NetSec Lecture Notes - Lesson 4 - Penetration Testing

Penetration Testing

• First line of network defense

Overview

• Test to evaluate strengths of all security controls
  • Procedural
  • Operational
  • Technological
• Benefits
  • Security of network
  • Discovery of vulnerabilities
  • Demonstration of threats
• Scope
  • Can include social engineering, physical access (in addition to traditional cyber)
• Scale
  • Security of entire network

Methodology

• Footprinting
  • whois, nslookup
• Scanning
  • nmap, fping
• Enumeration
  • dumpACL, showmount legion, rpcinfo
• Gaining access
  • tcpdump, Lophtcrack NAT
• Excalating privilege
  • Johntheripper, getadmin
• Pilfering (exfiltration)
  • rhosts, user data, config files, registry
• Covering tracks
  • zap, rootkits
• Creating back doors (persistence)
  • cron, at, startup folder netcat, keystroke logger, remote desktop

Footprinting

• Reconnaissance and information gathering
• Find out target IP address/phone number range
• Namespace acquisition
• Network Topology (visualRoute)
• Essential to a “surgical” attack
• Techniques – Tools
  • Open Source search – Google, search engine, Edgar
  • Find domain name, admin, IP addresses, name servers – whois (network solution; arin)
  • DNS zone transfer – nslookup (ls -d), dig, Sam Spade

Scanning

• Which machine is upand what ports are open
• Which services are running
• Their versions and configurations
• Look up corresponding vulnerability info on the web
• Focus on most promising avenues of entry
• Reduce frequency of scanning and randomize the ports or IP addresses to be scanned in the sequence
• Techniques – Tools
  • Ping sweep – Fping, icmpenum, WS_Ping Propack, nmap
  • TCP/UDP port scan – nmap, superscan, fscan
  • OS detection – nmap, queso, siphon

Enumeration

• Identify valid user accounts or poorly protected resource shares
• More intrusive probing than scanning step
• Techniques – Tools
  • List user accounts – Null sessions, dumpACL, sid2usre, onSiteAdmin
  • List file shares – showmount, NAT, legion
  • Identify applications – banner grabbing with telnet or netcat, rpcinfo

Gaining Access

• Identify a vulnerability of the target from scanning
• Exploit it
  • often with existing tool/script. may need modifications
• In general, automatically generating a working exploit from a new vulnerability is still an open problem
• Techniques – tools
  • Password eavesdropping – tcpdump/ssldump, L0phtcrack, readsmb
  • File share brute forcing – NAT, legion
  • Password file grap – tftp, pweddump2
  • Buffer overflow – ttdb, bind, IIS, .HTR/ISM.DLL

Escalating Privilege

• If only user-level access was obtained in the last step, seek to gain complete control of the system
• Techniques – tools
  • Password cracking – John the ripper, L0phtcrack
  • Known Exploits – Lc_messages, getadmin, sechole

Pilfering (Exfiltration)

• Gather info to allow access of trusted systems
• Techniques – tools
  • Evaluate trusts – rhosts, LSA secrets
  • Search for cleartext passwords – User data, Configuration files, registry

Covering Tracks

• Once total ownership of the target is secured, hiding this fact from system administrators become paramount, lest they quickly end the romp
• Techniques – tools
  • Clear logs – Zap, Event Log GUI
  • Hide tools – Rootkits, file streaming

Creating Back Doors (Persistence)

• Trap doors will be laid in various parts of the system to ensure that privilege access is easily regained wheneve the intruder decides
• Techniques – tools
  • Create rogue user accounts – Members of wheel, admin
  • Schedule batch jobs – cron, at
  • Infect startup files – rc, startup folder, registry keys
  • Plant remote control services – netcat, remote.exe, VNC, B02K, remote desktop
  • Install monitoring mechanisms – Keystroke loggers, add acct. to secadmin mail aliases
  • Replace apps with Trojans – Login, fpnwcint.dll

Penetration Testing Quiz

• Which events should trigger a penetration test?
  • Infrastructure is added or modified
  • Applications are added or modified
  • End user policies are changed
  • Security patches are installed

Persistence and Stealth

• To simulate an APT, the above attributes are needed
• Installation of backdoor or malware
  • A permanent foothold
• Insertion of proxies or man-in-the-middle systems, or simply “listening/recording”
• Capture credentials and identify valuable target
  • Impersonation and data thefts

