Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mapping The Penetration Tester’s Mind 0 to Root in 60 Min #MappingThePenTestersMind 1.

Published byLee Singleton Modified over 8 years ago

Similar presentations

Presentation on theme: "Mapping The Penetration Tester’s Mind 0 to Root in 60 Min #MappingThePenTestersMind 1."— Presentation transcript:

1 Mapping The Penetration Tester’s Mind 0 to Root in 60 Min #MappingThePenTestersMind 1

2 1 2 3 4 5 6 Methodology Introduction Technical Walkthrough of Testing Tools Further Learning Questions 2

3 Who is this guy in front of me?? 3 GOOD Question Background: Penetration Tester for 12 years Network Engineer for 13 years In IT for 15 years Regulatory Technology Tester 5 years Specializes in mobile technologies and communications Social Engineering Physical Security

4 4 Who is this guy in front of me?? Talks: NotACon Secure360 SecurityBSides Chicago Rochester Dallas-Fort Worth Los Angeles Las Vegas DeepSec SecTor ISSA / ISSACA Meetings Hacker Space Invitationals

5 5 Who is this guy in front of me?? Publications: “Mapping The Penetration Tester’s Mind: An Auditors Introduction to PenTesting” (Book) – Late 2012 “Mapping The Penetration Tester’s Mind: An Auditors Introduction To PenTesting” (Presentation) – 2012 “Mapping The Penetration Tester’s Mind: 0 to Root in 60 Min” - 2012 “Weaponizing The Smartphone – Protecting Against The Perfect WMD” – 2011 “Weaponizing The Smartphone – Deploying The Perfect WMD” – 2011 “Don’t Bit The ARM That Feeds You – Integrating Mobile Technologies Securely Into Mature Security Programs” – 2011 “Bond Tech – I Want More Than Movie Props” - 2011

6 What is a penetration test? –A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization's systems) and malicious insiders (who have some level of authorized access). The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. wikipedia INTRODUCTION 6

7 Penetration tests are valuable for several reasons: –Determining the feasibility of a particular set of attack vectors –Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence –Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software –Assessing the magnitude of potential business and operational impacts of successful attacks –Testing the ability of network defenders to successfully detect and respond to the attacks –Providing evidence to support increased investments in security personnel and technology Wikipedia INTRODUCTION 7

8 Testing Types –White Box Testing In penetration testing, white-box testing refers to a methodology where an ethical hacker has full knowledge of the system being attacked. The goal of a white-box penetration test is to simulate a malicious insider who has some knowledge and possibly basic credentials to the target system. –Black Box Testing In penetration testing, black-box testing refers to a methodology where an ethical hacker has no knowledge of the system being attacked. The goal of a black-box penetration test is to simulate an external hacking or cyber warfare attack. wikipedia INTRODUCTION 8

9 1 2 3 4 5 6 Methodology Introduction Mapping The PenTester’s Mind Tools Further Learning Questions 99

10 METHODOLOGY 10

11 Reconnaissance –Using non-intrusive methods to enumerate information about the network under test. DNS, Whois and Web searching are used. –Objective: To enumerate the target organization's “Internet Footprint”, which represents the sum of all active IP addresses and listening services and to identity potential vulnerabilities METHODOLOGY 11

12 Network Surveying & Vulnerability Scanning –This is the process of refining the target list produced during the passive reconnaissance phase by using more intrusive methods such as port scanning, service and OS fingerprinting, and vulnerability scanning. Nmap, Nexpose and other scanning tools are used. –Objective: To obtain visibility in the network; Determining which devices are targets and enumerating possible threats to the network. METHODOLOGY 12

13 Vulnerability Research & Verification –In this phase, a vulnerability scanner is run against the devices gathered in previous phases. –Objective: To take knowledge gathered in previous phases, check for known vulnerabilities and configuration error. –Objective: To obtain access to services and devices that are not available through configuration error and vulnerability exploitation. METHODOLOGY 13

14 Password Attacks –Services with authenticated logins are tested against a username and password list created in previous phases. –Objective: To verify password policies, best practices, and complexity requirements are in use and properly enforced. METHODOLOGY 14

15 Reporting and Analysis –In this phase, an analysis of the results found during the automated and manual aspects of the assessment. –Objective: To build a deliverable containing the greatest risks to the organization being testing. METHODOLOGY 15

