penetration testing training day
DESCRIPTION
Supported by. Penetration Testing Training Day. Penetration Testing Tools and Techniques – pt 1 Mike Westmacott, IRM plc. Hacking Systems. Financial gain Commercial secrets Credit card information Political motivations To discredit individuals Cause personal harm Lulz…. 2. - PowerPoint PPT PresentationTRANSCRIPT
Penetration Testing Training Day
Penetration Testing Tools and Techniques – pt 1
Mike Westmacott, IRM plc
Supported by
Presentation to insert name here 2
Hacking Systems
• Financial gain• Commercial secrets• Credit card information• Political motivations• To discredit individuals• Cause personal harm• Lulz….
Presentation to insert name here 3
Hacking Systems
•Weapons–Stuxnet– Flame
•0 day vulnerabilities•Expensive cryptographic attacks•Weaponised modules
Presentation to insert name here 4
Methodology
•Network/Host Mapping•Service Identification•Vulnerability Identification•Vulnerability exploitation•Privilege Escalation•Maintaining Access•Clearing Logs•Recording actions!
Presentation to insert name here 5
Host Mapping - Port Scanning
Presentation to insert name here 6
Port Scanning Demo
Basic syn scan – of a default Windows XP build
nmap –sSU –A –oA winxp 192.168.0.99
-sSU Use TCP SYN scan and UDP scan-A Perform all tests-oA winxpOutput multiple files
Presentation to insert name here 7
Vulnerability Scanners - Nessus
Venerable Nessus!Bad Nessus!Still a damn good toolFree
Presentation to insert name here 8
Exploitation!
Excitement! Risk! …. Danger!Who owns this box?Do you have permission (shouldn’t have been scanning it)Will they be really upset if you break it?
Service Exploitation
•Services available on Internet
•Or internally
•Research service
•Poke it
•Can you log onto in? Love default passwords :)
•What will it give you?
– VOIP phone with default password and access to memory
Example Services
•SMB – Server Message Block
– Protocol for application communication
– Authentication mechanisms
– Windows
– Win2K – 'null' user allows access to entire username directory
Example Services
•Veritas Netbackup
– TCP port 10000, NDMP
– File backup and backup agent management
– Vulnerability allows download of any file from Windows system
– Another overflows buffers and allows code execution
Buffer Overflows
Shell Code
Reverse Shell
Shell code executes TCP connection backStarts local shell processRedirects input and output streams over TCPAttacker gains command prompt
Under the account of the vulnerable process Meterpreter ShellPowerful toolLaunch further attacksPivot to other systems
Privilege Escalation
•Determine current priviledge level
•Add user?
•Exploit further?
•Professional hackers only need go so far…
Reporting
•Reporting carried out whilst testing
• Both technical details and executive summary
Vulnerability Ratings
• Impact
– What is the possible damage that could be done?
• Exploitability
– How easy is it to attack and realise the impact?
– How much knowledge is required?
– Are there public exploits?
•Risk Rating
– Combination of Impact and Exploitability
– High impact but low exploitability = low(er) risk
– Many algorithms
Metasploit Express