Presentation is loading. Please wait.

Presentation is loading. Please wait.

 Strengths  Weakness  Security Interests  Something Fun 2.

Similar presentations


Presentation on theme: " Strengths  Weakness  Security Interests  Something Fun 2."— Presentation transcript:

1

2  Strengths  Weakness  Security Interests  Something Fun 2

3  Give students offensive knowledge to better defend computer networks  Hands-on security training to compliment theory, put theories into practice ◦ “Tell me and I'll forget; show me and I may remember; involve me and I'll understand.”  Knowledge sharing: the power of group learning 3

4  Group Exercise: What do you seen in the following pictures? 4

5  Increase experience with a multitude of security aspects  Network with other security-minded professionals  Play in a safe lab environment not offered at work or home  Earn CPEs to maintain certifications without high costs ◦ For CISSP  Preparing and presenting 2 hour presentation = 8 CPEs  Participating 1 hour = 1 CPE  Updating existing presentation (see ISC2 chart for specifics) 5

6  Have your questions answered, bring hard issues that require solutions  Improve public speaking and training skills 6

7 7 CEH Certified Ethical Hacker Study Guide CEH Certified Ethical Hacker Study Guide Kimberly Graves, 2010 Course Chapters: Chapter 1: Introduction to Ethical Hacking, Ethics, and Legality Chapter 2: Gathering Target Information: Reconnaissance, Footprinting, and Social Engineering Chapter 3: Gathering Network and Host Information: Scanning and Enumeration Chapter 4: System Hacking: Password Cracking, Escalating Privileges, and Hiding Files Chapter 5: Trojans, Backdoors, Viruses, and Worms Chapter 6: Gathering Data from Networks: Sniffers Chapter 7: Denial of Service and Session Hijacking Chapter 8: Web Hacking: Google, Web Servers, Web Application Vulnerabilities, and Web-Based Password Cracking Techniques Chapter 9: Attacking Applications: SQL Injection and Buffer Overflows Chapter 10: Wireless Network Hacking Wi-Fi and Ethernet Chapter 11: Physical Site Security Chapter 12: Hacking Linux Systems Chapter 14: Cryptography Chapter 15: Performing a Penetration Test Amazon.com

8  Class 1: Methodologies and Lab Setup  Class 2: Passive Information Gathering  Class 3: Active Information Gathering (Nessus)  Class 4: Wireless and Wired Network Enumeration  Class 5: Target System Penetration  Class 6: Privilege Escalation, Maintaining Access, and Malware  Class 7: Web Application Penetration  Class 8: Covering Tracks, IDS, Reporting, and Cleanup  Class 9: Metasploit  Class 10: Physical Security (Lock Picking etc.)  Class 11: Capture the Flag 8

9  Active Information Gathering  Ping  Port Scan  Operating System Fingerprinting  Intrusion Detection Systems  Exercises 9

10 DO NOT perform any activities from this course on any network/system or on a network connected device without proper permission! Make sure you have written permission and authorization to conduct these activities on any system. Conducting any activities related to penetration testing requires the consent of the owner of the target system and the internet service provider. Failure to obtain consent in the form of a legal contract can result in fines and imprisonment. 10

11 Information Systems Security Assessment Framework (ISSAF) 11

12  Critical Services  Key Employees  Partner Companies  Company Website, IP and addresses  Physical address and location  Domain names  Types of operating systems, databases, servers, protocols, and programming languages used (basic) 12

13  The process of searching for information that an attacker could potentially use to exploit the target network  Identify live systems  Map the network  Types of operating systems, databases, servers, protocols, and programming languages used (in-depth)  Identify system vulnerabilities 13

14  More information about the target can make the penetration test easier during the later phases ◦ “Know your enemies and know yourself, you will not be imperiled in a hundred battles.” –Sun Tzu, Art of War  “Generally, a hacker spends 90 percent of the time profiling and gathering information on a target and 10 percent of the time launching the attack.” -Kimberly Graves  “Good hackers will spend 90 – 95 percent of their time gathering information for an attack.” -Walker 14

