2. What is Penetration Testing?
AKA “Pentesting”
An attack on a computer system with the
intention of finding security weaknesses.
Performed by sysadmins or trusted agents.
3. How is this different from hacking?
“Black-hat hackers” violate computer
security for maliciousness or personal gain.
“White-hat hackers” break security for non-malicious purposes, usually when performing
authorized security tests.
“Grey-hat hackers” rationalize that they are
acting morally when they are not, e.g.:
Breaking into systems for fun, then emailing the
sysadmin to tell them about the security hole.
4. What are the goals of Pentesting?
Discover network or application vulnerabilities.
Determine feasibility of a particular set of attack vectors.
Assess the magnitude of business & operational impacts of a successful attack.
Test capability of network defenses.
6. Attempted attacks
Pentagon: 10,000,000 attempts each day
Nat’l Nuclear Security Agency: 10,000,000/day
From the same document...
Michigan: 120,000 attacks per day
U.K. 120,000 attacks per day
Utah: 20,000,000 attacks each day
Multiple definitions of attack & attempt?
Do not blindly believe any numbers you read.
7. 5 Phases of a network attack
1. Reconnaissance
2. Scanning
3. Penetration
4. Covering Tracks
5. Maintaining Access
Pentesting generally focuses on Steps 1-3
8. Reconnaissance
Collecting data on the target passively.
Multiple interpretations:
1. sending no electrons to the target network, or
2. only sending electrons through means that are normally
authorized, such as reading the public website.
Common means:
Google
whois
9. Reconnaissance
nslookup www.usna.edu
IP address
Server name
http://www.whois.net, search for usna.edu
Physical address
Name of sysadmins (people with root access)
Names/IP of DNS servers
11. Reconnaissance
Google for URL prefixes (different servers)
site:usna.edu
site:usna.edu -www.usna.edu
site:usna.edu -www.usna.edu -libguides.usna.edu
...
Run nslookup to find name/IP of each server
nslookup libguides.usna.edu
nslookup aisweb.usna.edu
12. Reconnaissance
URL                 IP               Server Name
www.usna.edu        136.160.88.139   webster-new.dmz.usna.edu
libguides.usna.edu  174.132.16.38    libguides.com
aisweb.usna.edu     136.160.88.133   aeisenhower.dmz.usna.edu
library.usna.edu    136.160.88.140   library.usna.edu
lists.usna.edu      136.160.89.10    lists.usna.edu
…
Exercise: In 10 minutes, find out as much as you can about the USMA net
13. Scanning
Collecting data on the target by sending packets at it.
Find existence of hosts at IP addresses.
Find open ports on hosts.
Determine versions of services on hosts.
Determine OS of host.
Tends to be “noisy” (lots of packets)
May be construed as an attack. Never do this without written permission.
14. Scanning
nmap is the #1 scanning tool
“Network Mapper”
1. Host Discovery
nmap -sn 10.10.1.0/24 # Determine which IPs are online
Exercise: what messages does nmap send for this command?
arp, TCP SYN to ports 80, 443, 53
nmap -sL 10.10.1.0/24 # List IPs only
Exercise: what messages does nmap send for this command?
None
15. Scanning
1. Host Discovery (cont) – using extra ports in scan:
nmap -sn -PS22-25 10.10.1.0/24 # TCP SYN Ping
Exercise: what mechanism does nmap use for this command?
arp, TCP to ports 22-25
16. Scanning
2. Enumerate Open Ports:
# List of ports & protocols by usage
less /usr/share/nmap/nmap-services
# Selects only the 5 top ports from this file
nmap --top-ports 5 10.10.1.10
nmap 10.10.1.10 # TCP SYN Scan (default, same as -sS)
# SYN only, never sends ACK or reset.
# Stealthy, since not logged, but can consume target’s resources.
17. Scanning
2. Enumerate Open Ports (cont):
nmap -sT 10.10.1.10 # TCP Connect Scan
# SYN/SYN-ACK/ACK-Reset
# Gets logged, less likely to crash target server.
nmap -sA 10.10.1.10 # TCP ACK Scan
# Send ACK to a host we are not talking to.
# Host may reply by sending a Reset to indicate there is no connection.
18. Scanning
3. Version detection:
nmap -sV 10.10.1.10 # Enables service versioning
4. OS detection:
nmap -O 10.10.1.10 # Enables OS detection
nmap -O --osscan-guess 10.10.1.10
nmap -O --fuzzy 10.10.1.10
19. Pentest admin
Signed agreement.
“Get out of jail free card.”
Never send any electrons to the target network without one.
Scope – range of IPs, type of tests, etc.
Damage control
Indemnification
In-house vs. Outsourced
Trust?
Can a sysadmin reasonably pentest their own network?
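The scope clause of the agreement, turned into a check that runs before any of the nmap commands from the scanning slides is assembled. This is an added example, not code from the slides; the authorized ranges and the excluded gateway are hypothetical values standing in for what a real agreement would list.

```python
import ipaddress
import shlex

# Constructed scope, as it might be written into a signed agreement
# (hypothetical ranges, not taken from the slides).
SCOPE = {
    "allowed": ["10.10.1.0/24", "10.10.5.32/27"],
    "excluded": ["10.10.1.1"],  # e.g. a gateway the client carved out of the test
}

# The scanning phases from the slides mapped onto the nmap flags they introduce.
PHASE_FLAGS = {
    "discover": ["-sn", "-PS22-25"],        # host discovery, extra TCP SYN ping ports
    "ports":    ["-sS", "--top-ports", "5"],  # SYN scan of the 5 most common ports
    "versions": ["-sV"],                      # service version detection
    "os":       ["-O", "--osscan-guess"],     # OS detection, allow best guess
}

def in_scope(target, allowed=None):
    """True if every address in `target` (a host or a CIDR) lies inside one
    authorized range. A target that is not in scope gets no packets at all."""
    allowed = SCOPE["allowed"] if allowed is None else allowed
    net = ipaddress.ip_network(target, strict=False)
    return any(net.version == a.version and net.subnet_of(a)
               for a in map(ipaddress.ip_network, allowed))

def out_of_scope(targets, allowed=None):
    """Return the subset of `targets` the agreement does not cover."""
    return [t for t in targets if not in_scope(t, allowed)]

def build_nmap_command(phase, targets, scope=SCOPE):
    """Return the nmap argv for `phase`, refusing if any target is out of scope.
    Excluded hosts inside an allowed range become nmap's --exclude list."""
    if phase not in PHASE_FLAGS:
        raise ValueError(f"unknown phase {phase!r}")
    bad = out_of_scope(targets, scope["allowed"])
    if bad:
        raise PermissionError("not covered by the agreement: " + ", ".join(bad))
    argv = ["nmap", *PHASE_FLAGS[phase]]
    if scope["excluded"]:
        argv += ["--exclude", ",".join(scope["excluded"])]
    return argv + list(targets)

if __name__ == "__main__":
    for phase in PHASE_FLAGS:
        print(shlex.join(build_nmap_command(phase, ["10.10.1.0/24"])))
    try:
        build_nmap_command("discover", ["10.10.1.0/24", "192.0.2.0/24"])
    except PermissionError as err:
        print("refused:", err)
```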