16 1 2 3 4 5 6 Methodology Introduction Mapping The PenTester’s Mind Tools Further Learning Questions 16

17 TOOLS 17

18 1 2 3 4 5 6 Methodology Introduction Mapping The PenTester’s Mind Tools Further Learning Questions 18

19 Who should do the test? Mapping The PenTester’s Mind 19

20 20 Mapping The PenTester’s Mind Interview the vendor AND the Tester Experience Levels of the Tester –Free range –Enterprise class Know the data retention policy Create a relationship with your tester –they are your guide not only an employee or consultant

21 SOWs & SCOPE Mapping The PenTester’s Mind 21

22 The single most important thing to have when performing a penetration test is permission The second is a clear scope for your testing Then… –Identify any testing restrictions such as black outs or DoS attacks –Discuss real-time disclosures of immediate risks –Establish an emergency escalation process in the event the testing goes awry Before you begin… 22

23 Don’t assume that everyone is aware of your testing. Many times the proper staff is not notified of on- going testing until it is too late Be careful when impersonating real third party companies Verify IP typos during testing Get permission if you are going to poke a vulnerable box that is out of scope Watch out! 23

24 DISCOVER TARGETS Mapping The PenTester’s Mind 24

25 NMAP 25

26 Metasploit Scanning 26

27 Metasploit Scanning 27

28 VULNERABILITY ASSESSMENT Mapping The PenTester’s Mind 28

29 Nexpose Scanning 29

30 Nexpose Scanning 30

31 MAN IN THE MIDDLE Mapping The PenTester’s Mind 31

32 32 EXECUTE ARP POISON

33 EXPLOITATION 33 Mapping The PenTester’s Mind

34 Low Hanging Fruit Think outside the box Exploitation does not always require there to be a technical vulnerability Leverage the Human Factor Administrators want things to be easy to support 34 Mapping The PenTester’s Mind

35 MS08-067 35

36 MS08-067 36

37 37 Mapping The PenTester’s Mind

38 38 Mapping The PenTester’s Mind

39 CREDENTIAL AND HASH COLLECTION 39 Mapping The PenTester’s Mind

40 40 COLLECTING CREDENTIALS – HTTP/HTTPS

41 41 COLLECTING CREDENTIALS - SMB

42 42 Mapping The PenTester’s Mind

43 43 Mapping The PenTester’s Mind

44 44 Mapping The PenTester’s Mind

45 PASS-THE-HASH (NOT THAT KIND) 45 Mapping The PenTester’s Mind

46 46 Mapping The PenTester’s Mind

47 47 Mapping The PenTester’s Mind

48 48 Mapping The PenTester’s Mind

49 49 Mapping The PenTester’s Mind

50 50 PSEXEC WITH A LOCAL ACCOUNT HASH

51 51 PSEXEC WITH A LOCAL ACCOUNT HASH

52 52 CREATE LOCAL ADMINISTRATOR ACCOUNT

53 53 REMOTE DESKTOP VIA RAPID7 LOCAL ADMIN

54 LOCAL ADMIN… MEH, THAT’S NOT MY DOMAIN 54 Mapping The PenTester’s Mind

55 INCOGNITO 55 Mapping The PenTester’s Mind

56 56 Mapping The PenTester’s Mind

57 57 Mapping The PenTester’s Mind

58 58 Mapping The PenTester’s Mind

59 59 Mapping The PenTester’s Mind

60 60 Mapping The PenTester’s Mind

61 61 Mapping The PenTester’s Mind

62 62 Mapping The PenTester’s Mind

63 63 Mapping The PenTester’s Mind

64 64 Mapping The PenTester’s Mind

65 65 Mapping The PenTester’s Mind

66 66 Mapping The PenTester’s Mind

67 67 Mapping The PenTester’s Mind

68 PSEXEC 68 Mapping The PenTester’s Mind

69 69 PSEXEC WITH DOMAIN ADMIN ACCOUNT

70 70 SESSIONS CREATED WITH CREATED DOMAIN ADMIN

71 71 COMPLETE DOMAIN CONTROL

72 MY HARDWARE IS SAFE RIGHT?? 72 Mapping The PenTester’s Mind

73 73 NETWORK HARDWARE ACCESS – SSH SESSIONS

74 I trust ALL of my contractors… 74 LOCAL ACCESS

75 75 BOOT FROM USB

76 76 BOOT TO UNAUTHORIZED OS

77 77 MOUNT AND ACCESS LOCAL HARDDRIVE

78 78 REPLACE Sethc.exe

79 79 SYSTEM LEVEL CMD PROMPT ON LOGIN SCREEN

80 1 2 3 4 5 6 Methodology Introduction Tools Mapping The PenTester’s Mind Further Learning Questions