15  Timing the Attack ◦ Example around patch releases Microsoft Patch Tuesday or Oracle CPU etc. ◦ Off hours such as holidays, vacations, or peak hours 15

16  Active ◦ Touch the device/network or talk to employees (vulnerability scan)  Passive ◦ Do not communicate/touch the target such as google searching for publicly available information. 16

17  Internet Control Message Protocol (ICMP) is the part of the TCP/IP protocol suite used to send error messages for network diagnostics  Ping is the most common type of ICMP message  Used to verify network connectivity  Sends an echo request to a system and waits for an echo response (only active systems respond)  Cannot show which services a system is running 17

18 Active system response Inactive system response Build Your Own Security Lab 18  Question: What does this image tell you? 1)System is down 2)Or Blocked

19 19

20  Command-line pinging only allows one system to be pinged at a time  Use a ping sweep to scan a large number of systems  SuperScan  Angry IP Scanner  Nmap  Nmap’s –sn option uses ping and TCP packets to find live hosts 20

21  Many administrators block ping from passing the gateway device  Ensure blocked activity is logged/notifications ◦ Configure rules, test, and monitor  Disable running services to prevent ping from identifying active systems  Shields Up is a scan that will show what ports and services are open on a local machine  Netstat  Currports 21 alert tcp any any -> /24 any (flags: A; ack: 0; msg: "TCP ping detected";)

22 22

23 23

24 24

25  Port Scanning ◦ Determine Open Ports and Services  Network Scanning ◦ Identify IP address on a network/subnet  Vulnerability Scanning ◦ Discover weaknesses on target systems 25

26  Do not scan without permission!  Can cause a DOS attack and go to Jail.  ISP might drop your scanning attempts and/or blacklist you 26

27  Kimberly Graves CEH Book 27

28  Determine when to scan ◦ Don’t risk discovery if you already know the host is easy to hack ◦ If a specific host is well guarded, opt for a less guarded host or implement a different strategy such as social engineering 28

29  Port scanning probes the 65,535 TCP and UDP ports to discover listening services on a target system  An attacker can determine the best means of attacking a system by knowing the open services and version numbers  Most scans only look at first 1024 ports since those ports are often hacked  FTP (20/21)  Telnet (23)  SMTP (25)  DNS (53)  TFTP (69)  HTTP (80)  SNMP (161/162) 29

30  Malicious software default ports ◦ port 1095 Remote Administration Tool – RAT ◦ port 7777 Tini ◦ port Trinoo ◦ port Back Orifice  Weak protocol ports  FTP (20/21)  Telnet (23)  Common Windows ports 30

31  Common Linux software based ports  Common Apple Used Ports:  Look for software that only runs on a specific O/S 31

32  Open – accepting incoming requests  Closed – accessible but no application listening on it  Filtered – firewall screening the port  Unfiltered – determined to be closed, no firewall  Open | Filtered – unsure if open or filtered  Closed | Filtered – unsure if closed or filtered 32

33  Applications use TCP/UDP ports to use the correct protocols for network communication  TCP uses a three-step handshake to open a data link and a four-step shutdown to close the link  A one-byte flag field controls communication (URG, ACK, PSH, RST, SYN, FIN)  Nmap manipulates the flags to identify active systems  UDP does not use handshaking, so it is faster but less reliable and easier to spoof. “Fire and Forget” 33

34 SYN Sequence # 110 (+1) SYN ACK (Your) Sequence # 111 (My) Sequence # 225 (+1) ACK (Your) Sequence # 226 (My) Sequence # 111 Data FIN Sequence # 310 (+1) ACK (Your) Sequence # 311 ACK (Your) Sequence # 416 FIN (My) Sequence # 415 (+1) Startup Process Shutdown Process 34

35 35

36  SYN –Initiates connection b/w hosts  ACK – Established connection b/w hosts  PSH –System is forwarding buffered data  URG –Data in packets processed quickly  FIN –No more transmissions  RST –Resets the connection 36

