hacking module 18
Post on 29-May-2018
8/9/2019 hacking Module 18
http://slidepdf.com/reader/full/hacking-module-18 1/93
NMCSP
2008 Batch-I
Module XVIII
Penetration Testing
Introduction to PT
Most hackers follow a common underlying approach when it comes to penetrating a system.
In the context of penetration testing, the tester is limited by resources, namely time, skilled resources, access to equipment etc., as outlined in the penetration testing agreement.
A pentest simulates the methods used by intruders to gain unauthorized access to an organization's networked systems and then compromise them.
Categories of security assessments
Every organization uses different types of security assessments to validate the level of security on its network resources.
Security assessment categories are security audits, vulnerability assessments and penetration testing.
Each type of security assessment requires that the people conducting the assessment have different skills.
Vulnerability Assessment
This assessment scans a network for known security weaknesses.
Vulnerability scanning tools search network segments for IP-enabled devices and enumerate systems, operating systems, and applications.
Vulnerability scanners can test systems and network devices for exposure to common attacks. Additionally, vulnerability scanners can identify common security mistakes.
Limitations of Vulnerability Assessment
Vulnerability scanning software is limited in its ability to detect vulnerabilities at a given point in time.
Vulnerability scanning software must be updated when new vulnerabilities are discovered and improvements are made to the software being used.
The methodology used as well as the diverse vulnerability scanning software packages assess security differently. This can influence the result of the assessment.
Penetration Testing
Penetration testing assesses the security model of the organization as a whole.
Penetration testing reveals the potential consequences of a real attacker breaking into the network.
A penetration tester is differentiated from an attacker only by his intent and lack of malice.
Penetration testing that is not completed professionally can result in the loss of services and disruption of business continuity.
Types of Penetration Testing
External testing
This type of testing involves analysis of publicly available information, a network enumeration phase, and analysis of the behavior of security devices.
Internal testing
Testing will typically be performed from a number of network access points, representing each logical and physical segment.
- Black hat testing / zero knowledge testing
- Gray hat testing / partial knowledge testing
- White hat testing / complete knowledge testing
Risk Management
An unannounced test is usually associated with higher risk and a greater potential of encountering unexpected problems.
Risk = Threat x Vulnerability
A planned risk is any event that has the potential to adversely affect the penetration test.
The pentest team is advised to plan for significant risks to enable contingency plans in order to effectively utilize time and resources.
Do-it Yourself Testing
The degree to which the testing can be automated is one of the major variables that affect the skill level and time needed to run a pentest.
The degree of test automation, the extra cost of acquiring a tool and the time needed to gain proficiency are factors that influence the test period.
Outsourcing Penetration Testing Services
Drivers for outsourcing pentest services:
To get the network audited by an external agency to acquire an intruder's point of view.
The organization may require a specific security assessment and suggested corrective measures.
Underwriting Penetration Testing
Professional liability insurance pays for settlements or judgments for which pentesters become liable as a result of their actions, or failure to perform, professional services.
It is also known as E&O insurance or professional indemnity insurance.
Terms of Engagement
An organization must sanction a penetration test against any of its production systems only after it agrees upon explicitly stated rules of engagement.
It must state the terms of reference under which the agency can interact with the organization.
It can specify the desired code of conduct, the procedures to be followed and the nature of interaction between the testers and the organization.
Project Scope
Determining the scope of the pentest is essential to decide if the test is a targeted test or a comprehensive test.
Comprehensive assessments are coordinated efforts by the pentest agency to uncover as many vulnerabilities as possible throughout the organization. A targeted test will seek to identify vulnerabilities in specific systems and practices.
Pentest Service Level Agreements
A service level agreement is a contract that details the terms of service that an outsourcer will provide.
Professionally done SLAs can also include both remedies and penalties.
The bottom line is that SLAs define the minimum levels of availability from the testers, and determine what actions will be taken in the event of serious disruption.
Testing Points
Organizations have to reach a consensus on the extent of information that can be divulged to the testing team to determine the start point of the test. Providing a penetration-testing team with additional information may give them an unrealistic advantage.
Similarly, the extent to which the vulnerabilities need to be exploited without disrupting critical services needs to be determined.
Testing Locations
The pentest team may have a preference to do the test remotely or on-site.
A remote assessment may simulate an external hacker attack. However, it may miss assessing internal guards.
An on-site assessment may be expensive and not simulate an external threat exactly.
Automated Testing
Automated testing can result in time and cost savings over the long term; however, it cannot replace an experienced security professional.
Tools can have a high learning curve and may need frequent updating to be effective.
With automated testing, there is no scope for any of the architectural elements to be tested. As with vulnerability scanners, there can be false negatives or, worse, false positives.
Manual Testing
This is the best option an organization can choose to benefit from the experience of a security professional.
The objective of the professional is to assess the security posture of the organization from a hacker's perspective.
A manual approach requires planning, test design and scheduling, and diligent documentation to capture the results of the testing process in its entirety.
Using DNS Domain Name and IP Address Information
Data from the DNS servers related to the target network can be used to map a target organization's network.
The DNS record also provides some valuable information regarding the OS or applications that are being run on the server.
The IP block of an organization can be discerned by looking up the domain name, and contact information for personnel can be obtained.
Enumerating Information About Hosts on Publicly Available Networks
Enumeration can be done using port scanning tools, using IP protocols and listening to TCP/UDP ports.
The testing team can then visualize a detailed network diagram of what can be publicly accessed.
Additionally, the effort can reveal screened subnets and a comprehensive list of the types of traffic which are allowed in and out of the network.
Web site crawlers can mirror entire sites.
Testing Network-Filtering Devices
The objective of the pentest team would be to ascertain that all legitimate traffic flows through the filtering device.
Proxy servers may be subjected to stress tests to determine their ability to filter out unwanted packets.
Testing for default installations of the firewall can be done to ensure that default user IDs and passwords have been disabled or changed.
Testers can also check for any remote login capability that might have been enabled.
Enumerating Devices
A device inventory is a collection of network devices, together with some relevant information about each device, recorded in a document. After the network has been mapped and the business assets identified, the next logical step is to make an inventory of the devices.
A physical check may be conducted additionally to ensure that the enumerated devices have been located correctly.
Denial of Service Emulation
Emulating DoS attacks can be resource intensive.
DoS attacks can be emulated using hardware.
Some online sites simulate DoS attacks for a nominal charge.
These tests are meant to check the effectiveness of anti-DoS devices.
Pen Test using AppScan
AppScan is a tool developed for automated web application security testing and weakness assessment.
HackerShield
HackerShield is an anti-hacking program that identifies and fixes the vulnerabilities that hackers exploit in servers, workstations and other IP devices.
Pen-Test Using Cerberus Internet Scanner
Cerberus Information Security used to maintain the Cerberus Internet Scanner, known for short as CIS and now available at @stake.
It is programmed to assist administrators in finding and fixing vulnerabilities in their systems.
Pen-Test Using Foundscan
Foundscan tries to safely identify the operating systems running on each live host by analyzing the returned data with an algorithm.
Pen-Test Using Nessus
Nessus is a suitable utility for service detection as it has an enhanced service-detecting feature.
Pen-Test Using NetRecon
NetRecon is useful in defining common intrusion and attack scenarios to locate and report network holes.
Pen-Test Using SAINT
SAINT monitors every live system on a network for TCP and UDP devices.
Pen-Test Using SecureNET
SecureNET Pro is a fusion of many technologies, namely session monitoring, firewall, hijacking, and keyword-based intrusion detection.
Pen-Test Using SecureScan
SecureScan is a network vulnerability assessment tool that determines whether internal networks and firewalls are vulnerable to attacks, and recommends corrective action for identified vulnerabilities.
Pen-Test Using SATAN, SARA and Security Analyzer
Security Auditor's Research Assistant (SARA) is a third generation Unix-based security analysis tool.
SATAN is considered to be one of the pioneering tools that led to the development of vulnerability assessment tools.
Security Analyzer helps in preventing attacks, protecting the critical systems and safeguarding the information.
Pen-Test Using STAT Analyzer
STAT Analyzer is a vulnerability assessment utility that integrates state-of-the-art commercial network modeling and scanning tools.
VigilEnt
VigilEnt helps in protecting systems by assessing policy compliance and identifying security vulnerabilities, and helps correct exposures before they result in failed audits, security breaches or costly downtime.
WebInspect
WebInspect complements firewalls and intrusion detection systems by identifying Web application security holes, defects or bugs, with a security suggestion for each.
Evaluating Different Types of Pen-Test Tools
The different factors affecting the type of tool selected include:
Cost
Platform
Ease of use
Compatibility
Reporting capabilities
Asset Audit
Typically, an asset audit focuses on what needs to be protected in an organization.
The audit enables organizations to specify what they have and how well these assets have been protected.
The audit can help in assessing the risk posed by the threat to the business assets.
Fault Tree and Attack Trees
Commonly used as a deductive, top-down method for evaluating a system's events.
Involves specifying a root event to analyze, followed by identifying all the related events (or second-tier events) that could have caused the root event to occur.
An attack tree provides a formal, methodical way of describing who, when, why, how, and with what probability an intruder might attack a system.
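The attack-tree evaluation the slide describes, as an added example that is not part of the original module: leaf probabilities are propagated up through AND/OR nodes to the root goal, and each leaf is then ranked by how much the root probability drops if that leaf is mitigated. The tree and every probability in it are constructed for illustration.

```python
"""Attack-tree evaluation: an added example, not part of the original slides.

An attack tree has a root goal, OR nodes (any child suffices) and AND nodes
(every child is needed). Each leaf carries an assumed probability that an
intruder succeeds at that step. The tree below and all its probabilities
are constructed for illustration; leaf events are assumed independent.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"            # "LEAF", "AND" or "OR"
    p: float = 0.0                # leaf probability of attacker success
    children: List["Node"] = field(default_factory=list)


def success_probability(node: Node) -> float:
    """Propagate leaf probabilities to the root.

    AND: every child must succeed  -> product of child probabilities
    OR : any child suffices        -> 1 - product of (1 - child probability)
    """
    if node.kind == "LEAF":
        return node.p
    child_ps = [success_probability(c) for c in node.children]
    if node.kind == "AND":
        result = 1.0
        for cp in child_ps:
            result *= cp
        return result
    if node.kind == "OR":
        fail_all = 1.0
        for cp in child_ps:
            fail_all *= (1.0 - cp)
        return 1.0 - fail_all
    raise ValueError(f"unknown node kind {node.kind!r}")


def leaves(node: Node) -> List[Node]:
    if node.kind == "LEAF":
        return [node]
    out: List[Node] = []
    for c in node.children:
        out.extend(leaves(c))
    return out


def mitigation_ranking(root: Node) -> Tuple[float, List[Tuple[str, float]]]:
    """Baseline root probability plus, per leaf, the root probability if that
    leaf were fully mitigated (p = 0), sorted lowest residual first, so the
    first entry is the single control that helps the defender most."""
    baseline = success_probability(root)
    ranking = []
    for leaf in leaves(root):
        saved = leaf.p
        leaf.p = 0.0
        ranking.append((leaf.name, round(success_probability(root), 4)))
        leaf.p = saved
    ranking.sort(key=lambda t: t[1])
    return baseline, ranking


# Constructed example tree (hypothetical figures, not from the slides):
# goal: read customer database
#   OR
#   +-- AND: steal DBA credentials and log in remotely
#   |     +-- LEAF: phish DBA (0.3)
#   |     +-- LEAF: remote login enabled on DB server (0.5)
#   +-- AND: exploit an unpatched DB service
#         +-- LEAF: DB port reachable from outside (0.2)
#         +-- LEAF: DB service unpatched (0.4)
example_tree = Node("read customer database", "OR", children=[
    Node("credential theft path", "AND", children=[
        Node("phish DBA", p=0.3),
        Node("remote login enabled", p=0.5),
    ]),
    Node("exploit path", "AND", children=[
        Node("DB port reachable externally", p=0.2),
        Node("DB service unpatched", p=0.4),
    ]),
])


if __name__ == "__main__":
    base, ranking = mitigation_ranking(example_tree)
    print(f"root success probability: {base:.4f}")
    for name, residual in ranking:
        print(f"  mitigate '{name}': root probability -> {residual:.4f}")
```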
GAP Analysis
A gap analysis is used to determine how complete a system's security measures are.
The purpose of a gap analysis is to evaluate the gaps between an organization's vision (where it wants to be) and current position (where it is).
In the area of security testing, the analysis is typically accomplished by establishing the extent to which the system meets the requirements of a specific internal or external standard (or checklist).
Threat
Once a device inventory has been compiled, the next step in this process is to list the different security threats.
The pentest team can list the different security threats that each hardware device and software component might face.
The possible threats could be determined by identifying the specific exploits that could cause such threats to occur.
Business Impact of Threat
After a device inventory has been compiled, the next step is to list the various security threats that each hardware device and software component faces. The pentesters need to rate each exploit and the threat arising out of the exploit to assess the business impact. A relative severity can then be assigned to each threat.
Internal Metrics Threat
Internal metrics are the information available within the organization that can be used for assessing the risk.
The metrics may be arrived at differently by pentest teams depending on the method followed and their experience with the organization.
Sometimes this may be a time consuming effort, or the data may be insufficient to be statistically valid.
Calculating Relative Criticality
Once high, medium, and low values have been assigned to the probability of an exploit being successful, and the impact to the business should the event occur, it then becomes possible to combine these values into a single assessment of the criticality of this potential vulnerability.
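The procedure in the Threat, Business Impact and Relative Criticality slides carried through in code, as an added example rather than the module's own method: a device inventory with the threats each device faces, High/Medium/Low ratings for probability and impact, and a combined criticality that yields a prioritized list. The slides give no combination rule, so the ordinal scoring and bands below are assumptions, and the inventory is constructed.

```python
"""Relative criticality of threats: an added example, not the slides' method.

The slides say to (1) inventory devices, (2) list the threats each device
faces, (3) rate each threat's probability of success and business impact as
High/Medium/Low, and (4) combine the two ratings into one criticality value.
The slides give no combination rule; this example assumes an ordinal score
(High=3, Medium=2, Low=1) multiplied together, banded as 1-2 = Low,
3-4 = Medium, 6-9 = High. The inventory below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

RATING = {"H": 3, "M": 2, "L": 1}


@dataclass(frozen=True)
class Threat:
    device: str       # entry from the device inventory
    name: str         # threat (exploit) the device faces
    probability: str  # H / M / L, likelihood the exploit succeeds
    impact: str       # H / M / L, business impact if it does


def criticality_score(probability: str, impact: str) -> int:
    """Combine the two H/M/L ratings into a single 1..9 score (assumed rule)."""
    try:
        return RATING[probability.upper()] * RATING[impact.upper()]
    except KeyError as exc:
        raise ValueError(f"rating must be H, M or L, got {exc}") from None


def criticality_band(score: int) -> str:
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def prioritise(threats: List[Threat]) -> List[Tuple[str, str, int, str]]:
    """Return (device, threat, score, band) sorted highest criticality first;
    ties are broken by device and threat name so the order is stable."""
    rows = [(t.device, t.name, criticality_score(t.probability, t.impact))
            for t in threats]
    rows.sort(key=lambda r: (-r[2], r[0], r[1]))
    return [(d, n, s, criticality_band(s)) for d, n, s in rows]


def device_summary(threats: List[Threat]) -> Dict[str, Tuple[int, int]]:
    """Per device: (highest criticality score, number of threats listed)."""
    summary: Dict[str, Tuple[int, int]] = {}
    for t in threats:
        score = criticality_score(t.probability, t.impact)
        best, count = summary.get(t.device, (0, 0))
        summary[t.device] = (max(best, score), count + 1)
    return summary


# Constructed inventory and threat list (hypothetical, not from the slides).
SAMPLE_THREATS = [
    Threat("edge-firewall", "default admin password left in place", "M", "H"),
    Threat("edge-firewall", "remote login enabled from the Internet", "H", "H"),
    Threat("web-server", "outdated web application framework", "H", "M"),
    Threat("web-server", "directory listing enabled", "H", "L"),
    Threat("file-server", "anonymous share readable", "M", "M"),
    Threat("printer", "SNMP community string left at default", "L", "L"),
]

if __name__ == "__main__":
    for device, name, score, band in prioritise(SAMPLE_THREATS):
        print(f"{band:6} {score}  {device:14} {name}")
    for device, (best, count) in device_summary(SAMPLE_THREATS).items():
        print(f"{device}: highest score {best}, {count} threat(s)")
```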
Test Dependencies
From the management perspective, the dependencies would be approvals, agreement on rules of engagement, signing a contract for non-disclosure as well as ascertaining the compensation terms.
Post-testing dependencies would include proper documentation, preserving logs, recording screen captures etc.
Defect Tracking Tools
Web Based Bug/Defect Tracking Software
By Avensoft.com
Bug Tracker Server is a web based bug/defect tracking software that is used by product developers and manufacturers to manage product defects.
SWB Tracker
By softwarewithbrains.com
SWBTracker supports multi-user platforms with concurrent licensing.
Advanced Defect Tracking Web Edition
By http://www.borderwave.com
The software allows one to track bugs, defects, feature requests and suggestions by version, customer etc.
Disk Replication Tools
Snapback DUP
By http://www.hallogram.com
This utility is programmed to create an exact image backup of a server or workstation hard drive.
Daffodil Replicator
By http://www.daffodildb.com
Daffodil Replicator is a tool that enables the user to synchronize multiple data sources using a Java application.
Image MASSter 4002i
By http://www.ics-iq.com
This tool allows the user to work out a solution for setting up workstations and operating system roll-out methods.
DNS Zone Transfer Testing Tools
DNS analyzer
http://www.solarwinds.net/Tools/IP_Address_Management/DNS%20Analyzer/index.ht
The DNS Analyzer application is used to display the order of the DNS resource records.
Spam blacklist
http://www.solarwinds.net/Tools/EmailMgmt
DNS Blacklists are a popular tool used by e-mail administrators to help block reception of SPAM into their mail systems.
Network Auditing Tools
eTrust Audit (AUDIT LOG REPOSITORY)
By http://ca.com
This tool does not reduce system performance, and it handles the loads of network traffic that are generated by other auditing products.
iInventory
By http://www.iinventory.com
The iInventory program enables the user to audit a Windows, Mac or Linux operating system for detailed hardware and software configuration.
Centennial Discovery
This Discovery program has a unique pending LAN Probe software, which is able to locate every IP hardware device connected to the network.
Trace Route Tools and Services
Trellian Trace Route
By www.tucows.com
The trace route application allows the website administrator to see how many servers his website traffic passes through before it reaches the computer, informs the website administrator if there are any problem-causing servers, and even gives a ping time for each server in the path.
Ip Tracer 1.3
By www.soft32.com
Ip Tracer is an application made for tracking down spammers.
Network Sniffing Tools
Sniff'em
By www.sniff-em.com/
Sniff'em is a competitively priced, performance minded Windows based packet sniffer, network analyzer and network sniffer, a revolutionary new network management tool designed from the ground up with ease and functionality in mind.
PromiScan
By www.shareup.com
PromiScan has better monitoring capabilities by providing a nonstop watch to detect rogue programs starting and stopping without increasing the network load.
Denial of Service Emulation Tools
FlameThrower
By www.antara.net
It generates real-world Internet traffic from a single network appliance, so users can determine the overall site capacity and performance and pinpoint weaknesses and potentially fatal bottlenecks.
Mercury LoadRunner
By http://www.mercury.com
The Mercury LoadRunner application is the industry-standard performance-testing product for the system's behavior and performance.
ClearSight Analyzer
By www.spirentcom.com
ClearSight Analyzer has many features; these include an Application Troubleshooting Core that is used to troubleshoot applications with visual representations of the information.
Traditional Load Testing Tools
PORTENT Supreme
By www.loadtesting.com
Portent Supreme is a featured tool for generating large amounts of HTTP traffic, which can be sent to the web server.
WebMux
By www.redhillnetworks.com/
The WebMux load balancer can share the load among a large number of servers, making them appear as one large virtual server.
SilkPerformer
By www.segue.com/
SilkPerformer enables the user to accurately predict the weaknesses in the application and its infrastructure before it is deployed, regardless of its size or complexity.
System Software Assessment Tools
System Scanner
By www.iss.net
The System Scanner network security application operates as an integrated component of Internet Security Systems' security management platform, assessing host security and monitoring, detecting and reporting system security weaknesses.
Internet Scanner
By www.shavlik.com
This utility has a simple, intuitive interface that allows the user to accurately control which groups are going to be scanned and by what principle, when and how they are installed.
Database Scanner
By www.iss.net
The database scanner assesses online business risks by identifying security exposures in leading database applications.
Operating System Protection Tools
Bastille Linux - URL: www.bastille-linux.org
Bastille Linux is programmed to inform the installing administrator about the security issues concerned in each of the script's tasks.
Engarde Secure Linux - URL: www.engardelinux.org
Engarde Linux provides greater levels of support, support for more advanced hardware and a more sophisticated upgrade path.
Fingerprinting Tools
@Stake LC 5 - URL: www.atstake.com
@Stake LC5 decreases security risk by assisting the administrators to identify and fix security holes that are due to the use of weak or easily deduced passwords.
Foundstone - URL: www.foundstone.com
Foundstone's fully automated approach to vulnerability remediation enables organizations to easily track and manage the vulnerability fix process.
Port Scanning Tools
Superscan
By www.foundstone.com
This utility can scan through ports at good speed, and it also has an enhanced feature to support unlimited IP ranges.
Advanced Port Scanner
By www.pcflank.com
Advanced Port Scanner is a user-friendly port scanner that runs multi-threaded for the best possible performance.
AW Security Port Scanner
By www.atelierweb.com
Atelier Web Security Port Scanner (AWSPS) is a resourceful network diagnostic toolset that adds a new aspect of capabilities to the store of network administrators and information security professionals.
Directory and File Access Control Tools
Abyss Web Server for Windows
By www.aprelium.com
The Abyss Web Server application is a small personal web server that supports HTTP/1.1, CGI scripts, partial downloads, caching negotiation, and index files.
GFI LANguard Portable Storage Control
By www.gfi.com
The GFI LANguard Portable Storage Control tool allows network administrators to have absolute control over which user can access removable drives, floppy disks and CD drives on the local machine.
Windows Security Officer
By www.bigfoot.com
The Windows Security Officer application enables the network administrator to protect and totally control access to all the systems present in the LAN.
Password Directories
Passphrase Keeper 2.60
By www.passphrasekeeper.com
Passphrase Keeper enables the user to safely save and manage all the account information such as user names, passwords, PINs, credit card numbers etc.
IISProtect
By www.iisprotect.com
IISProtect authenticates the user and safeguards passwords.
Password Guessing Tools
Webmaster Password Generator
By www.spychecker.com
The Webmaster Password Generator application is a powerful and easy to use tool, which is used to create a large list of random passwords.
Internet Explorer Password Recovery Master
By www.rixler.com
Internet Explorer Password Revealer is a password recovery tool programmed for viewing and cleaning the password and form data stored by Internet Explorer.
Password Recovery Toolbox
By www.rixler.com
Internet Password Recovery Toolbox can recover passwords that fall into any one of these categories: Internet Explorer passwords, Network and Dial-Up passwords, and Outlook Express passwords.
Link Checking Tools
Alert Link Runner
By www.alertbookmarks.com
Alert Link Runner is an application that checks the validity of hyperlinks on a Web page or site and across an entire enterprise network.
Link Utility
By www.net-promoter.com
Link Utility is an application which has many functions. These include checking links in the site and keeping the site fit.
LinxExplorer
By www.linxexplorer.com
LinxExplorer is a link verification tool that enables the user to find and validate websites and HTML pages which have broken links.
Web-Testing based Scripting Tools
Svoi.NET PHP Edit
By www.soft.svoi.net
Svoi.NET PHP Edit is a utility that enables the user to edit, test and debug PHP scripts and HTML/XML pages.
OptiPerl
By www.xarka.com
OptiPerl enables the user to create CGI and console scripts in Perl, offline in Windows.
Blueprint Software Web Scripting Editor
By www.blueprint-software.net
Buffer Overflow Protection Tools
StackGuard
By www.immunix.org
It is a compiler that protects the program against "stack smashing" attacks.
FormatGuard
By www.immunix.org
It is designed to provide a solution to the potentially large number of unknown format string bugs.
RaceGuard
By www.immunix.org
RaceGuard protects against "file system race conditions". In race conditions the attacker seeks to exploit the time gap between a privileged program checking for the existence of a file and the program actually writing to that file.
File encryption Tools
Maxcrypt
By kinocode.com/maxcrypt.htm
Maxcrypt is an automated computer encryption tool which allows the user not to worry about the security of the message being sent.
Secure IT
By www.cypherix.co.uk/secureit2000/
Secure IT is a compression and encryption application that offers 448-bit encryption and has a very high compression rate.
Steganos
By http://.steganos.com/?product=SSS7&language=en
The Steganos Internet Trace Destructor application deletes 150 work traces, caches and cookies.
Database Assessment Tools
EMS MySQL Manager
By http://ems-hitech.com/mymanager/
EMS MySQL Manager gives strong tools for MySQL Database Server administration and also for object management. EMS MySQL Manager has a Visual Database manager that can design a database within seconds.
SQL Server Compare
By http://sql-server-tool.com
The SQL Server Comparison Tool is a Windows application used for analyzing, comparing and effectively documenting SQL Server databases.
SQL Stripes
By http://www.sql-server-tool.com/
SQL Stripes is a program that helps network administrators to have complete control over the various SQL servers.
Keyboard Logging and Screen Recording Tools
Spector Professional 5.0
By www.spectorsoft.com
The Spector Keylogger has a feature named "Smart Rename" that helps one to rename the keylogger's executable files and registry entries by using just one.
Handy Keylogger
By www.topshareware.com
It is a stealth keylogger for home and commercial use. The keylogger captures international keyboards, major 2-byte encodings and character sets.
Snapshot Spy
By www.snapshotspy.com
It has a deterrent feature which activates a pop-up showing a warning that the system is under surveillance. It is stealthy in nature.
System Event Logging and Reviewing Tools
LT Auditor+ Version 8.0
By http://www.bluelance.com
It monitors the network and user activities round the clock.
ZVisual RACF
By www.consul.com
ZVisual RACF makes the job of help desk staff and network administrators easy, as they can perform their day-to-day tasks from a Windows workstation.
Network Intelligence Engine LS Series
It is an event log data warehouse system designed to address the information overload in distributed enterprise and service provider infrastructures.
It is deployed as a cluster and can manage large networks.
Tripwire and Checksum Tools
Tripwire for Servers
By www.tripwire.com
Tripwire detects and points out any changes made to system and configuration files.
SecurityExpressions
By www.pedestalsoftware.com
It is a centralized vulnerability management system.
MD5
MD5 is a cryptographic checksum program which takes a message of arbitrary length as input and generates as output a 128-bit fingerprint or message digest of the input.
MD5 is a command line utility that supports both UNIX and MS-DOS/Windows platforms.
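What a Tripwire-style checksum tool does, as an added example that is neither Tripwire's nor the MD5 utility's code: record a digest for every file under a directory, store that baseline, and later report files that were added, removed or modified. The slide names MD5; this example hashes with SHA-256 because MD5 collisions are practical, so two different files can share an MD5 digest. The sample directory and baseline store are constructed in temporary folders.

```python
"""File-integrity baseline and verification in the Tripwire style: an added
example, not Tripwire's code. It records a digest for every file under a
directory and later reports added, removed and modified files. The slides
name MD5; SHA-256 is used here because MD5 collisions are practical.
The sample directory in demo() is constructed in a temporary folder.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Tuple

BaselineT = Dict[str, str]   # relative path -> hex digest


def file_digest(path: str, algorithm: str = "sha256") -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> BaselineT:
    """Walk root and record a digest for every regular file (symlinks skipped)."""
    baseline: BaselineT = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full)
    return baseline


def compare(old: BaselineT, new: BaselineT) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    return added, removed, modified


def save_baseline(baseline: BaselineT, path: str) -> None:
    # In practice the baseline belongs on read-only or off-host storage;
    # otherwise whoever can alter the files can also alter the record.
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> BaselineT:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Constructed scenario: take a baseline, then edit one file, add one
    and delete one, and report what the verification run finds."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(etc, "motd"), "w") as fh:
            fh.write("welcome\n")
        record = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), record)

        # Later: one file edited, one added, one removed.
        with open(os.path.join(etc, "hosts"), "a") as fh:
            fh.write("10.0.0.5 intranet\n")
        with open(os.path.join(etc, "rc.local"), "w") as fh:
            fh.write("#!/bin/sh\n")
        os.remove(os.path.join(etc, "motd"))

        return compare(load_baseline(record), build_baseline(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:   ", added)
    print("removed: ", removed)
    print("modified:", modified)
```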
Mobile-Code Scanning Tools
Vital Security By www.finjan.com
This tool protects the users from damaging mobile code, which isreceived by way of emails and the Internet
E Trust Secure Content Manager 1.1
By www3.ca.com E Trust Secure Content Manager gives users an built-in policy-basedcontent security tool that allows the program to fend of attacks from business coercion to network integrity compromises.
Internet Explorer Zones
Internet Explorer divides sites into four default zones: the Local intranet zone, the Trusted sites zone, the Restricted sites zone and the Internet zone.
Administrators can configure the settings of each zone to manage the risk from mobile code.
Centralized Security Monitoring Tools
ASAP eSMART Software Usage
By www.asapsoftware.com
This tool helps identify all the software installed across the organization and also helps detect unused applications and eliminate them.
WatchGuard VPN Manager
By www.watchguard.com
System administrators of large organizations can monitor and manage these tools centrally using WatchGuard VPN Manager.
NetIQ's Work Smarter Solution
By www.netiq.com
Web Log Analysis Tools
Azure Web Log By www.azuredesktop.com
The tool generates reports on hourly hits, monthly hits, monthly site traffic, the operating systems and browsers used by visitors to view the website, and error requests.
AWStats
By awstats.sourceforge.net/
AWStats is a powerful tool with many features that gives a graphical representation of web, FTP or mail server statistics.
Summary By http://www.summary.net
It offers more than 200 types of reports, which help the user get exactly the information they want about the website.
Forensic Data and Collection Tools
Encase tool By http://www.guidancesoftware.com
It can monitor the network in real time without disrupting operations.
SafeBack
It is mostly used to back up files and critical data. It creates a bit-for-bit mirror image of the entire hard drive, much as a photographic negative is made.
ILook Investigator By http://www.ilook-forensics.org
It supports Linux platforms. It has password and passphrase dictionary generators.
Security Assessment Tools
Nessus Windows Technology
By www.nessus.org
Nessus Windows Technology (NeWT) is a stand-alone vulnerability scanner
NetIQ Security Manager
By www.netiq.com
NetIQ Security Manager is an incident management tool which monitors the network in real time, automatically responds to threats and provides safekeeping of important event information from a central console.
STAT Scanner
By www.stat.harris.com
STAT Scanner scans the network for vulnerabilities and updates the system administrator with information regarding updates and patches.
Multiple OS Management Tools
Multiple Boot Manager
By www.elmchan.org
Multiple Boot Manager (MBM) is a low-level system tool which lets the user choose, from a menu, which installed OS to boot.
Acronis OS Selector By www.acronis.com
Acronis OS Selector v5 is a boot and partition manager which allows the user to install more than 100 operating systems.
Eon By http://www.neoware.com
Eon 4000 is based on Linux and runs Windows, Unix, X Window, Internet, Java, and mainframe applications.
Phases of Penetration Testing
Pre-Attack Phase
- Passive Reconnaissance
- Active Reconnaissance
- Best Practices
Best Practices
It is vital to maintain a log of all the activities carried out and the results obtained, or to note the absence of results.
Ensure that all work is time stamped and communicated to the concerned person within the organization, if so agreed upon in the rules of engagement.
While planning an attack strategy, make sure that you can justify your strategic choices from the input or output obtained in the pre-attack phase.
Review your log and start developing or acquiring the tools you need based on that record. This helps reduce the attack surface that might otherwise be inadvertently passed over.
Results that can be Expected
This phase can include retrieving information such as:
- Physical and logical location of the organization
- Analog connections (dial-up lines)
- Any contact information
- Information about other organizations
- Any other information that has the potential to result in a possible exploitation
Passive Reconnaissance
Activities involve:
- Mapping the directory structure of the web servers and FTP servers.
- Gathering competitive intelligence.
- Asset classification: determining the worth of the infrastructure that interfaces with the web.
- Retrieving network registration information (domain and IP address registration records).
- Determining the product range and service offerings of the target company that are available online or can be requested online.
- Document sifting: gathering information solely from published material.
- Social engineering.
Active Reconnaissance
Some of the activities involved are:
- Network mapping
- Perimeter mapping
- System and service identification, through port scans
- Web profiling: this attempts to profile and map the Internet presence of the organization.
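The port-scan step of system and service identification, as an added example that is not part of the original slides: a TCP connect scan with banner grabbing in Python. To run offline it starts a throwaway listener on 127.0.0.1 and scans a few ports around it; the target host, port range and the `SSH-2.0-Example` banner are constructed for the demonstration. Against a real target this is run only within the agreed rules of engagement.

```python
"""Added example (not from the original slides): TCP connect scan with banner grab.

A throwaway listener on 127.0.0.1 stands in for the target; host, port range
and banner are constructed for the demonstration.
"""
import socket
import threading


def start_fake_service(banner=b"SSH-2.0-Example\r\n"):
    """Constructed target: a listener on an ephemeral port that sends a banner and closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def probe_port(host, port, timeout=0.5):
    """Full TCP handshake to one port; returns ('open'|'closed', banner bytes)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:  # ConnectionRefusedError, timeout, unreachable
            return "closed", b""
        try:
            banner = s.recv(128)  # many services announce themselves on connect
        except OSError:
            banner = b""
        return "open", banner


def scan(host, ports, timeout=0.5):
    """Probe each port in turn; return {port: banner} for the open ones only."""
    found = {}
    for port in ports:
        state, banner = probe_port(host, port, timeout)
        if state == "open":
            found[port] = banner.strip().decode(errors="replace")
    return found


def demo():
    """Scan the fake service and its neighbouring ports; only the listener should answer."""
    srv, port = start_fake_service()
    try:
        return port, scan("127.0.0.1", range(port - 2, port + 3))
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```

A connect scan completes the three-way handshake, so every probe shows up in the target service's logs; the quieter SYN (half-open) scan that tools such as nmap use needs raw sockets and root privileges.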
Attack Phase
- Penetrate Perimeter
- Acquire Target
- Escalate Privileges
- Execute, Implant, Retract
Activity: Web Application Testing - I
Testing methods for web application testing include but are not limited to:
- Input Validation: tests include OS command injection, script injection, SQL injection, LDAP injection and cross-site scripting.
- Output Sanitization: tests include parsing special characters and verifying error handling in the application.
- Checking for Buffer Overflows: tests include attacks against stack overflows, heap overflows and format string vulnerabilities.
- Access Control: check for access to administrative interfaces, send data to manipulate form fields, tamper with URL query strings, change values in client-side script and attack cookies.
- Denial of Service: test for DoS induced by malformed user input, user lockout, and application lockout due to traffic overload, transaction requests or excessive requests on the application.
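The SQL injection test from the Input Validation item, as an added example that is not part of the original slides: a login lookup built by string concatenation beside the parameterised version that fixes it, both run against an in-memory SQLite database. The schema, the two user rows and the payloads are constructed for the demonstration.

```python
"""Added example (not from the original slides): SQL injection, vulnerable vs hardened.

The users table, its rows and the payloads are constructed for this demo.
"""
import sqlite3


def make_db():
    """Constructed sample database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Returns the matched username or None. The inputs are pasted into the SQL
    text, so a quote in `username` rewrites the statement itself."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Same lookup with bound parameters: values travel separately from the SQL
    text and can never be parsed as part of it."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Payloads a tester sends for the Input Validation check.
COMMENT_PAYLOAD = "alice' --"        # closes the string and comments out the password clause
TAUTOLOGY_PAYLOAD = "' OR '1'='1"    # always-true condition in both fields


def run_checks():
    """Exercise both implementations with a legitimate login and the two payloads."""
    conn = make_db()
    results = {
        "vuln_valid": login_vulnerable(conn, "bob", "hunter2"),
        "vuln_comment": login_vulnerable(conn, COMMENT_PAYLOAD, "wrong"),
        "vuln_tautology": login_vulnerable(conn, TAUTOLOGY_PAYLOAD, TAUTOLOGY_PAYLOAD),
        "hard_valid": login_hardened(conn, "bob", "hunter2"),
        "hard_comment": login_hardened(conn, COMMENT_PAYLOAD, "wrong"),
        "hard_tautology": login_hardened(conn, TAUTOLOGY_PAYLOAD, TAUTOLOGY_PAYLOAD),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

The vulnerable function logs the tester in as `alice` (the admin) with either payload and no password; the hardened one returns no match for both while still accepting the genuine credentials. Escaping quotes by hand is not an adequate fix; binding parameters is.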
Activity: Web Application Testing - II
- Component checking: check the security controls on web server and application components that might expose the web application to vulnerabilities.
- Data and Error Checking: check for data-related security lapses, such as storage of sensitive data in the cache or transmission of sensitive data in HTML.
- Confidentiality Check: for applications using secure protocols and encryption, check for lapses in the key exchange mechanism, inadequate key length and weak algorithms.
- Session Management: check the time validity of session tokens, the length of tokens, expiration of session tokens when transiting from SSL to non-SSL resources, presence of session tokens in the browser history or cache, and randomness of session IDs (check for use of user data in generating the ID).
- Configuration Verification: attempt manipulation of resources using HTTP methods such as DELETE and PUT; check for version-control content and any restricted source code visible in public locations; attempt directory and file listing; test for known vulnerabilities and accessibility of administrative interfaces in the server and server components.
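The Session Management checks in code, as an added example that is not part of the original slides. Two token generators are constructed for the demonstration: a weak one that base64-encodes the username and a counter, and a sound one built on Python's `secrets`. `assess_tokens` applies three of the slide's checks to a sample of tokens: effective token length, predictability between consecutive tokens, and whether user data is embedded in the token. The `MIN_TOKEN_BITS` and `MAX_PREFIX_RATIO` thresholds are choices made for this example, not a published standard.

```python
"""Added example (not from the original slides): session token randomness checks.

The weak and strong generators, the sample tokens and the thresholds are
constructed for this demonstration.
"""
import base64
import binascii
import math
import secrets

MIN_TOKEN_BITS = 128      # threshold chosen for this example
MAX_PREFIX_RATIO = 0.25   # consecutive tokens sharing more than this fraction look sequential


def weak_session_id(username, counter):
    """Constructed weak generator: base64(username:counter). Short, sequential, leaks the user."""
    return base64.b64encode(f"{username}:{counter}".encode()).decode()


def strong_session_id():
    """32 bytes from the OS CSPRNG, hex encoded (64 chars, 256 bits)."""
    return secrets.token_hex(32)


def estimated_bits(tokens):
    """Generous upper bound on token size: shortest token length times log2 of the alphabet actually seen."""
    alphabet = set("".join(tokens))
    shortest = min(len(t) for t in tokens)
    return shortest * math.log2(len(alphabet))


def common_prefix_ratio(tokens):
    """Mean fraction of leading characters shared by consecutive tokens (near 0 for random IDs)."""
    ratios = []
    for a, b in zip(tokens, tokens[1:]):
        shared = 0
        for x, y in zip(a, b):
            if x != y:
                break
            shared += 1
        ratios.append(shared / max(len(a), len(b)))
    return sum(ratios) / len(ratios) if ratios else 0.0


def contains_user_data(token, username):
    """Look for the username in the raw token and, if it decodes, in its base64 plaintext."""
    if username in token:
        return True
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "ignore")
    except (binascii.Error, ValueError):
        return False
    return username in decoded


def assess_tokens(tokens, username):
    """Apply the Session Management checks; a True value is a finding."""
    return {
        "too_short": estimated_bits(tokens) < MIN_TOKEN_BITS,
        "predictable": common_prefix_ratio(tokens) > MAX_PREFIX_RATIO,
        "leaks_user_data": any(contains_user_data(t, username) for t in tokens),
    }


def demo():
    """Five tokens from each generator for user 'alice' (constructed sample)."""
    weak = [weak_session_id("alice", n) for n in range(100, 105)]
    strong = [strong_session_id() for _ in range(5)]
    return assess_tokens(weak, "alice"), assess_tokens(strong, "alice")


if __name__ == "__main__":
    print(demo())
```

In a real assessment the tokens come from repeated logins captured through an intercepting proxy; a few hundred samples make the prefix and alphabet statistics meaningful, and the length bound here is deliberately generous, so a token that fails it is certainly too short.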
Activity: Wireless Testing
Testing methods for wireless testing include but are not limited to:
- Check whether the access point's default Service Set Identifier (SSID) is easily available. Test for "broadcast SSID" and accessibility to the LAN through it. Tests can include recovering a non-broadcast SSID with a passive sniffer such as Kismet, which reveals it from client probe and association frames.
- Check for vulnerabilities in accessing the WLAN through the wireless router, access point or gateway. This can include verifying whether the Wired Equivalent Privacy (WEP) key can be captured and recovered; WEP is cryptographically broken, and its use is a finding in itself.
- Audit the broadcast beacons of every access point and check all protocols available on the access points. Check whether layer 2 switched networks are used instead of hubs for access point connectivity.
- Subject authentication to replay of previously captured authentication exchanges to check for privilege escalation and unauthorized access.
- Verify that access is granted only to client machines with registered MAC addresses, bearing in mind that MAC filtering alone is defeated by spoofing an observed client address.
Activity: Acquiring Target
We refer to acquiring a target as the set of activities in which the tester subjects the suspect machine to more intrusive challenges such as vulnerability scans and security assessment.
Testing methods for acquiring a target include but are not limited to:
- Active probing assaults: use the results of network scans to gather further information that can lead to a compromise.
- Running vulnerability scans: vulnerability scans are completed in this phase.
- Trusted systems and trusted process assessment: attempt to access the machine's resources using legitimate information obtained through social engineering or other means.
Activity: Escalating Privileges
Once the target has been acquired, the tester attempts to exploit the system and gain greater access to protected resources.
Activities include (but are not limited to):
- Taking advantage of poor security policies, emails or unsafe web code to gather information that can lead to escalation of privileges.
- Using techniques such as brute force to achieve privileged status; tools include getadmin, password crackers, etc.
- Using trojans and protocol analyzers.
- Using information gleaned through techniques such as social engineering to gain unauthorized access to privileged resources.
Activity: Execute, Implant & Retract
In this phase, the tester effectively compromises the acquired system by executing arbitrary code. The objective is to explore the extent to which security fails.
This involves executing exploits, either already available or specially crafted, that take advantage of the vulnerabilities identified in the target system.
Post Attack Phase & Activities
This phase is critical to any penetration test, as it is the responsibility of the tester to restore the systems to their pre-test state.
Post-attack phase activities include the following:
- Removing all files uploaded to the systems
- Cleaning all registry entries and removing any vulnerabilities created during the test
- Removing all tools and exploits from the tested systems
- Restoring the network to its pre-test state by removing shares and connections
- Analyzing all results and presenting them to the organization
Penetration Testing Deliverable Templates
A pentest report will carry details of the incidents that occurred during the testing process and the range of activities carried out by the testing team.
Broad areas covered include objectives, observations, activities undertaken and incidents reported.
The team may also recommend corrective actions, within the scope set by the rules of engagement.