Social Engineering

• Users are the weakest link in security
• Use “social engineering” attack techniques to evaluate user population
  • Identify vulnerable user groups
  • Identify policy gaps
  • Fix policies and mechanisms, including user education and training
• Why is social engineering effective?
  • Manipulates legitimate users into undermining their own security system
  • Abuses trusted relationships between employees
  • Very cheap for the attacker
  • Attacker does not need specialized equipment or skills

RSA Breach Quiz

• List the steps attackers used to access RSA’s Adobe Flash software:
  • Identify employees that are vulnerable
  • Craft an email subject line that entices an employee to open it
  • Hide an executable file in the email that will install onto the victim’s computer when the email is opened
• In 2011, RSA was compromised
  • Social engineering was used to penetrate the company’s defenses
  • Once in, the attackers installed a backdoor using an Adobe Flash vulnerability
  • Total damage estimated at $66million

Common Social Engineering Techniques

• Impersonation
  • Help Desk
    • The attack
      • An attacker pretends to be an employee
      • Recovers “forgotten” password
    • The exploit
      • Help desks often do not require adequate authentication
  • Third-party Authorization
    • The attack
      • Access to assets
      • Verification codes
    • The exploit
      • Claim that a third party has authorized the target to divulge sensitive information
      • More effective if the third party is out of town
  • Tech Support
    • The attack
      • Attacker pretends to be tech support for the company and obtains user credentials for troubleshooting purposes
    • The exploit
      • Users must be trained to guard credentials
  • Roaming the halls or Tailgating
    • The attack
      • Attacker dresses to blend in with the environment
    • The exploit
      • Looks for sensitive information that has been left unattended
        • Passwords written down
        • Important papers
        • Confidential conversations
  • Trusted Authority/Repairman Figure
    • The attack (repairman)
      • Attacker wears the appropriate uniform
      • Often allowed into sensitive environments
      • May plant surveillance equipment
      • Could find sensitive information
    • The exploit (repairman)
      • People rarely question someone in a uniform
    • The attack (trusted authority figure)
      • Attacker pretends to be someon in charge of a company or department
      • Similar to “third-party authorization” attack
      • Impersonation in-person or via telephone
      • Examples of authority figures – Medical personnel, Home inspector, School superintendent
    • The exploit (trusted authority figure)
      • Trust in perceived authority
  • Snail Mail
    • The attack
      • Attacker sends mail that asks for personal information
    • The exploit
      • People are more trusting of printed words than webpages
    • Examples
      • Fake sweepstakes
      • Free offers
      • Rewards programs
    • More effective on older generations
• Computer-based Techniques
  • Pop-up windows
    • The attack
      • Window prompts user for login credentials
      • Imitates the securen etwork login
    • The defense
      • Users can check for visual indicators to verify safety
  • Instant Messaging and IRC
    • The attack
      • Attacker uses IM or IRC to imitate technical support desk
      • Redirects users to malicious sites
      • Trojan horse downloads install surveillance programs
  • Email Attachments
    • Attacker tricks user into downloading malicious software
    • Programs can be hidden in downloads that appear legitimate
    • Examples:
      • Executable macros embedded in PDF files
      • Camouflaged extension: “NormalFile.doc” vs “NormalFile.doc.exe”
  • Email Scams
    • More prevalent over time
    • Begins by requesting basic information
    • Leads to financial scams
  • Chain Letters and Hoaxes
    • More of a nuisance than a threat
    • Spread using social engineering techniques
    • Productivity and resource cost
  • Websites
    • Offer prized but require a created login
    • Attacker capitalizes on users reusing login credentials
    • Website credentials can then be used for illegitimate access to assets

Impersonation Quiz

• Used to determine which users click on links in emails
  • Click logger
• A signed Java applet is sent to the user, if they accept it a shell is sent back to the exploit server
  • Reverse shell applet
• A flash is created that has a program that creats a connection to the exploit server
  • Flash or CD Autoplay
• An email contains an attachment. When the attachment is downloaded an connection is made to the exploit server
  • Download connection

Computer Attacks Quiz

• What are the top three industries that were targets of cyber attacks in 2016?
  • Defense contractor (11.1%)
  • Restaurant (16.7%)
  • Software (16.7%)

Countering Social Engineering Attacks

• Never disclose passwords
• Limit IT Information disclosed
• Limit information in auto-reply emails
• Escort guests in sensitive areas
• Question people you don’t know
• Talk to employees about security
• Centralize reporting of suspicious behavior

Motivator Quiz

• A desire to pursue a limited or exclusive item or service
  • Scarcity
• A desire to fit in and to be more easily influenced by someone you like
  • Liking
• A desire to act in a consistent manner
  • Commitment
• Looking to others for clues on how to behave
  • Social Proof