Today's Presentation: Internet Security Hacking & Penetration Testing
Motivation
Hacking Explored
Why Hack?
Penetration Testing Motives
Hacking Outline
Internet Footprinting
Internet Footprinting Outline
Review publicly available information
Perform network reconnaissance
Discover landscape
Determine vulnerable services
Landscape discovery
telnet
ftp
netcat
nmap
Hacking Windows
Scan
Enumerate
Penetrate
Escalate
Pillage
Get interactive
Expand influence
Scanning Windows
Enumerating Windows
So, what is enumeration? Enumeration is a fancy term for
listing and identifying the specific services and resources that
are offered by a target.
SAM
Trusts
Escalating privileges in Windows
getadmin
getad
getad2
pipeupadmin
Shatter
Yields system-level privileges
Works against Windows Server 2003
Pillaging Windows
Clear logs
Some
Grab hashes
Remotely with pwdump3
Backup SAM: c:\winnt\repair\sam._
Grab passwords
Sniff SMB traffic
Crack passwords
L0phtcrack
John the Ripper
Hacking Unix/Linux
Discover landscape
Goals
Discover available hosts
Find all running services
Methodology
ICMP
Tools
nmap
SuperScan (Windows)
udp_scan (more reliable than nmap for udp scanning)
Users: finger
SMTP: vrfy
DNS info: dig
RPC services: rpcinfo
NFS shares: showmount
Countermeasures
Turn
Attack remotely
3 primary methods
Trojans
Hostile web site
Buffer-overflow attack
backdoors
Sniff other traffic
Countermeasures
Clear logs
Session hijacking
Penetration Testing
Acronyms:
VA Vulnerability Assessment
PT Penetration Testing
DOS Denial of Service
DDOS Distributed Denial of Service
Evading Firewall Rules
Reviewing Logs and Generating Final Report with Remediation & Workarounds
Remote Services Password Cracking / Brute Forcing
Escalation of Privileges (Gaining Remote Shell)
Denial of Service Testing
Web-Based Authentication
1. Information Gathering
This is the first step of any remote host penetration test. Here the pen-tester tries to gather as much information as possible about the remote host in order to make the attack more precise.
Expected Results:
2. Footprinting / Fingerprinting
In this step, information such as the web server and OS type running on the remote host is gathered to further refine the attack.
Expected Results:
Tools For Remote Host Detection
Nmap
Xprobe
IP Fragmentation: ACL detection
[Figure: IPv4 header layout (bit offsets 0, 4, 8, 16: 4-bit version, 4-bit header length, 8-bit type of service, 16-bit identification, 8-bit time to live (TTL), 8-bit protocol (TCP); 20 bytes in total) followed by the TCP header (6-bit reserved field, URG/ACK/PSH/RST/SYN/FIN flags, 16-bit window)]
We can divide the first packet of the TCP handshake into two fragments. We put enough TCP information in the first fragment for it to be checked against the firewall's rule base (that is, the port numbers we are using are included in it). We then never send the second fragment, forcing any host that receives the first one to send us back an ICMP Fragment Reassembly Time Exceeded error message when the reassembly timer expires.
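As an added example (not from the slides), here is the check a packet filter applies to defeat this trick: decode the IPv4 header fields shown on the slide and refuse a TCP first fragment too short to carry the whole TCP header, since such a fragment exposes the ports but withholds the SYN/ACK flags the rule base needs. The packets, the 192.168.1.100 source address and the function names are my own constructions.

```python
import struct

IP_PROTO_TCP = 6
MIN_TCP_HEADER = 20   # a first fragment shorter than this cannot carry the TCP flags

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header fields from the slide's diagram (hypothetical helper)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, ident, flags_off, ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "tos": tos,
        "total_length": total_len, "identification": ident,
        "more_fragments": bool(flags_off & 0x2000),
        "fragment_offset": (flags_off & 0x1FFF) * 8,   # offset is in 8-byte units
        "ttl": ttl, "protocol": proto, "payload": pkt[ihl:],
    }

def fragment_verdict(pkt: bytes) -> str:
    """Packet-filter check: a TCP first fragment must hold the whole TCP header,
    otherwise the ports are visible but the SYN/ACK flags are not."""
    hdr = parse_ipv4(pkt)
    if hdr["protocol"] != IP_PROTO_TCP:
        return "pass"
    if hdr["fragment_offset"] == 0:
        if hdr["more_fragments"] and len(hdr["payload"]) < MIN_TCP_HEADER:
            return "drop-tiny-first-fragment"
        return "pass"
    return "hold-for-reassembly"   # later fragments are judged only after reassembly

def build_ipv4(payload: bytes, ident: int, more: bool, offset: int) -> bytes:
    """Constructed test-packet builder (checksum left at zero on purpose)."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                         64, IP_PROTO_TCP, 0, bytes([192, 168, 1, 100]), bytes([192, 168, 1, 1]))
    return header + payload

# Constructed sample: a TCP SYN from port 40000 to port 80, sent whole and sent split.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
WHOLE_SYN = build_ipv4(TCP_SYN, ident=1, more=False, offset=0)
TINY_FIRST = build_ipv4(TCP_SYN[:8], ident=2, more=True, offset=0)    # ports only, no flags
SECOND_FRAG = build_ipv4(TCP_SYN[8:], ident=2, more=False, offset=8)  # the part never sent

if __name__ == "__main__":
    for name, pkt in [("whole", WHOLE_SYN), ("tiny first", TINY_FIRST), ("second", SECOND_FRAG)]:
        print(f"{name:11s} -> {fragment_verdict(pkt)}")
```

A filter that instead reassembles fragments before applying its rule base sees the complete header and the unsent second fragment simply times out.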
(192.168.1.1)
The UDP or stealth FIN/NULL/XMAS scan took 4 seconds to scan 254 ports.
Interesting protocols on (192.168.1.1):
(The 250 protocols scanned but not shown below are in state: closed)
Protocol  State  Name
          open   icmp
          open   igmp
          open   tcp
17        open   udp
7. Exploiting Services For Known Vulnerabilities
This is the most important phase of penetration testing. Here the weaknesses found in the remote services are exploited using openly available exploits or self-developed or customized exploits.
Expected Results:
Here the access to restricted information. The web-based authentication is exploited by using XSS (Cross-Site Scripting), SQL injection or MITM (Man-in-the-middle) attacks, etc.
Expected Results:
[Figure: network diagram showing the INTERNET, the DMZ and the Back Office Network]
A pie graph displaying the vulnerabilities in terms of percentage of high, low & medium
Risk Matrix
Quantifying the vulnerabilities and showing the high, low & medium in a tabular format
Giving a brief of the vulnerabilities found
Best practices
Suggesting best practices for the configurations for the device or services
Final Summary
Must contain a brief on the overall vulnerability factor found for the remote device
Tools Of Trade
Q&A