37  All scans will display RST for closed ports, except for an ACK scan which will return no response. 37

38  RPC scan: determine if open ports are RPC ports  Idle scan: use idle host to bounce packets and make the scan harder to trace IPID Probe IPID Response IPID = Victim AttackerIdle Host SYN SYN/ ACK RST IPID = IPID Probe IPID Response IPID = Open Port Idle Scan IPID Probe IPID Response IPID = Victim AttackerIdle Host SYN RST IPID Probe IPID Response IPID = Closed Port Idle Scan 38

39  GUI-based  Nmap, SuperScan  Command line-based  Nmap, hping2  Nmap is an open source network mapping and security auditing tool that modifies IP packets to gain information about active systems 39

40  Basic scan options:  -sS (TCP SYN)  -sT (TCP Full) TCP Full Connect Example 40

41  Nmap switches: 41 Scan Types Ping options Output Scan Speed

42  The free cross-platform Nmap GUI  Additional features:  Save scan results  Save scan options for repetitive scans  Sort scans by host, port, and service  Display scan results in a more user-friendly format  Display a visual interpretation of traceroute Nmap.org 42

43 hping2 --scan S localhost Scanning localhost ( ), port ports to scan, use -V to see all the replies |port| serv name | flags |ttl| id | win | sunrpc :.S..A All replies received. Done. Not responding ports: 43

44  Only keep necessary ports open  Periodically check for open ports and close unused ports  Employee policies, training, and rules of behavior  Filter traffic through a stateful inspection firewall  IDS  Change service banners so that they return incorrect information 44

45  Find high value targets and or weak targets  Actively modify and send IP packets to the target to elicit a response that can identify the host operating system  FIN probe, ACK value, Bogus Flag probe  More accurately determine the target OS  Nmap’s –O and xprobe2’s listening mode can actively identify operating systems  The target computer can more easily detect active OS fingerprinting scans 45

46  Stealthier by examining traffic on the network  Sniffing vs. Scanning  Less accurate 46

47  The -O option will try to match response packets to a database of known operating system fingerprints  Nmap’s -sV option can identify service banners on open ports  Limiters to speed up scans:  -osscan-limit  -max-os-tries 47

48  Block unneeded or suspicious traffic at the firewall  Use an Intrusion Detection System (IDS)  Set access control lists (ACL) on routers to block suspicious traffic 48

49 Intrusion detection systems (IDSs):  Inspect network/host activity  Identify suspicious traffic and anomalies  Snort, Suricata  Two categories of IDS:  Network-based intrusion detection systems  Host-based intrusion detection systems  IDSs are usually made of multiple software applications and/or hardware devices with the following systems  Network sensors  Central monitoring system  Report analysis  Database and storage components  Response box 49

50  Types of intrusion detection system engines or methods:  Signature-based  Anomaly-based If matched Signature-based If characteristic If uncharacteristic Anomaly-based 50

51 ToolPing Sweep Port Scan Passive OS Active OS GUICommand Line Host OS Nmap Win/Linux SuperScan Win Angry IP Scanner Win/Linux THC-Amap Linux TCPTraceroute Linux p0f Win/Linux xprobe2 Linux 51

52  Useful information to prepare for social engineering  Debt (payoff)  Disgruntled (layoffs from Mergers)  Vacations  Embarrassing information (blackmail)  How to get this information:  Run a credit report (illegal without permission)  Find out via facebook status etc.  Bugs/Cameras/Spies/Stakeout/Pick Pocket 52

53  Kevin Mitnick – Father of social engineering ◦ At age 12, socially engineered bus driver to circumvent the punch card system for LA buses ◦ Went on to hacking phones, systems etc. and was captured and put in solitary confinement due to fears that he could launch a nuclear missile by whistling into a phone 53

54  Wardriving – driving around a target with special equipment to record information about WAPs  Equipment: laptop with a wireless network interface controller, GPS device, antennae and network discovery tools (Kismet)  Warwalking – walking around or sitting near a target with a laptop and other equipment in a backpack  Warflying 54

55  Sniff Traffic on the WLAN for  Operating Systems  Ports/Services Information  Passwords  Misc Sensitive Information 55

56  Dial every number until find an unsecured modem  Still a problem ◦ Modem backup connection ◦ Old and never retired  Tools THC-Scan, PhoneSweep, and Telesweep  Prevention ◦ No Modem Policy ◦ Strong Passwords ◦ Test for Modems using tools ◦ Look for Modems (desk to desk checks) Kismet UI Main View 56

