
Security Penetration Lecture

  1. Security Penetration Testing
     Angela Davis, Mrinmoy Ghosh
     ECE4112 – Internetwork Security, Georgia Institute of Technology
  2. Agenda
     - Introduction to penetration testing
     - Lab scenario
     - Lab setup
     - New additions
     - Conclusions
  3. Penetration Testing
     - Actively assess network security measures by trying to defeat them, rather than reviewing them on paper
     - Can reduce costs by uncovering vulnerabilities before an attacker does
     - Black box vs. white box (how much the tester is told about the target beforehand)
     - External vs. internal (whether the tester starts outside the perimeter or on the internal network)
  4. Lab Scenario
     - Mission: you have been hired by Acme & Burdell to attempt to break into their network.
     - Acme & Burdell has allowed you to break into their network throughout dead week. However, the network admins at Acme & Burdell cannot agree on a single setup for their network, so they change the network setup every two days. If you want to break in, you'll have to do it within a couple of days. Are you ready?
  6. Steps Involved
     - Reconnaissance (find the target IP address)
     - Vulnerability scanning
     - Choosing a target and getting in
     - Maintaining access (look for backdoors)
     - Cracking passwords
     - Alternate ways to get in
  7. Reconnaissance
     - You are given the web address: www.acmeandburdell.com
     - Find the IP address of the web address
     - Use the tools from the course to find out more about the A&B network
  8. Vulnerability Scanning
     - Use your favorite network scanner(s) to scan the IP address range for potential holes
     - Document the services running and look for suspicious ports (a listener on an unusual high port deserves a closer look)
  9. Choosing a Target and an Attack
     - Based on the scan results, choose a vulnerable target
     - Be sure to do a full port-range scan (all 65535 TCP ports) on the target machine. By default nmap probes only its list of common ports, so a service listening on an arbitrary port will not appear unless you ask for the full range.
     - Choose an attack to execute on the target
     - The network scan may not tell you everything about how to attack. You may have to try different attacks learned in class before you succeed. Be creative and reference previous labs for hints!
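The reconnaissance, scanning and target-selection steps above, as an added example that is not part of the lecture's material. It resolves the hostname, runs a full-range nmap scan, parses nmap's grepable output and flags open high ports that nmap could not name, which is where the lab's random-port daemons would sit. The hostname is the one from the lab brief; the scan output embedded below is a constructed sample, not captured from the lab network, and the `nmap` and DNS calls only work when run against a live target.

```python
"""Reconnaissance and full-range port scan (added example, not the lecture's code).

Steps: resolve the hostname, scan all TCP ports with nmap, parse nmap's
grepable (-oG) output, and flag open high ports with no recognised service.
The sample scan output below is constructed, not captured from any host.
"""
import socket
import subprocess
from typing import Dict, List, NamedTuple

TARGET_HOST = "www.acmeandburdell.com"   # from the lab brief; only resolves inside the lab


class OpenPort(NamedTuple):
    port: int
    proto: str
    service: str   # empty when nmap could not identify the listener
    version: str


def resolve(hostname: str) -> List[str]:
    """Step 1: turn the web address into IPv4 addresses (needs the lab's DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)})


def scan_full_range(target: str) -> str:
    """Step 2: -p- covers all 65535 TCP ports; a default nmap run probes only its
    common-port list and misses a daemon on an arbitrary port. -sV fingerprints
    whatever answers so an odd port is not dismissed as 'unknown'."""
    cmd = ["nmap", "-p-", "-sV", "-T4", "-oG", "-", target]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_grepable(output: str) -> Dict[str, List[OpenPort]]:
    """Map each scanned host to its open ports, from -oG output.

    A -oG port entry has the form port/state/proto/owner/service/rpcinfo/version/.
    """
    hosts: Dict[str, List[OpenPort]] = {}
    for line in output.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("Ignored State:")[0]
        open_ports = []
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state == "open":
                open_ports.append(OpenPort(int(port), proto, service, version))
        hosts[ip] = open_ports
    return hosts


def suspicious_ports(ports: List[OpenPort], threshold: int = 1024) -> List[OpenPort]:
    """Open ports above the privileged range that nmap could not name: the usual
    hiding place for a custom vulnerable daemon or a backdoor listener."""
    return [p for p in ports if p.port > threshold and not p.service]


# Constructed sample of nmap -oG output (not real scan data).
SAMPLE_GREPABLE = (
    "# Nmap scan (constructed sample)\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 3.1p1/, "
    "23/closed/tcp//telnet///, 80/open/tcp//http//Apache httpd 1.3.20/, "
    "143/open/tcp//imap//UW imapd 2001.315/, 18006/open/tcp/////"
    "\tIgnored State: closed (65531)\n"
    "# Nmap done\n"
)


def recon_and_scan(hostname: str) -> Dict[str, List[OpenPort]]:
    """Steps 1 and 2 end to end against a live target (requires nmap and the lab network)."""
    results: Dict[str, List[OpenPort]] = {}
    for ip in resolve(hostname):
        results.update(parse_grepable(scan_full_range(ip)))
    return results


if __name__ == "__main__":
    for ip, ports in parse_grepable(SAMPLE_GREPABLE).items():
        print(ip, [f"{p.port}/{p.proto} {p.service or '?'}" for p in ports])
        print("look closer at:", [p.port for p in suspicious_ports(ports)])
```

Against the sample, the parser lists 22, 80, 143 and 18006 as open and singles out 18006 because nmap returned no service name for it; a default scan without `-p-` would never have probed that port at all. Run `recon_and_scan(TARGET_HOST)` instead of the sample once you are on the lab network.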
  10. Maintaining Access (Look for Backdoors)
     - If you got in, assume that someone else may have done so before you. What might they have left behind?
     - Use what you know about the target OS to look for other ways of getting in. Your client needs to know!
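One concrete way to look for what a previous intruder left behind on the Red Hat machines, as an added example that is not part of the lecture. LRK4 is a user-space rootkit: it replaces netstat, ps, ls and similar binaries with copies that hide the intruder's ports, processes and files. The kernel's own socket table in /proc/net/tcp is not affected by a swapped binary, so reading it directly and diffing against what netstat admits to exposes a hidden listener, and `rpm -V` shows which package-managed binaries no longer match their package. All three sample inputs below are constructed; the 18006 listener in them mirrors the port the lab uses for BO2K.

```python
"""Hunting hidden listeners and trojaned binaries (added example, not the lecture's code).

Reads the kernel's TCP table directly, compares it with what the host's netstat
reports, and parses `rpm -V` to list binaries whose checksum no longer matches
their package. The sample inputs at the bottom are constructed.
"""
import subprocess
from typing import Dict, List

TCP_LISTEN = "0A"   # socket state code for LISTEN in /proc/net/tcp


def listening_ports_from_proc(proc_net_tcp: str) -> List[int]:
    """Local ports in LISTEN state, straight from the kernel's table.

    Each data row reads: sl local_address rem_address st ...; addresses are hex ip:port.
    """
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) >= 4 and fields[3] == TCP_LISTEN:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return sorted(ports)


def listening_ports_from_netstat(netstat_ltn: str) -> List[int]:
    """Ports the (possibly trojaned) `netstat -ltn` binary is willing to show."""
    ports = set()
    for line in netstat_ltn.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return sorted(ports)


def hidden_listeners(kernel_ports: List[int], netstat_ports: List[int]) -> List[int]:
    """Listeners the kernel knows about but netstat does not report."""
    return sorted(set(kernel_ports) - set(netstat_ports))


def modified_binaries(rpm_verify_output: str) -> List[str]:
    """Files whose MD5 differs from the package ('5' in the flag column of `rpm -V`)."""
    changed = []
    for line in rpm_verify_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and "5" in parts[0] and parts[-1].startswith("/"):
            changed.append(parts[-1])
    return changed


def audit_live_host() -> Dict[str, list]:
    """Run both checks on the compromised Red Hat box itself (root needed for rpm -V)."""
    with open("/proc/net/tcp") as f:
        kernel = listening_ports_from_proc(f.read())
    netstat = subprocess.run(["netstat", "-ltn"], capture_output=True, text=True).stdout
    # Red Hat 7.2 packaging: ls is in fileutils, ps in procps, netstat/ifconfig in net-tools.
    rpmv = subprocess.run(["rpm", "-V", "fileutils", "procps", "net-tools"],
                          capture_output=True, text=True).stdout
    return {"hidden_listeners": hidden_listeners(kernel, listening_ports_from_netstat(netstat)),
            "modified_binaries": modified_binaries(rpmv)}


# Constructed samples (not captured from a real host). 0x4656 == 18006.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 -1
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 00000000 100 0 0 10 -1
   2: 00000000:4656 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 00000000 100 0 0 10 -1
   3: 0A000005:0016 0A000001:8F2B 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 00000000 100 0 0 10 -1
"""
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
"""
SAMPLE_RPM_V = """\
S.5....T   /bin/netstat
S.5....T   /bin/ps
.......T   /bin/ls
"""

if __name__ == "__main__":
    kernel = listening_ports_from_proc(SAMPLE_PROC_NET_TCP)
    print("hidden:", hidden_listeners(kernel, listening_ports_from_netstat(SAMPLE_NETSTAT)))
    print("replaced:", modified_binaries(SAMPLE_RPM_V))
```

Two caveats belong in the report. A kernel-level rootkit could doctor /proc as well, so cross-check against the ports you saw from outside in your own scan, or from a boot off clean media; and rpm's verification is only as trustworthy as the rpm binary and database on the box. On the Windows machines the equivalent check is the service list rather than the process list: the lab keeps its netcat backdoor alive with an AutoIt script installed as a service via srvany.exe, so killing nc.exe proves nothing until that service and its configured application path are found.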
  11. Cracking Passwords
     - If you broke into a Linux machine, get the password file (on Red Hat the hashes live in /etc/shadow, readable only by root) and try to crack as many passwords as you can.
     - If you broke into a Windows machine, you will find that a previous hacker has installed a password dump program called "pwdump2" in C:\Windows\System32\Pwdump2
       - Use pwdump2 to dump the password hashes to a file
       - Crack as many passwords as you can
     - Get info about pwdump2 at: http://www.securiteam.com/tools/5ZQ0G000FU.html
     - Do the passwords give you more ways to gain access to the system?
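The Linux half of the cracking step, as an added example that is not part of the lecture. Red Hat 7.2 stores hashes in /etc/shadow as `$1$<salt>$<hash>`, which is PHK's MD5-crypt; the block re-implements that algorithm with `hashlib` so the attack runs without crypt(3), then tries a small wordlist, expanded by the cheap mangling rules a cracker such as John applies, against every account under that account's own salt. The shadow lines and wordlist are constructed here and the hashes are computed from made-up passwords. For the LM/NT hashes that pwdump2 produces on the Windows machines the same loop applies with a different hash function, which this block does not implement.

```python
"""Dictionary attack on an MD5-crypt shadow file (added example, not the lecture's code).

md5crypt() re-implements the $1$ algorithm used by glibc crypt(); parse_shadow()
pulls the crackable accounts out of /etc/shadow; crack() tries every candidate
against each account. The shadow file and wordlist below are constructed.
"""
from hashlib import md5
from typing import Dict, Iterable, List, Optional

_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """crypt-style base64: `count` characters, least significant 6 bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """MD5-crypt as implemented by glibc crypt() for $1$ hashes."""
    magic = b"$1$"
    salt = salt[:8]
    ctx = md5(password + magic + salt)
    alt = md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                       # mix in `alt`, one byte per password byte
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:                                # quirk: bits of the length pick \0 or pw[0]
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                      # 1000 rounds to slow brute force down
        ctx1 = md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    encoded = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return (magic + salt + b"$" + encoded).decode()


def parse_shadow(text: str) -> Dict[str, str]:
    """user -> hash for accounts with a $1$ hash; '*' and '!!' (locked) entries are skipped."""
    accounts: Dict[str, str] = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            user, hashed = line.split(":")[:2]
            if hashed.startswith("$1$"):
                accounts[user] = hashed
    return accounts


def mangle(words: Iterable[str]) -> List[str]:
    """The cheap rules that catch 'easy' passwords: case, reversal, trailing digits."""
    out: List[str] = []
    for w in words:
        out.extend((w, w.capitalize(), w[::-1], w + "1", w + "123"))
    return out


def crack(accounts: Dict[str, str], candidates: Iterable[str]) -> Dict[str, Optional[str]]:
    """Per account, the first candidate whose hash under that account's salt matches."""
    candidates = list(candidates)
    results: Dict[str, Optional[str]] = {}
    for user, hashed in accounts.items():
        salt = hashed.split("$")[2].encode()     # $1$<salt>$<hash>
        results[user] = next((w for w in candidates if md5crypt(w.encode(), salt) == hashed), None)
    return results


# Constructed shadow file and wordlist (passwords invented for this example).
SAMPLE_SHADOW = "\n".join([
    "root:" + md5crypt(b"Xk9#vQ2!pL", b"Ab3dE5fG") + ":11800:0:99999:7:::",
    "gburdell:" + md5crypt(b"buzz123", b"q1W2e3R4") + ":11800:0:99999:7:::",
    "acme:" + md5crypt(b"acme", b"sAlTsAlT") + ":11800:0:99999:7:::",
    "daemon:*:11800:0:99999:7:::",
])
WORDLIST = ["password", "buzz", "acme", "georgia", "secret"]

if __name__ == "__main__":
    for user, pw in crack(parse_shadow(SAMPLE_SHADOW), mangle(WORDLIST)).items():
        print(f"{user}: {pw if pw else 'not cracked'}")
```

On the constructed file the two "easy" accounts fall to a 25-candidate list while root survives, which is the pattern the lab sets up: one user per VM has a weak password, and that password is also the one worth trying against the VNC service. The per-account salt is why each candidate has to be rehashed for every user rather than once for the whole file.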
  12. Alternate Ways of Getting In
     - Each vulnerable machine is set up to allow multiple ways of getting in. You will get full credit (8 points) if you discover all of them and document your findings thoroughly.
     - In addition to the normal means of getting extra credit, you will get extra credit if you discover ways of getting in that were not part of the lab setup, OR if you get into a machine you were not expected to, OR if your summary recommendations for the client include something we didn't think of.
  13. Lab Setup
     - Dynamic setup, changing every couple of days. You have to choose a two-day slot in which to complete the lab.
       - Slots are: Tue–Wed, Thu–Fri, Sat–Sun, Mon–Tue
     - Multiple vulnerabilities (at least 2) of varying difficulty
  14. Lab Setup
     - Four virtual machines with different vulnerabilities
     - Only one is running at any one time
     - The TAs choose a different virtual machine to run every couple of days
     - Two decoy machines acting as honeypots always run, to make things interesting
  15. Lab Setup
     - VM1:
       - OS: Red Hat 7.2
       - imapd exploit enabled
       - Remotely exploitable program running on a random port
       - LRK4 rootkit installed, but telnet closed
       - Two users, one with an easy password
       - One of the passwords may be used to open a VNC session
  16. Lab Setup
     - VM2:
       - OS: Red Hat 7.2
       - ICMP server exploit enabled
       - Remotely exploitable program running on a random port
       - LRK4 rootkit installed, but telnet closed
       - Two users, one with an easy password
       - One of the passwords may be used to open a VNC session
  17. Lab Setup
     - VM3:
       - OS: Windows XP (no security patch)
       - DCOM exploit enabled (the RPC/DCOM hole closed by MS03-026)
       - Netcat backdoor running
       - "pwdump2" kept at a known place
       - VNC session that may be opened by cracking one of the passwords
  18. Lab Setup
     - VM4:
       - OS: Windows XP with security patch
       - BO2K (Back Orifice 2000) listening on port 18006
       - Netcat backdoor running
       - "pwdump2" kept at a known place
       - VNC session that may be opened by cracking one of the passwords
  19. Lab Setup
     - Decoy 1 (always running):
       - OS: Windows XP with DCOM security patch
       - BackOfficer Friendly (all traffic simulated: it answers on common ports but offers nothing real to exploit)
       - No user other than Administrator (with a difficult password)
  20. Lab Setup
     - Decoy 2:
       - OS: Red Hat 7.2
       - HTTP, FTP, telnet and SSH ports open
       - No user other than root, with a difficult password
  21. New Tools for Behind the Scenes
     - DCOM security patch: from Microsoft's website, http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
     - pwdump2: dumps the Windows password hashes (LM and NT) from the SAM, which is stored in the registry
     - AutoIt: simple scripting language used to automate simple Windows tasks such as opening or closing Windows applications
       - To keep netcat running, the script checks whether netcat has exited and restarts it
     - srvany.exe: used to install the AutoIt script as a service so that it starts every time Windows XP boots
  22. Conclusions
     - Challenges the students to try different things, not just follow instructions
     - Covers the breadth of the course
     - Students get a flavor of the whole course by completing this challenging lab