Penetration Testing - PowerPoint PPT Presentation

About This Presentation
Title:

Penetration Testing

Description:

Holes may be fixed as discovered & block further penetration ... Ws.obit.nl/hackbot. Finds: CGI. Services. X connection check. Gaining Access: packet captures ... – PowerPoint PPT presentation

Slides: 19
Provided by: EAS3455
Learn more at: http://cs.uccs.edu

1
Penetration Testing & Countermeasures
  • Paul Fong & Cai Yu
  • CS691
  • 5 May 2003

2
Security Penetration Services
  • Goal: help organizations secure their systems
  • Skill set equivalent to system administrators
  • Record keeping & ethics

3
Announced vs. Unannounced Penetration Testing
  • Announced testing
    • Pros
      • Efficient
      • Team oriented
    • Cons
      • Holes may be fixed as discovered & block further penetration
      • False sense of security
  • Unannounced testing
    • Pros
      • Greater range of testing
    • Cons
      • Response may block further penetration
      • Requires strict escalation process
      • Impacts operations

4
Rules of Engagement
  • Type of attacks allowed (no DoS)
  • Off-limits machines & files (passwords)
  • Designated machines or networks
  • Test Plan
  • Contacts

5
Penetration Testing Phases
  • Footprint
  • Scanning/Probing
  • Enumeration
  • Gain Access
  • Escalate Privileges
  • Exploit
  • Cover Tracks
  • Create Backdoors

6
Footprinting
  • Profile target passively
    • Address blocks
    • Internet IP addresses
    • Administrators
  • Techniques
    • Googling
    • Whois lookups

7
Scanning/Probing: nmap
  • Active probing
  • NMAP
    • Port scanner
    • www.insecure.org
  • Discovers
    • Available hosts
    • Ports (services)
    • OS version
    • Firewalls
    • Packet filters

8
Scanning/Probing: nessus
  • www.nessus.org
  • Vulnerability scanning
    • Common configuration errors
    • Default configuration weaknesses
    • Well-known vulnerabilities

9
Enumeration: hackbot
  • Identify accounts, files & resources
  • Ws.obit.nl/hackbot
  • Finds
    • CGI
    • Services
    • X connection check

10
Gaining Access: packet captures
  • Eavesdropping
    • Ethereal, www.ethereal.com

11
Physical Access
  • Boot loader & BIOS vulnerabilities
    • GRUB loader
      • No password
      • Allows hacker to boot into single-user mode with root access
  • Password crackers
    • John the Ripper
    • Crack

12
Wireless Security
  • War driving with directional antenna
  • Wired Equivalent Privacy (WEP) vulnerabilities
  • Penetration tools
    • WEPcrack
    • AirSnort

13
Counter Measures 1
  • Apply the latest patches.
  • Change default settings/options.
  • Set up passwords and protect your password file.
  • Install anti-virus software and keep it updated.

14
Counter Measures 2
  • Install only required software; open only
    required ports.
  • Maintain good backups.
  • Set a BIOS password, a system loader password, and
    other passwords as necessary.
  • Have a good emergency plan.
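
The scanning slide (nmap) and the countermeasure "open only required ports" fit together as a check: scan, then compare what is actually listening against the services the test plan says each host needs. The script below is an added example, not from the slides; it parses nmap's grepable (-oG) output and reports open ports missing from a per-host baseline. The scan text and the baseline are constructed sample data, not a real lab scan.

```python
"""Audit nmap -oG output against an approved per-host port baseline."""
import re

# Constructed sample of `nmap -oG -` output for two hypothetical lab hosts.
# Real -oG "Ports:" entries have 7 slash-separated fields:
# port/state/protocol/owner/service/rpc info/version
SAMPLE_SCAN = """\
# Nmap scan initiated as: nmap -sS -oG - 10.0.0.0/29
Host: 10.0.0.5 (web.lab)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 6000/open/tcp//X11///\tIgnored State: closed (997)
Host: 10.0.0.6 (db.lab)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///, 23/filtered/tcp//telnet///
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# Hypothetical baseline from the test plan: the only ports each host should expose.
BASELINE = {
    "10.0.0.5": {22, 80},
    "10.0.0.6": {22, 3306},
}

HOST_RE = re.compile(
    r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*?)(?:\s+Ignored State.*)?$"
)


def parse_open_ports(grepable_output):
    """Return {ip: set of port numbers whose state is 'open'} from -oG text."""
    hosts = {}
    for line in grepable_output.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines, or hosts without a Ports: field
        ip, ports_field = m.group(1), m.group(2)
        open_ports = set()
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 2 and fields[1] == "open":
                open_ports.add(int(fields[0]))  # filtered/closed are skipped
        hosts[ip] = open_ports
    return hosts


def unexpected_ports(scan, baseline):
    """Return {ip: sorted list of open ports not allowed by the baseline}."""
    findings = {}
    for ip, open_ports in parse_open_ports(scan).items():
        extra = open_ports - baseline.get(ip, set())
        if extra:
            findings[ip] = sorted(extra)
    return findings


if __name__ == "__main__":
    for ip, ports in unexpected_ports(SAMPLE_SCAN, BASELINE).items():
        print(f"{ip}: unexpected open ports {ports}")
```

A host absent from the baseline is treated as allowing nothing, so every open port on it is reported.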

15
Counter Measures 3
  • Monitor your system if possible.
  • Have a good administrator.

16
Future Improvements
  • Correction of weaknesses uncovered by the
    penetration exercise
  • Automate and customize the penetration test
    process
  • Use of intrusion detection systems
  • Use of honeypots and honeynets

17
Demo: Retina Network Security Scanner
  • Created by eEye Digital Security, Retina Network
    Security Scanner is recognized as the #1 rated
    network vulnerability assessment scanner by
    Network World magazine.
  • Retina sets the standard in terms of speed, ease
    of use, reporting, non-intrusiveness and advanced
    vulnerability detection capabilities.
  • Retina incorporates the most comprehensive and
    up-to-date vulnerabilities database --
    automatically downloaded at the beginning of
    every Retina session.

18
Bibliography
  • Klevinsky, et al. Hack I.T.: Security Through
    Penetration Testing. ISBN 0-201-71956-8.
  • McClure, et al. Hacking Exposed: Network
    Security Secrets and Solutions, 2nd edition. ISBN
    0-07-222742-7.
  • Sage, Scott & Lear, Lt. Col. Tom. A Penetration
    Analysis of UCCS Network Lab Machines, March
    2003. UCCS course CS691c.
  • Warren Kruse, et al. Computer Forensics. ISBN
    0-201-70719-5.
  • Ed Skoudis, et al. Counter Hack. ISBN
    0-13-033273-9.
  • Lance Spitzner, et al. Honeypots. ISBN
    0-321-10895-7.
  • Retina Network Security Scanner,
    http://www.eeye.com/html/Products/Retina/index.html