81 81 Further Learning www.offensive- security.com/metasploit-unleashed community.Rapid7.com SecurityBSides.com < WOOT WOOT!! Metasploit: The Penetration Tester's Guide by David Kennedy, Jim O'Gorman, Devon Kearns, Mati Aharoni Local DC (DefCon) Groups & Meetings Local Hackerspaces

82 82 Mapping The PenTester’s Mind Taking a step by step approach makes the expansiveness of a network becomes very narrow and a single vulnerability can lead to a larger problem.

83 1 2 3 4 5 6 Methodology Introduction Tools Mapping The PenTester’s Mind Further Learning Questions 83

84 84 Questions? Kizz MyAnthia – Nick D. Senior Penetration Tester E-mail: KizzMyAnthia@GMail.comKizzMyAnthia@GMail.com Website: www.KizzMyAnthia.comwww.KizzMyAnthia.com Twitter: @Kizz_My_Anthia www.metasploit.com www.rapid7.com www.SecurityBSides.com

Download ppt "Mapping The Penetration Tester’s Mind 0 to Root in 60 Min #MappingThePenTestersMind 1."

Similar presentations

ETHICAL HACKING A LICENCE TO HACK

ETHICAL HACKING A LICENCE TO HACK
Educating System Testers in Vulnerability Analysis: Laboratory Development and Deployment Leonardo A. Martucci, Hans Hedbom, Stefan Lindskog, and Simone.

Educating System Testers in Vulnerability Analysis: Laboratory Development and Deployment Leonardo A. Martucci, Hans Hedbom, Stefan Lindskog, and Simone.
PENETRATION TESTING Presenters:Chakrit Sanbuapoh Sr. Information Security MFEC.

PENETRATION TESTING Presenters:Chakrit Sanbuapoh Sr. Information Security MFEC.
© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.

© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.
Penetration Testing & Countermeasures Paul Fong & Cai Yu CS691 5 May 2003.

Penetration Testing & Countermeasures Paul Fong & Cai Yu CS691 5 May 2003.
1 No Silver Bullet : Inherent Limitations of Computer Security Technologies Jeffrey W. Humphries Texas A&M University.

1 No Silver Bullet : Inherent Limitations of Computer Security Technologies Jeffrey W. Humphries Texas A&M University.
I NDULGENC E There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.

I NDULGENC E There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Penetration Testing Anand Sudula, CISA,CISSP SSA Global Technologies, India Anand Sudula, CISA,CISSP SSA Global Technologies, India.

Penetration Testing Anand Sudula, CISA,CISSP SSA Global Technologies, India Anand Sudula, CISA,CISSP SSA Global Technologies, India.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
APPLICATION SECURITY… WHAT’S THAT? AN INTRODUCTION TO APPLICATION SECURITY LEVEL 101.

APPLICATION SECURITY… WHAT’S THAT? AN INTRODUCTION TO APPLICATION SECURITY LEVEL 101.
CSCI 530L Vulnerability Assessment. Process of identifying vulnerabilities that exist in a computer system Has many similarities to risk assessment Four.

CSCI 530L Vulnerability Assessment. Process of identifying vulnerabilities that exist in a computer system Has many similarities to risk assessment Four.
1 Colorado University Guest Lecture: Vulnerability Assessment Chris Triolo Spring 2007.

1 Colorado University Guest Lecture: Vulnerability Assessment Chris Triolo Spring 2007.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.
Comp 8130 Presentation Security Testing Group Members: U4266680 Hui Chen U4242754 Ming Chen U4266538 Xiaobin Wang.

Comp 8130 Presentation Security Testing Group Members: U Hui Chen U Ming Chen U Xiaobin Wang.
Penetration Testing Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802

Penetration Testing Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802
VULNERABILITY MANAGEMENT Moving Away from the Compliance Checkbox Towards Continuous Discovery.

VULNERABILITY MANAGEMENT Moving Away from the Compliance Checkbox Towards Continuous Discovery.
The Business of Penetration Testing

The Business of Penetration Testing

Similar presentations

Ads by Google