57  Proxies ◦ The proxy is seen as performing bad activities instead of you ◦ Free proxies are available to use such as ProxyChains ◦ Anonymizer  Caution: choose the right one, Anonymouse.org  Useful for blocked sites 57

58  Spoofing IP Address ◦ Nmap can spoof IP ◦ Caution: the data you want will go to the spoofed IP instead of you  The Onion Routing (TOR) ◦ Anyone can be a TOR endpoint +/- ◦ Client bounces internet request via random TOR clients  Tunneling  Hiding Files 58

59  You should now know specific information about the target system(s)  By knowing the active devices, open ports, running services, and device operating system, you can search for vulnerabilities to exploit and use the listening services to gain more information  Next class: Enumerating Target Systems  Questions? 59

60

61  Lab setup  Exercises ◦ Ping sweep ◦ Port scan ◦ Banner grabbing ◦ Passive OS identification ◦ Active OS identification ◦ Manual vulnerability identification ◦ Automated vulnerability identification (Nessus) 61

62 62  Host Operating System = Ubuntu (Linux)  Virtual Machine = Virtual Box  VM’s = Backtrack, Windows (Guest PC and XP-1), badstore  Each laptop has its own separate standalone lab environment  How to start the lab environment… 1) Open Virtual Box 2) Ensure that the Backtrack VM is powered on 3) Logon to Backtrack (root/toor) and type startx 4) Set the static IP address (.100) 5) Ensure that the badstore VM has the badstore CD mounted and then start the VM 6) Configure the badstore VM IP address via the following command: ifconfig eth0 up netmask

63  In the following Scenario, you will need to gather as much information about your target as possible that can be used in planning the attack.  Your target is example.com. The company has hired you to confirm that there security awareness programs and policies are working as intended. In other words, they want you to confirm that employees do not open unnecessary ports /services or use unapproved software which increases the attack surface of the company. 63

64 1. We are going to do a ping sweep of the local subnet. Open a command line terminal in BackTrack 2. Type nmap –sn /24 to perform a ping sweep over a range of IP addresses  List the IP addresses of running hosts 3. Type nmap -sn --send-ip to run the ping scan using ICMP ping.  List the IP addresses of running hosts, has the number changed? If so, why? 4. Open another command line terminal and type wireshark 5. Use the file menu to open a pcap file, File  Open  Desktop  Lab3  ping-blocked-pcap 6. Review the pcap and note that ping is blocked 64

65 7. Use the file menu to open additional pcap files, File  Open  Desktop  Lab3  ping-blocked-pcap File  Open  Desktop  Lab3  ping-allowed-timestamp-allowed- pcap File  Open  Desktop  Lab3  ping-blocked-timestamp-allowed- pcap 8. Review and compare the pcap files 65

66 1. We are going to do a ping sweep of the local subnet. Open the super scan folder on Guest PC, C:\lab-tools\superscan  Run superscan  SuperScan4.exe 2. Type the start IP ( ) and end IP ( ) and press the arrow button.  From the “Host and Services Discovery Tab” uncheck “UDP port scan” and “TCP port scan”  Then press the play button to perform a ping sweep over a range of IP addresses  List the IP addresses of running hosts 66

67 3. Now try the same IP range again but with the following settings  From the “Scan Options” Tab, uncheck “hide systems with no open ports” and rerun the scan  Note the number of systems now and the information provided  View the final scan via the “view html results” button 67

68 68  Note windows XP/Vista limitations

69 1. We are going to do a ping sweep of the local subnet. Open angryip from the Guest PC. Navigate to c:\lab- tools\angryip, run the.exe file 2. Type the IP range 3. From the file menu select tools  preferences, on the “scanning” tab check “scan dead hosts” 4. Press the start button to perform a ping sweep over a range of IP addresses  List the IP addresses of running hosts and note the duration of the scan and compare it to the nmap scan. 69

