.92.116.13:67]
      Service scan sending probe RPCCheck to 216.92.116.13:67 (udp)
      ...and more 80 packets...
      Nmap scan report for isecom.org (216.92.116.13)
      Host is up, received user-set (0.25s latency).
      PORT STATE SERVICE REASON VERSION
      53/udp closed domain port-unreach
      67/udp open|filtered dhcps no-response
    • # nmap -sTV -Pn isecom.org --top-ports 10 --reason
      Starting Nmap 6.00 ( http://nmap.org ) at 2012-10-25 01:41 CEST
      Nmap scan report for isecom.org (216.92.116.13)
      Host is up, received user-set (0.17s latency).
      PORT STATE SERVICE REASON VERSION
      21/tcp open ftp syn-ack NcFTPd
      22/tcp open ssh syn-ack OpenSSH 6.1 (protocol 2.0)
      23/tcp closed telnet conn-refused
      25/tcp filtered smtp no-response
      80/tcp open http syn-ack Apache httpd 2.2.22
      110/tcp open pop3 syn-ack Dovecot pop3d
      139/tcp filtered netbios-ssn no-response
      443/tcp open ssl/http syn-ack Apache httpd 2.2.22
      445/tcp filtered microsoft-ds no-response
      3389/tcp closed ms-wbt-server conn-refused
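    An added example (not from the slides) covering the Enumeration and Services steps: it reads `nmap --reason` report lines in the shape shown above, separates ports the host itself answered for (RST or ICMP unreachable) from ports where nothing replied, and lists the UDP ports left open|filtered that the slides go on to resolve with a -sUV probe. The sample report is constructed.

```python
import re

# Constructed sample in the shape of the `nmap --reason` reports on the slides
# (a TCP connect scan and a UDP scan of a few top ports); values are made up.
SAMPLE_REPORT = """\
PORT     STATE         SERVICE       REASON
22/tcp   open          ssh           syn-ack
23/tcp   closed        telnet        conn-refused
25/tcp   filtered      smtp          no-response
53/udp   closed        domain        port-unreach
67/udp   open|filtered dhcps         no-response
443/tcp  open          https         syn-ack
"""

# port/proto, state, service, reason; header and banner lines do not match
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)")

def classify(state):
    """Map an nmap port state to what it tells the analyst:
    interactive   - the service answered: an access point to record
    host-answered - the host itself refused (RST or ICMP unreachable), so
                    nothing in front of it is filtering that port
    filtered      - no answer at all: a control, or a silent service, is in the way
    ambiguous     - UDP open|filtered, to be resolved with a service probe (-sV)
    """
    if state == "open":
        return "interactive"
    if state == "closed":
        return "host-answered"
    if state == "open|filtered":
        return "ambiguous"
    return "filtered"

def summarize(report):
    """Parse report lines and bucket each (port, reason) by what its state means."""
    buckets = {k: [] for k in ("interactive", "host-answered", "filtered", "ambiguous")}
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if not m:
            continue  # header, banner or "Nmap done" line
        port, proto, state, _service, reason = m.groups()
        buckets[classify(state)].append((f"{port}/{proto}", reason))
    return buckets

def needs_service_probe(buckets):
    """UDP ports left open|filtered by the port scan are re-tested with -sUV."""
    return [p for p, _reason in buckets["ambiguous"] if p.endswith("/udp")]
```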
    • 11.5.3 Authentication
    • 11.6 Trust Verification
    • 11.7 Controls Verification
    • 11.8 Process Verification
    • 11.9 Configuration Verification
    • 11.10 Property Validation
    • 11.11 Segregation Review
    • 11.12 Exposure Verification
    • 11.13 Competitive Intelligence Scouting
    • 11.14 Quarantine Verification
    • 11.15 Privileges Audit
    • 11.16 Survivability Verification
    • 11.17 Alert and Log Review
    • Conclusions: references, tools
    • STAR Report and OSSTMM Test
    • ;-) http://onofri.org/ http://twitter.com/simoneonofri http://it.linkedin.com/simoneonofri http://slideshare.net/simoneonofri THANK YOU!
    • http://onofri.org/ http://twitter.com/simoneonofri http://it.linkedin.com/simoneonofri http://slideshare.net/simoneonofri QUESTIONS?