1. Penetration Testing & Countermeasures Paul Fong & Cai Yu CS691 5 May 2003

2. Security Penetration Services  Goal: help organizations secure their systems  Skill set: equivalent to system administrators  Record keeping & ethics

3. Announced vs. Unannounced Penetration Testing  Announced testing  Pros Efficient Team oriented  Cons Holes may be fixed as discovered & block further penetration False sense of security  Unannounced testing  Pros Greater range of testing  Cons Response may block further penetration Requires strict escalation process Impact operations

4. Rules of Engagement  Type of attacks allowed (no DoS)  Off-limits machines & files (passwords)  Designated machines or networks  Test Plan  Contacts

5. Penetration Testing Phases  Footprint  Scanning/Probing  Enumeration  Gain Access  Escalate Privileges  Exploit  Cover Tracks  Create Backdoors

6. Footprinting  Profile target passively Address blocks Internet IP addresses Administrators  Techniques Googling Whois lookups

7. Scanning/Probing: nmap  Active probing  NMAP Port scanner www.insecure.org  Discovers: Available Hosts Ports (services) OS & version Firewalls Packet filters

8. Scanning/Probing: nessus  www.nessus.org www.nessus.org  Vulnerability scanning Common configuration errors Default configuration weaknesses Well-known vulnerabilities

9. Enumeration: hackbot  Identify accounts, files & resources  Ws.obit.nl/hackbot  Finds: CGI Services X connection check

10. Gaining Access: packet captures  Eavesdropping  Ethereal, www.ethereal.com www.ethereal.com

11. Physical Access  Boot loader & BIOS vulnerabilities  GRUB loader No password Allows hacker to boot into single- user w/root access  Password crackers John the Ripper Crack

12. Wireless Security  War driving with directional antenna  Wired Equivalent Privacy (WEP) vulnerabilities  Penetration Tools: WEPcrack AirSnort

13. Counter Measures1  Update latest patches.  Change default settings/options  Setup password and protect your password file.  Install anti-virus software and keep it updated.

14. Counter Measures2  Install only required softwares, open only required ports.  Maintain a good backup.  Set BIOS password, system loader password, or other passwords that necessary.  Have a good emergency plan.

15. Counter Measures3  Monitor your system if possible.  Have a good administrator.

16. Future Improvements  Correction of weaknesses uncovered by the penetration exercise  Automate and customize the penetration test process  Use of intrusion detection systems  Use of honeypots and honeynets

17. Demo: Retina Network Security Scanner  Created by eEye Digital Security, Retina Network Security Scanner is recognized as the #1 rated network vulnerability assessment scanner by Network World magazine.  Retina sets the standard in terms of speed, ease of use, reporting, non-intrusiveness and advanced vulnerability detection capabilities.  Retina incorporates the most comprehensive and up- to-date vulnerabilities database -- automatically downloaded at the beginning of every Retina session.

18. Bibliography  Klevinsky, et. al. Hack I.T.-Security Through Penetration Testing. ISBN 0-201-71956-8.  McClure, et. al. Hacking Exposed: Network Security Secrets and Solutions, 2nd edition, ISBN 0-07-222742-7.  Sage, Scott & Lear, Lt. Col. Tom. “A Penetration Analysis of UCCS Network Lab Machines,” March, 2003. UCCS course CS691c.  Warren Kruse, et. al. Computer Forensics. ISBN 0-201- 70719-5  Ed Skoudis, et. al. Counter Hack. ISBN 0-13-033273-9  Lance Spitzner, et. al. Honeypots. ISBN 0-321-10895-7  Retina network security scanner, http://www.eeye.com/html/Products/Retina/index.html http://www.eeye.com/html/Products/Retina/index.html