70 1. We are going to do a ping sweep of the local subnet. Open zenmap via the Backtrack command terminal: zenmap 2. Type the subnet to scan /24 and choose the ping scan profile and then press scan to perform a ping sweep over a range of IP addresses  List the IP addresses of running hosts  Press ctrl+p or from the menu  profile  new profile, review the options and note the hints for each option 70

71 1. We are going to do a ping sweep of the local subnet. Open nessus via the “Nessus Client” shortcut on the Guest PC desktop. (username = visitor, password= qwerty) 2. From the scan tab, launch the “host discovery” scan to perform a ping sweep over a range of IP addresses  List the IP addresses of running hosts  Review the scan results  Open My Documents and then open the pcap files to compare the pcap of nmap host discovery vs nessus host discovery pcap  Which pcap is larger and nosier? 71

72 1. Now that we know what hosts are running, we can port scan them. Open a command line terminal in BackTrack 2. Type nmap and hit Enter to view a list of options 3. Type nmap –sT your_target_IP_address to perform an Nmap full connect scan  List the open ports and services  Can you guess the OS from the services?  Use –vv to increase the verbosity of the scan output 4. Run the other Nmap scan options and note new information  -sS, -sA, -sF, -sV  Save scan results using –oN and –oX 72

73 1. Now that we know what hosts are running, we can port scan them. Open a command line terminal in BackTrack 2. Type wireshark and hit Enter 3. Use the file menu to open additional pcap files, File  Open  Desktop  Lab3  tcp-connection-example Note the three step handshake capture in the pcap. 73

74 1. Open Nessus, and from the “scan” tab luanch the port scan 2. Review the scan results and note the open ports 3. Review the scan policy and note the difference between the host discovery and port scan policies 74

75 1. Run CurrPorts C:\lab-tools\currports\cports.exe 2. CurrPorts will run immediately and will display all ports on your machine 3. Select a port and to to File  Properites. Review the process ID, port number, and other info. 4. You can close a suspicious connection via File  Close Selected TCP Connections. 5. Ensure that XP-1 host is up. From Guest PC, open a command terminal and type: telnet Refresh CurrPorts, and note the suspicious telnet connection. Follow step 4 above to close the connection. 75

76 1. From the Guest PC command prompt type netstat /? And review the help file 2. Type netstat –a –p tcp 10  List the open ports and services and compare to the nmap/nessus results  (optional) Ensure that XP-1 host is up. From Guest PC, open a command terminal and type: telnet  (optional) Review the netstat command and note the telnet connection 76

77 1. We will now try to gain some information from the services listening on the open ports. Open a command line terminal in BackTrack 2. You will now use the vi text editor to write a simple text file containing some HTTP commands 1.Type vi head.txt to open a new text file called “head.txt” and hit i to insert text 2.Type the following: GET HEAD / 1.0 CR 3.Hit Esc to stop inserting text, then hit Shift+z+z to save the file and quit the editor 3. You will now use netcat to try to gain some information from the open port 80 on the target. Type nc –vv < head.txt 4. What software and OS is the server running? 77

78 1. We will now try to gain some information from the services listening on the open ports. Open a command line terminal in BackTrack 2. Type : 1.telnet GET HEAD / What software and OS is the server running? 78

79 1. We are going to find out what operating system is running on one of Google’s servers. Open a command line terminal in BackTrack and set the DHCP IP address by typing dhclient eth3 2. Then Type: p0f –A 3. Open a web browser and go to freebsd.org  Take note of the output in the terminal window 4. Hit Ctrl+C to stop running p0f 5. Open Ettercap by typing ettercap –G and start unified sniffing on eth3 6. Navigate to View  Profiles 7. Navigate to Start  Start Sniffing 8. Go to freebsd.org again 9. Take note of the output in the Ettercap window 10. Compare to 79

80 1. We are going to perform active OS fingerprinting with Nmap and xprobe2 2. Open a command line terminal in BackTrack and type nmap –O your_target_IP_address (that is a capital O) to perform an operating system fingerprint  What is the general OS of the Windows machine? 1. Now use xprobe2 to perform host discovery. 2. From backtrack menu, application  Backtrack  Information Gathering  Network Analysis  OS Fingerprinting  xprobe2 3. Type./ xprobe2 your_target_IP_address  What is the best guess OS of the target? 80

