
Pentesting 101


This talk, presented at Secure 360 in May of 2017, was aimed at giving nerds like me - as well as regular human people - some insight into the fundamentals of pentesting. The PowerPoint presentation had an Arnold Schwarzenegger / Terminator 2 theme :-)

Published in: Technology

Pentesting 101

  1. Tweet along: #Sec360 www.Secure360.org
  2. If you can see this, the projector works (sometimes, that’s half the battle)
  3. Penetration Testing 101: No Hoodie Required! Presented by: Brian Johnson
  4. Who’s this guy? NOT either of these Brians
  5. Who’s this guy? • Sr. Security Engineer for Emergent Networks • Podcaster (7 Minute Security / @7MinSec) • Minuscule movie star
  8. Agenda • Good (and not-so-good!) training opportunities • Build your own pentest lab! • Pentesting vs. vulnerability scanning • Let’s do some pentesting (and even follow a methodology)!
  9. Good (and bad) pentest training: Certified Ethical Hacker v8 (meh…) • Pros: HR/execs seem to like the title :-/ • Cons: a little light in the actual “hacking” dept • Costs: ~$2k-3k for live training, ~$1,000 for self-study; test: ~$500
  10. Good (and bad) pentest training: Offensive Security Certified Professional (yeh!) • Pros: almost 100% hands-on hacking of modern systems • Cons: might kill you • Costs: self-paced study bought in chunks of 30 ($800), 60 ($1,000) or 90 ($1,150) days
  11. Good (and bad) pentest training: VulnHub.com (yeh!) • Pros: hack machines in a safe (legal) way! • Cons: addicting! • Cost: free!
  12. Build your own pentest lab for ~$500
  13. Build your own pentest lab for ~$500
  14. Build your own pentest lab for ~$500 • Intel NUC Kit (NUC6i3SYH) - $289 • Crucial 16GB Single DDR4 2133 MT/s (PC4-17000) SODIMM 260-Pin Memory - $59 • Samsung 850 EVO - 500GB - 2.5-Inch SATA III Internal SSD - $159 • VMware ESXi – free!
  15. Build your own pentest lab for ~$500 • Get a copy of Kali (free) at www.kali.org! • Available in a variety of flavors – virtual/ARM images, ISOs, etc. • Microsoft OSs can also be downloaded/installed for free (trial basis)
  16. Vulnerability scanning vs. penetration testing (source: securitymetrics.com)
  17. What is vulnerability scanning? • A “gentle” (passive) discovery of vulnerabilities • Either unauthenticated (boo) or authenticated (yay!) • Reports on vulnerabilities – but doesn’t exploit ’em • Oversimplified: run a scan, click File → Print …and call it done!
  18. What is vulnerability scanning?
  19. What is penetration testing?
  20. What is penetration testing? • “Practice of testing a computer system to find vulnerabilities that an attacker could exploit” - TechTarget.com • Uses a combination of tools/techniques to leverage (hack!) discovered vulnerabilities • Goals include: cracking passwords, stealing data, establishing backdoors and much more! • Oversimplified: picks up where vulnerability scanning leaves off
  21. What is penetration testing? Let’s actually abuse this vulnerability!
  22. What is penetration testing? Shellshock – discovered in September 2014 • Nothing to do with Teenage Mutant Ninja Turtles • An arbitrary code execution (ACE) vulnerability that abuses the User-Agent string to execute commands on the target. Whut?
  23. What is penetration testing? Shellshock – discovered in September 2014 • Good: • BAD(!): =
  25. Vulnerability scanning vs. pentesting! (source: securitymetrics.com) • Typically cheap(er) vs. typically expensive(ish) • Passive/gentle vs. active/aggressive! • No actual exploitation of vulnerabilities vs. Exploitastic! • Stuff probably won’t break vs. Mayhem will ensue!
  26. Hacking demo! Warning: don’t do this at work. Pentesting the corporate network makes managers… Always get clear, written permission to pentest your targets!
  27. Let’s hack Skynet!
  28. Let’s hack Skynet (twice)! 1. …with a direct server attack 2. …by poisoning the network
  29. Direct attack: let’s follow a pentest methodology (what a concept!) • Reconnaissance • Scanning • Gaining access • Maintaining access
  30. Reconnaissance: gathering preliminary data about a target, either actively or passively
  31. Reconnaissance
  32. Reconnaissance
  33. Reconnaissance
  34. Reconnaissance: Exploit-db.com
  35. Reconnaissance
  36. Reconnaissance: https://github.com/DataSploit/datasploit
  37. Reconnaissance
  38. Reconnaissance
  39. Reconnaissance
  40. Reconnaissance (source: wigle.net)
  41. Scanning: using tools to gather further intel on the target(s).
  42. Scanning - NMAP: a Swiss army knife for network scanning! • Been around since 1997 • Runs on just about any OS • Entire books written about it!
  43. Scanning - NMAP • Example: find all hosts that respond to ping: nmap -sn 192.168.3.0/24
  44. Scanning – Sparta
  45. Scanning – abusing DNS: dig. Typically used to query DNS name servers for information. Example: dig emergentnetworks.com
  46. Scanning – abusing DNS: dig. Typically used to query DNS name servers for information. Example: dig emergentnetworks.com MX
  47. Scanning – abusing DNS: zone transfer
  48. Scanning – dirb and fcrackzip
  49. Gaining access: take control of one or more devices to extract data and launch attacks
  50. Gaining access
  51. Gaining access - phpmailer. PHPMailer vulnerability – December 2016. In the vulnerable version of PHPMailer, the sender email address is passed unescaped to a shell command. An attacker could include shell commands in the sender email that execute malicious code on a target machine or website. (Source: wordfence.com)
  52. Gaining access - phpmailer
  53. Gaining access - phpmailer
  54. Gaining access - phpmailer
  55. Gaining access - phpmailer
  56. PHPMailer defense? Patch, patch, patch!!!!!
  57. Maintaining access: remain persistent in the target environment to gather as much information as possible, for as long as possible
  58. Maintaining access – Web shells (b374k)
  59. Maintaining access – b374k
  60. Maintaining access – b374k
  61. Maintaining access – b374k
  62. Let’s hack Skynet (twice)! 1. …with a direct server attack 2. …by poisoning the network
  63. Network poisoning with Responder. Oversimplified: when Windows machines (Vista and newer) request a resource that the DNS server is unaware of, they fall back to other name-resolution broadcasts (LLMNR/NBT-NS), which Responder can poison
  64. Network poisoning with Responder
  65. Network poisoning with Responder
  66. Network poisoning with Responder
  67. (Diagram) T-1000 PC: “Hey DNS server, ever heard of fil01?” DNS Server: “Sorry, nope! Never heard of it.” T-1000 PC: “Aaaaaaanybody else (NetBIOS/LLMNR?)?” Arnie’s Hacking Box: “IT’S ME, FIL01! AUTHENTICATE TO ME! DO IT! DO IT NOOOWWWWWWWW!!!” T-1000 PC: “Great! Here comes some authentication info!”
  68. Network poisoning with Responder
  69. Responder defense?
  72. Thank you! Feel free to contact me with comments/questions! Brian Johnson / Emergent Networks • Work: BrianJ@EmergentNetworks.com • Personal: Brian@BrianJohnson.tv • Twitter: @7MinSec
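Slide 22 describes Shellshock as code execution driven through the User-Agent string. The talk's own slides show the exploit side; the example below is an added detection-side illustration (not part of the deck or of any of the tools it names): it flags the bash function-definition prefix `() {` that Shellshock attempts place at the start of a header value, both for inline header checks and for combing through existing web-server logs. The log format (Apache/nginx "combined") and the sample log lines are constructed assumptions.

```python
import re

# Shellshock exploit attempts begin an HTTP header value with a bash function
# definition, "() {". On an unpatched bash, a CGI server that exported such a
# header into the environment (e.g. HTTP_USER_AGENT) ran whatever followed the
# function body. Matching that prefix is the usual network/log signature.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" log format; the last two quoted fields are Referer
# and User-Agent, the headers most often abused.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def suspicious_headers(headers):
    """Names of request headers whose value carries the Shellshock marker (inline/WAF-style check)."""
    return [name for name, value in headers.items() if SHELLSHOCK_MARKER.search(value)]


def scan_access_log(lines):
    """(client_ip, field, value) for each combined-format line whose User-Agent or Referer carries the marker."""
    hits = []
    for line in lines:
        m = COMBINED_LOG.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess at the fields
        for field in ("ua", "ref"):
            if SHELLSHOCK_MARKER.search(m.group(field)):
                hits.append((m.group("ip"), field, m.group(field)))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:15:32 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [25/Sep/2014:10:15:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo SHELLSHOCK-TEST"',
    '198.51.100.4 - - [25/Sep/2014:10:16:01 +0000] "GET / HTTP/1.1" 200 3044 "() { :; }; echo SHELLSHOCK-TEST" "curl/7.38.0"',
]

if __name__ == "__main__":
    for ip, field, value in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: shellshock marker in {field!r}: {value}")
```

The marker is a signature, not a fix: the real remedy is a patched bash (and not exporting request headers into the environment of a shell at all). Scanning old logs with this is still worthwhile, because a hit tells you which hosts were probed and when.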
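Slide 43 gives the ping sweep `nmap -sn 192.168.3.0/24`. As an added example (my code, not the speaker's and not part of nmap), here is the defender's version of the same step: run the sweep with greppable output, parse the "Host:" lines, and diff the live hosts against an asset inventory so anything answering on the segment that nobody knows about stands out. The greppable format is nmap's real `-oG` output; the sample output and inventory are constructed.

```python
import re
import subprocess

# One "Host:" line of nmap's greppable (-oG) output, e.g.
#   Host: 192.168.3.1 (gw.lab)<TAB>Status: Up
HOST_LINE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s+Status:\s+(?P<status>\w+)")


def parse_ping_sweep(greppable):
    """Map IP -> reverse-DNS name (or None) for every host nmap reported as Up."""
    live = {}
    for line in greppable.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group("status") == "Up":
            live[m.group("ip")] = m.group("name") or None
    return live


def unexpected_hosts(live, inventory):
    """IPs that answered the sweep but are not in the asset inventory, in address order (IPv4 only)."""
    return sorted(set(live) - set(inventory), key=lambda ip: tuple(int(o) for o in ip.split(".")))


def ping_sweep(cidr):
    """Run the slide's sweep with greppable output on stdout; needs nmap installed (not exercised offline)."""
    result = subprocess.run(["nmap", "-sn", "-oG", "-", cidr], capture_output=True, text=True, check=True)
    return parse_ping_sweep(result.stdout)


# Constructed sample output and inventory; the Down line only appears when nmap runs with -v.
SAMPLE_OUTPUT = """\
# Nmap 7.40 scan initiated Mon May  8 09:00:00 2017 as: nmap -sn -oG - 192.168.3.0/24
Host: 192.168.3.1 (gw.lab)\tStatus: Up
Host: 192.168.3.20 (fil01.lab)\tStatus: Up
Host: 192.168.3.77 ()\tStatus: Up
Host: 192.168.3.254 ()\tStatus: Down
# Nmap done at Mon May  8 09:00:03 2017 -- 256 IP addresses (3 hosts up) scanned in 3.02 seconds
"""
KNOWN_ASSETS = {"192.168.3.1", "192.168.3.20"}

if __name__ == "__main__":
    live = parse_ping_sweep(SAMPLE_OUTPUT)
    print("hosts up:", live)
    print("not in inventory:", unexpected_hosts(live, KNOWN_ASSETS))
```

Scheduled against your own segments (with the written permission slide 26 insists on), this turns the attacker's first scanning step into a rogue-device check.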
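Slide 51 says the vulnerable PHPMailer passed the sender address, unescaped, to a shell command. The following is an added illustration of that bug class and its fix, written in Python rather than PHP and not reproducing PHPMailer's actual code: the weak pattern builds one command string for a shell to parse, so whitespace inside the "address" becomes extra sendmail arguments; the hardened pattern applies a strict allow-list and hands the address over as a single argv element with no shell involved. The sendmail path and the sample addresses are constructed assumptions.

```python
import re
import shlex

# Constructed stand-in for the sendmail call a mail library makes; the real
# PHPMailer code path is not reproduced here.
SENDMAIL = "/usr/sbin/sendmail"


def build_command_vulnerable(sender):
    """The pattern slide 51 describes: the address is pasted into one string that a shell will parse."""
    return f"{SENDMAIL} -t -i -f{sender}"


def argv_as_shell_sees_it(command):
    """How a POSIX shell splits the string: whitespace and quoting inside the address become extra arguments."""
    return shlex.split(command)


# Conservative allow-list for an envelope sender: local@domain, no whitespace,
# no quotes, no shell metacharacters. Deliberately stricter than RFC 5321.
SAFE_SENDER = re.compile(r"^[A-Za-z0-9._%+\-]+@[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)+$")


def is_accepted(sender):
    return SAFE_SENDER.fullmatch(sender) is not None


def build_command_hardened(sender):
    """Validate first, then pass the address as a single argv element so no shell ever parses it."""
    if not is_accepted(sender):
        raise ValueError(f"rejected envelope sender: {sender!r}")
    return [SENDMAIL, "-t", "-i", "-f" + sender]


if __name__ == "__main__":
    good = "bob@example.com"
    odd = "bob@example.com extra argument"  # constructed: whitespace smuggles extra words into argv
    print(argv_as_shell_sees_it(build_command_vulnerable(good)))   # 4 words
    print(argv_as_shell_sees_it(build_command_vulnerable(odd)))    # 6 words: two reach sendmail as options
    print(build_command_hardened(good))
    try:
        build_command_hardened(odd)
    except ValueError as err:
        print(err)
```

RFC 5321 permits quoted local parts that contain spaces, so a validator that follows the RFC to the letter would pass exactly the input the shell mis-parses; the allow-list here trades that flexibility for safety. None of this replaces slide 56's advice: the library fix is to patch, and the argv form is what keeps the next such bug from becoming code execution.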
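Slides 63 and 67 explain the mechanism Responder abuses: a Windows host that gets no DNS answer for a name such as fil01 asks the local segment over LLMNR/NBT-NS, and whoever answers first wins. Slide 69 asks about the defense but carries no text, so this added example (my code, not the speaker's and not part of Responder) shows one detection approach a defender can run: send an LLMNR query for a name that should not exist on the LAN and record every host that answers. It builds and parses the LLMNR message format (RFC 4795, which reuses the DNS header and record layout); the name fil01 comes from slide 67, and the constructed answer packet in `build_llmnr_answer` exists only so the parser can be tested offline. The standard mitigation, disabling LLMNR and NBT-NS through policy, is separate from this canary.

```python
import socket
import struct

LLMNR_GROUP = "224.0.0.252"  # RFC 4795 IPv4 multicast group
LLMNR_PORT = 5355


def encode_name(name):
    """DNS-style label encoding: length-prefixed labels, terminated by a zero byte."""
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_llmnr_query(name, txid):
    """Standard LLMNR A query: header (ID, flags=0, QDCOUNT=1) + question (name, type A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(data, offset):
    """Decode a possibly compressed name; returns (name, offset just past it)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            name, _ = decode_name(data, ptr)
            labels.append(name)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_llmnr_response(data, txid):
    """[(name, ipv4)] from the A records of a response to our query, or None if it is not one."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # wrong transaction or QR bit clear
        return None
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = decode_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return answers


def build_llmnr_answer(txid, name, ip, ttl=30, compress=False):
    """Constructed: the shape of the answer a responding host sends back. Only used to test the parser offline."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    owner = b"\xC0\x0C" if compress else encode_name(name)  # pointer to the question name at offset 12
    return header + question + owner + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)


def probe(name, timeout=2.0, txid=0x7A11):
    """Canary: ask the segment for a name that should not exist and return everything that answers."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    responders = []  # any entry here is a host claiming a name that is not real
    try:
        while True:
            data, (src_ip, _port) = sock.recvfrom(4096)
            parsed = parse_llmnr_response(data, txid)
            if parsed:
                responders.append((src_ip, parsed))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return responders


if __name__ == "__main__":
    print(probe("fil01-canary-does-not-exist"))  # [] on a clean segment
```

On a segment with no poisoner the canary returns an empty list; a responder of any kind, for a name that you never created, is the finding. Run it from a few vantage points, since LLMNR is link-local and the probe only sees its own broadcast domain.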
