Mapping The Penetration Tester’s Mind 0 to Root in 60 Min #MappingThePenTestersMind 1
Methodology Introduction Technical Walkthrough of Testing Tools Further Learning Questions 2
Who is this guy in front of me?? 3 GOOD Question Background: Penetration Tester for 12 years Network Engineer for 13 years In IT for 15 years Regulatory Technology Tester 5 years Specializes in mobile technologies and communications Social Engineering Physical Security
4 Who is this guy in front of me?? Talks: NotACon Secure360 SecurityBSides Chicago Rochester Dallas-Fort Worth Los Angeles Las Vegas DeepSec SecTor ISSA / ISSACA Meetings Hacker Space Invitationals
5 Who is this guy in front of me?? Publications: “Mapping The Penetration Tester’s Mind: An Auditors Introduction to PenTesting” (Book) – Late 2012 “Mapping The Penetration Tester’s Mind: An Auditors Introduction To PenTesting” (Presentation) – 2012 “Mapping The Penetration Tester’s Mind: 0 to Root in 60 Min” “Weaponizing The Smartphone – Protecting Against The Perfect WMD” – 2011 “Weaponizing The Smartphone – Deploying The Perfect WMD” – 2011 “Don’t Bit The ARM That Feeds You – Integrating Mobile Technologies Securely Into Mature Security Programs” – 2011 “Bond Tech – I Want More Than Movie Props”
What is a penetration test? –A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization's systems) and malicious insiders (who have some level of authorized access). The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. wikipedia INTRODUCTION 6
Penetration tests are valuable for several reasons: –Determining the feasibility of a particular set of attack vectors –Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence –Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software –Assessing the magnitude of potential business and operational impacts of successful attacks –Testing the ability of network defenders to successfully detect and respond to the attacks –Providing evidence to support increased investments in security personnel and technology Wikipedia INTRODUCTION 7
Testing Types –White Box Testing In penetration testing, white-box testing refers to a methodology where an ethical hacker has full knowledge of the system being attacked. The goal of a white-box penetration test is to simulate a malicious insider who has some knowledge and possibly basic credentials to the target system. –Black Box Testing In penetration testing, black-box testing refers to a methodology where an ethical hacker has no knowledge of the system being attacked. The goal of a black-box penetration test is to simulate an external hacking or cyber warfare attack. wikipedia INTRODUCTION 8
Methodology Introduction Mapping The PenTester’s Mind Tools Further Learning Questions 99
METHODOLOGY 10
Reconnaissance –Using non-intrusive methods to enumerate information about the network under test. DNS, Whois and Web searching are used. –Objective: To enumerate the target organization's “Internet Footprint”, which represents the sum of all active IP addresses and listening services and to identity potential vulnerabilities METHODOLOGY 11
Network Surveying & Vulnerability Scanning –This is the process of refining the target list produced during the passive reconnaissance phase by using more intrusive methods such as port scanning, service and OS fingerprinting, and vulnerability scanning. Nmap, Nexpose and other scanning tools are used. –Objective: To obtain visibility in the network; Determining which devices are targets and enumerating possible threats to the network. METHODOLOGY 12
Vulnerability Research & Verification –In this phase, a vulnerability scanner is run against the devices gathered in previous phases. –Objective: To take knowledge gathered in previous phases, check for known vulnerabilities and configuration error. –Objective: To obtain access to services and devices that are not available through configuration error and vulnerability exploitation. METHODOLOGY 13
Password Attacks –Services with authenticated logins are tested against a username and password list created in previous phases. –Objective: To verify password policies, best practices, and complexity requirements are in use and properly enforced. METHODOLOGY 14