81 1. We are going to perform active OS fingerprinting with Nessus. 2. From the scan tab, launch the “OS Discovery Scan”  Review the results and note which plugin is used for OS discovery  Compare the OS results to the NMAP results  Review the scan policy to see how OS discovery is enabled 81

82 1. From a command line in Backtrack type: wireshark 2. Sniff traffic on eth3 3. Open a command line terminal in BackTrack and type nmap -S e eth  Note that the responses do not go to your machine  Note that a spoofed IP can be used to frame a competing company and not just to hide your identify  Note the source address and target address in the pcap Type wireshark and hit Enter Use the file menu to open additional pcap files, File  Open  Desktop  Lab3  spoofed-ip-example 82

83 1. From the ubuntu machine use the web browser and navigate to  Choose English  Click on Your Calling Card without Anonymouse and Your Calling Card with Anonymouse to compare the results.Your Calling Card without AnonymouseYour Calling Card with Anonymouse 2. Enter a website to search anonymously and press the “surf anonymously” button 83

84  Review vulnerabilities at US Cert: cert.gov/cas/bulletins/ (released every Monday, always one week behind)http://www.us- cert.gov/cas/bulletins/  Pick a vulnerability based on OS/Service in the environment to review and note the following items: ◦ The CVE reference number ◦ Impact Scores (the higher the score the greater the impact) ◦ Vulnerable Versions 84

85  Use Hackerstorm to review vulnerabilities ◦ Go to to start the OSVDB hackerstorm toolhttp://www.hackerstorm.com/start.html ◦ Click the OSVDB search button at the bottom of the home screen. Scroll through the vendors and choose Putty, and then click the view button. ◦ From the next screen choose view all. Review the vulnerabilities listed and click one to view details. From the tool you can see the description, solution, references, etc. ◦ Note that this tool make it easy to search for vulnerabilities both old and new by vendor etc. 85

86  From the Nessus scan tab, launch the “Internal Network Scan” ◦ Review the scan results and look for vulnerabilities that are exploitable ◦ Review the and investigate patches that can be applied to fix an exploitable vulnerability ◦ Review the vulnerability via US CERT 86

87    Guide/dp/ /ref=sr_1_1?s=books&ie=UTF8&qid= &sr=1-1 Guide/dp/ /ref=sr_1_1?s=books&ie=UTF8&qid= &sr=1-1  Lab/dp/ /ref=sr_1_1?s=books&ie=UTF8&qid= &sr=1-1 Lab/dp/ /ref=sr_1_1?s=books&ie=UTF8&qid= &sr=1-1   Oceans 11 clip: Oceans 11 clip:  photos-go-online-in-new-archive html?action=gallery&ino=6 photos-go-online-in-new-archive html?action=gallery&ino=6   people.yahoo.com people.yahoo.com      87

88    National Vulnerability Database (nvd.nist.gov)  Exploit-Database (exploit-db.com)  Securitytracker (www.securitytracker.com)www.securitytracker.com  Securiteam (www.securiteam.com)www.securiteam.com  Hackerstorm Vulnerability Research (www.hackerstorm.com)www.hackerstorm.com  Hackerwatch (www.hackerwatch.org)www.hackerwatch.org  SecurityFocus (www.securityfocus.com)www.securityfocus.com  Security Magazine (www.securitymagazine.com)www.securitymagazine.com  SC Magazine (www.scmagazine.com)www.scmagazine.com   surveillance/ surveillance/   88

89  surveillance/ surveillance/    Sarah Palin             89

90            engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Too lkit_(SET) engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Too lkit_(SET)      90

91  PDF mapping tools to the different phases of Pen testing.  Review the list of tools and pick tools that you know and can demonstrate or that you would like to learn more about. 91 CEH Certified Ethical Hacker All-in-One Exam Guide Amazon.com

92  Social Engineering Toolkit  Maltego 92

93 93 TBD


Download ppt " Strengths  Weakness  Security Interests  Something Fun 2."

Similar presentations


Ads by Google