
1 Security Penetration Testing Angela Davis Mrinmoy Ghosh ECE4112 – Internetwork Security Georgia Institute of Technology.


1 Security Penetration Testing
Angela Davis, Mrinmoy Ghosh
ECE4112 – Internetwork Security, Georgia Institute of Technology

2 Agenda
- Introduction to penetration testing
- Lab scenario
- Lab setup
- New additions
- Conclusions

3 Penetration Testing
- Actively assess network security measures by attacking the network the way an adversary would.
- Possibly reduce costs by uncovering vulnerabilities before suffering the consequences of a real break-in.
- Black box vs. white box: the tester starts with no inside knowledge of the target, or with full documentation and access.
- External vs. internal: the test is run from outside the network perimeter, or from a foothold already inside it.

4 Lab Scenario
Mission: You have been hired by Acme & Burdell to attempt to break into their network. Acme & Burdell has allowed you to break into their network throughout dead week. However, the network admins at Acme & Burdell cannot agree on a single setup for their network, so they change the network setup every two days. If you want to break in, you'll have to do it within a couple of days. Are you ready?


6 Steps Involved
- Reconnaissance (find the target IP address)
- Vulnerability scanning
- Choosing a target and getting in
- Maintaining access (look for backdoors)
- Cracking passwords
- Alternate ways to get in

7 Reconnaissance
- You are given the web address: www.acmeandburdell.com
- Find the IP address behind the web address
- Use the tools from the course to find out more about the A&B network

8 Vulnerability Scanning
- Use your favorite network scanner(s) to scan the IP address range for potential holes
- Document the services running and look for suspicious ports

9 Choosing a Target and an Attack
- Based on the results of scanning, choose a vulnerable target.
- Be sure to do a full port range scan on the target machine: by default Nmap scans only its list of common ports, so a service listening on an unusual port is missed unless you ask for all 65535 TCP ports (-p-).
- Choose an attack to execute on the target. The network scan may not give complete information about how you can attack; you may have to try different attacks learned in class before you succeed. Be creative and reference previous labs for hints!
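The two scanning slides say what to do but not what to do with the output. As an added example, not part of the lab or the original slides, here is a Python parser for Nmap's grepable output that applies the two checks a tester wants from it: which open ports have no recognised service (the "remote vulnerable program on a random port"), and which match ports the lab description itself calls out. The nmap command line, the sample scan output and the LAB_HINTS table are this example's own assumptions; the sample output is constructed by hand.

```python
"""Parse an Nmap grepable (-oG) scan and flag ports worth a closer look.

Scan command assumed for the lab (full TCP range, version detection, grepable output):
    nmap -p- -sV -oG acme.gnmap 10.0.0.0/24
"""
import re

# Ports the slides themselves mention; tying them to these notes is an
# assumption drawn from the lab description, not something Nmap knows.
LAB_HINTS = {
    23: "telnet (closed on the Red Hat VMs, per the lab setup)",
    135: "MS-RPC/DCOM (the DCOM exploit target on the unpatched XP VM)",
    143: "IMAP (the IMAP-d exploit target on the Red Hat VM)",
    5900: "VNC (opens with a cracked user password)",
    18006: "B02k default port (per the lab setup)",
}

# Constructed sample in -oG format: one 'Host:' line per live host, tab-separated
# fields, each port written as port/state/proto/owner/service/rpcinfo/version/.
SAMPLE_GNMAP = (
    "# Nmap scan initiated as: nmap -p- -sV -oG acme.gnmap 10.0.0.0/24\n"
    "Host: 10.0.0.7 (mail)\tPorts: 22/open/tcp//ssh///, 23/closed/tcp//telnet///, "
    "143/open/tcp//imap///, 6543/open/tcp/////\tIgnored State: closed (65531)\n"
    "Host: 10.0.0.9 ()\tPorts: 135/open/tcp//msrpc///, 5900/open/tcp//vnc///, "
    "18006/open/tcp/////\tIgnored State: closed (65532)\n"
    "Host: 10.0.0.12 (decoy)\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///"
    "\tIgnored State: closed (65533)\n"
    "# Nmap done\n"
)

HOST_RE = re.compile(r"^Host: (\S+)")
PORTS_RE = re.compile(r"Ports: ([^\t]*)")


def parse_gnmap(text):
    """Return one dict per port entry: host, port, state, proto, service, version."""
    entries = []
    for line in text.splitlines():
        host = HOST_RE.match(line)
        ports = PORTS_RE.search(line)
        if not host or not ports:
            continue                      # comment line, or a host with no port list
        for item in ports.group(1).split(", "):
            f = item.split("/")
            if len(f) < 5:
                continue                  # malformed entry
            entries.append({
                "host": host.group(1),
                "port": int(f[0]),
                "state": f[1],
                "proto": f[2],
                "service": f[4],
                "version": f[6] if len(f) > 6 else "",
            })
    return entries


def review(entries):
    """Open ports that deserve a manual look: a lab hint, or no recognised service."""
    notes = []
    for e in entries:
        if e["state"] != "open":
            continue
        if e["port"] in LAB_HINTS:
            notes.append((e["host"], e["port"], LAB_HINTS[e["port"]]))
        elif not e["service"]:
            notes.append((e["host"], e["port"],
                          "no service name: unknown listener, probe it by hand"))
    return notes


if __name__ == "__main__":
    for host, port, why in review(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{host}:{port}  {why}")
```

Ports with a service name and no hint (SSH, FTP, HTTP in the sample) are left out of the report on purpose; the point of the pass is to shorten the list to what the scan could not explain.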

10 Maintaining Access (Look for Backdoors)
- If you got in, assume that someone else may have done so before you. What might they have left behind?
- Use what you know about the target OS to look for other ways of getting in.
- Your client needs to know!

11 Cracking Passwords
- If you broke into a Linux machine, get the password file (on Red Hat 7.2 the hashes are in /etc/shadow, readable only by root) and try to crack as many passwords as you can.
- If you broke into a Windows machine, you will find a previous hacker has installed a password dump program called "pwdump2" in C:\Windows\System32\Pwdump2\
  - Use pwdump2 to dump the password hashes to a file
  - Crack as many passwords as you can
- Get info about pwdump2 at: http://www.securiteam.com/tools/5ZQ0G000FU.html
- Do the passwords give you more ways to gain access to the system?
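As an added example, not from the slides or from pwdump2 itself, here is the Windows branch of this slide in code: a parser for pwdump2's user:rid:LMhash:NThash::: lines, a triage pass for the cases that need no cracking at all (blank passwords, an LM hash present, a password of seven characters or fewer), and a wordlist attack on the NT hashes. MD4 is implemented inline because hashlib's md4 is often unavailable under OpenSSL 3. The sample dump, the wordlist, the account names and the Tr0ub4dor&3 passphrase are this example's own constructions; the hashes for acmeadmin are the well-known LM and NT hashes of "password".

```python
"""Triage a pwdump2-style dump and run a dictionary attack on the NT hashes.

pwdump2 writes one line per account:  user:rid:LMhash:NThash:::
"""
import struct

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash (MD4) of the empty string

# Constructed wordlist; a real run would read a dictionary file.
WORDLIST = ["123456", "password", "letmein", "acme", "burdell", "welcome"]


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data):
    """MD4 per RFC 1320, returning the 16-byte digest (pure Python)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b = (a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF
        c, d = (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT hash = MD4 of the password encoded as UTF-16LE, as lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


# Constructed sample dump. acmeadmin carries the known LM/NT hashes of "password";
# burdell's NT hash is generated here from a passphrase that is not in WORDLIST.
SAMPLE_DUMP = "\n".join([
    f"Administrator:500:{EMPTY_LM}:{EMPTY_NT}:::",
    f"Guest:501:{EMPTY_LM}:{EMPTY_NT}:::",
    "acmeadmin:1000:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::",
    f"burdell:1001:{EMPTY_LM}:{nt_hash('Tr0ub4dor&3')}:::",
])


def parse_pwdump(text):
    """Parse user:rid:lm:nt::: lines; skip blanks, comments and malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if line.lstrip().startswith("#") or len(parts) < 4 or not parts[1].isdigit():
            continue
        records.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return records


def triage(rec):
    """Cheap checks worth making before spending any CPU on cracking."""
    flags = []
    if rec["nt"] == EMPTY_NT:
        flags.append("blank password")
    if rec["lm"] != EMPTY_LM:
        flags.append("LM hash present (case-folded, two 7-char halves, far easier to crack than NT)")
        if rec["lm"][16:] == EMPTY_LM[16:]:      # second half is the hash of padding only
            flags.append("password is 7 characters or fewer")
    return flags


def crack_nt(records, wordlist):
    """Dictionary attack: hash each candidate once, then match every account at once."""
    lookup = {nt_hash(w): w for w in wordlist}
    return {r["user"]: lookup[r["nt"]] for r in records if r["nt"] in lookup}


if __name__ == "__main__":
    recs = parse_pwdump(SAMPLE_DUMP)
    cracked = crack_nt(recs, WORDLIST)
    for r in recs:
        print(r["user"], triage(r), cracked.get(r["user"], "(not in wordlist)"))
```

Hashing the wordlist once and matching all accounts against it is what makes unsalted NT hashes cheap to attack in bulk; the triage flags answer the slide's last question directly, since a blank Administrator password or a shared "password" is itself another way in (the VNC session in the lab setup, for instance).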

12 Alternate Ways of Getting In
- Each vulnerable machine is set up to allow multiple ways of getting in. You will get full credit (8 points) if you discover all of them and document your findings thoroughly.
- In addition to the normal means of getting extra credit, you will get extra credit if you discover ways of getting in which were not part of the lab setup, OR if you get into a machine you were not expected to, OR if your summary recommendations for the client include something we didn't think of.

13 Lab Setup
- Dynamic setup, changing every couple of days. You have to choose a slot of two days to complete the lab.
  - Slots are: Tue-Wed, Thurs-Fri, Sat-Sun, Mon-Tue
- Multiple vulnerabilities (at least 2) of varying difficulty

14 Lab Setup
- Four virtual machines with different vulnerabilities. Only one is running at any one time; the TAs choose a different virtual machine to run every couple of days.
- Two decoy machines acting as honeypots always run, to make things interesting.

15 Lab Setup
VM1:
- OS: Red Hat 7.2
- IMAP-d exploit enabled
- Remote vulnerable program running on a random port
- LRK4 rootkit installed, but telnet closed
- Two users, one with an easy password
- One of the passwords may be used to open a VNC session

16 Lab Setup
VM2:
- OS: Red Hat 7.2
- ICMP server exploit enabled
- Remote vulnerable program running on a random port
- LRK4 rootkit installed, but telnet closed
- Two users, one with an easy password
- One of the passwords may be used to open a VNC session

17 Lab Setup
VM3:
- OS: Windows XP (no security patch)
- DCOM exploit enabled
- Netcat backdoor running
- "pwdump2" kept at a known place
- VNC session that may be opened by cracking one of the passwords

18 Lab Setup
VM4:
- OS: Windows XP with security patch
- B02k (running on default port 18006)
- Netcat backdoor running
- "pwdump2" kept at a known place
- VNC session that may be opened by cracking one of the passwords

19 Lab Setup
Decoy 1 (always running):
- OS: Windows XP with DCOM security patch
- Back Officer Friendly (all traffic simulated)
- No user other than Administrator (with a difficult password)

20 Lab Setup
Decoy 2 (always running):
- OS: Red Hat 7.2
- HTTP, FTP, telnet and SSH ports open
- No users other than root, with a difficult password

21 New Tools for Behind the Scenes
- DCOM security patch: from Microsoft's website, http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
- Pwdump2: used to dump the Windows LM/NT password hashes from the SAM database.
- AutoIt: simple scripting language used for the automation of simple Windows tasks like opening or closing Windows-based applications. To keep "netcat" running, the script checks whether netcat has exited and restarts it.
- Srvany.exe: used to install the AutoIt script as a service so that it starts every time Windows XP starts.
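The AutoIt watchdog is only sketched on the slide. The loop below, added here and not the lab's own script, shows the same restart logic in Python so its behaviour can be read and tested offline. The placeholder command and the polling interval are assumptions, since the slides do not give the netcat command line used on the lab VMs.

```python
"""Watchdog that relaunches a command whenever it exits.

The lab kept its netcat backdoor alive with an AutoIt script installed as a
service via srvany.exe; this is the same poll-and-restart loop in Python.
"""
import subprocess
import sys
import time


def keep_alive(cmd, interval=1.0, max_restarts=None):
    """Launch cmd, relaunch it each time it exits, and return the restart count.

    max_restarts=None runs forever, which is the persistence the lab wanted;
    a number bounds the loop so the logic can be exercised in a test.
    """
    restarts = 0
    proc = subprocess.Popen(cmd)
    while True:
        if proc.poll() is not None:              # child has exited
            if max_restarts is not None and restarts >= max_restarts:
                return restarts
            proc = subprocess.Popen(cmd)         # bring it back, as the AutoIt script did
            restarts += 1
        time.sleep(interval)


def short_lived_command():
    """Placeholder that exits at once, so the restart path runs offline (an assumption)."""
    return [sys.executable, "-c", "pass"]


if __name__ == "__main__":
    # Stand-in for the lab's listener; the real backdoor command is not on the slides.
    print("restarts performed:", keep_alive(short_lived_command(), interval=0.2, max_restarts=3))
```

For the "look for backdoors" step the observable is the same whichever language the watchdog is written in: a listener that comes back within one polling interval of being killed, and, on the Windows VMs, a service whose executable is srvany.exe rather than the program it keeps alive.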

22 Conclusions
- Challenges the students to try out different things, not just follow instructions
- Covers the breadth of the course
- Students get a flavor of the whole course by completing this challenging lab