Reporting and Analysis –In this phase, an analysis of the results found during the automated and manual aspects of the assessment. –Objective: To build a deliverable containing the greatest risks to the organization being testing. METHODOLOGY 15
Methodology Introduction Mapping The PenTester’s Mind Tools Further Learning Questions 16
TOOLS 17
Methodology Introduction Mapping The PenTester’s Mind Tools Further Learning Questions 18
Who should do the test? Mapping The PenTester’s Mind 19
20 Mapping The PenTester’s Mind Interview the vendor AND the Tester Experience Levels of the Tester –Free range –Enterprise class Know the data retention policy Create a relationship with your tester –they are your guide not only an employee or consultant
SOWs & SCOPE Mapping The PenTester’s Mind 21
The single most important thing to have when performing a penetration test is permission The second is a clear scope for your testing Then… –Identify any testing restrictions such as black outs or DoS attacks –Discuss real-time disclosures of immediate risks –Establish an emergency escalation process in the event the testing goes awry Before you begin… 22
Don’t assume that everyone is aware of your testing. Many times the proper staff is not notified of on- going testing until it is too late Be careful when impersonating real third party companies Verify IP typos during testing Get permission if you are going to poke a vulnerable box that is out of scope Watch out! 23
DISCOVER TARGETS Mapping The PenTester’s Mind 24
NMAP 25
Metasploit Scanning 26
Metasploit Scanning 27
VULNERABILITY ASSESSMENT Mapping The PenTester’s Mind 28
Nexpose Scanning 29
Nexpose Scanning 30
MAN IN THE MIDDLE Mapping The PenTester’s Mind 31
32 EXECUTE ARP POISON
EXPLOITATION 33 Mapping The PenTester’s Mind
Low Hanging Fruit Think outside the box Exploitation does not always require there to be a technical vulnerability Leverage the Human Factor Administrators want things to be easy to support 34 Mapping The PenTester’s Mind
MS
MS
37 Mapping The PenTester’s Mind
38 Mapping The PenTester’s Mind
CREDENTIAL AND HASH COLLECTION 39 Mapping The PenTester’s Mind
40 COLLECTING CREDENTIALS – HTTP/HTTPS
41 COLLECTING CREDENTIALS - SMB
42 Mapping The PenTester’s Mind
43 Mapping The PenTester’s Mind
44 Mapping The PenTester’s Mind
PASS-THE-HASH (NOT THAT KIND) 45 Mapping The PenTester’s Mind
46 Mapping The PenTester’s Mind
47 Mapping The PenTester’s Mind
48 Mapping The PenTester’s Mind
49 Mapping The PenTester’s Mind
50 PSEXEC WITH A LOCAL ACCOUNT HASH
51 PSEXEC WITH A LOCAL ACCOUNT HASH
52 CREATE LOCAL ADMINISTRATOR ACCOUNT
53 REMOTE DESKTOP VIA RAPID7 LOCAL ADMIN
LOCAL ADMIN… MEH, THAT’S NOT MY DOMAIN 54 Mapping The PenTester’s Mind
INCOGNITO 55 Mapping The PenTester’s Mind
56 Mapping The PenTester’s Mind
57 Mapping The PenTester’s Mind
58 Mapping The PenTester’s Mind
59 Mapping The PenTester’s Mind
60 Mapping The PenTester’s Mind
61 Mapping The PenTester’s Mind
62 Mapping The PenTester’s Mind
63 Mapping The PenTester’s Mind
64 Mapping The PenTester’s Mind
65 Mapping The PenTester’s Mind
66 Mapping The PenTester’s Mind
67 Mapping The PenTester’s Mind
PSEXEC 68 Mapping The PenTester’s Mind
69 PSEXEC WITH DOMAIN ADMIN ACCOUNT
70 SESSIONS CREATED WITH CREATED DOMAIN ADMIN
71 COMPLETE DOMAIN CONTROL
MY HARDWARE IS SAFE RIGHT?? 72 Mapping The PenTester’s Mind
73 NETWORK HARDWARE ACCESS – SSH SESSIONS
I trust ALL of my contractors… 74 LOCAL ACCESS
75 BOOT FROM USB
76 BOOT TO UNAUTHORIZED OS
77 MOUNT AND ACCESS LOCAL HARDDRIVE
78 REPLACE Sethc.exe
79 SYSTEM LEVEL CMD PROMPT ON LOGIN SCREEN
Methodology Introduction Tools Mapping The PenTester’s Mind Further Learning Questions
81 Further Learning security.com/metasploit-unleashed community.Rapid7.com SecurityBSides.com < WOOT WOOT!! Metasploit: The Penetration Tester's Guide by David Kennedy, Jim O'Gorman, Devon Kearns, Mati Aharoni Local DC (DefCon) Groups & Meetings Local Hackerspaces
82 Mapping The PenTester’s Mind Taking a step by step approach makes the expansiveness of a network becomes very narrow and a single vulnerability can lead to a larger problem.
Methodology Introduction Tools Mapping The PenTester’s Mind Further Learning Questions 83
84 Questions? Kizz MyAnthia – Nick D. Senior Penetration Tester Website: