Security Boot Camp Intro - PowerPoint PPT Presentation

About This Presentation
Title:

Security Boot Camp Intro

Description:

Boot Linux (trinux Knoppix or Packetmasters) and have a play. Time: 35 minutes. 9/8/09 ... Check Scanner. Identify exploits. 9/8/09. Security Boot Camp. Intro ... – PowerPoint PPT presentation

Number of Views:73
Avg rating:3.0/5.0
Slides: 23
Provided by: me690
Category:
Tags: boot | camp | intro | security


Transcript and Presenter's Notes

Title: Security Boot Camp Intro


1
Security Boot Camp Intro

2
Why this course
  • A few years ago a few friends who used to be
    part of a very successful attack and pen team
    wrote a course very similar to this
  • They have now remembered a course very similar to
    the original so that everyone can share the
    experience and gain a better understanding of the
    subject matter

3
Who is that Fat Man?
  • Mark holds the following certifications:
  • CISSP and CISM
  • Checkpoint CCSA, CCSE
  • Cisco CCNA, CSSP
  • BA Computing, MBA
  • What did Mark do?
  • The most popular 802.11 IDS
  • Invent an IDS collation engine
  • Discover several zero-day vulnerabilities
  • Coin the term WAP-GAP
  • The London Hacker survey
  • Contribute to the CEH cert
  • Expert witness in a famous dirty tricks legal action
  • etc etc etc


4
Outline
  • Overview of the types of hacking tools and
    platforms used
  • Sites used by hackers
  • Building your white-hat hacker toolkit

5
Origination of tools
  • Tools tend to be freely downloadable from the web
  • Many tools shared via IRC
  • Pirated commercial tools are also available
  • Many available through peer to peer programs
  • Tools tend to be developed for specific
    vulnerabilities

6
Types of tools
  • Network and system scanning/mapping
  • Vulnerability scanning and testing (Nessus,
    whisker)
  • Password crackers (Brutus, LC3)
  • Encryption tools
  • Network sniffers
  • War dialling

7
The Unix hacker toolkit
  • Nmap - Port scanner
  • Nessus - Port scanner / vulnerability assessment
  • Traceroute with the source route patch, or LFT
  • Hping2 - Scanning and tracerouting tool
  • Whisker - Web vulnerability scanner (Nikto is
    also based on Whisker)
  • Stunnel/SSLPROXY - De-SSL HTTP/s
  • Sniffit - Command line sniffer
  • Netcat - Raw socket access
  • Tcpdump - Command line sniffer
  • Icmptime
  • Juggernaut
  • Net::SSLeay - SSL module for Perl (used by many
    tools)
  • John the Ripper - Password cracker
  • Hunt/Sniper - TCP/IP connection hijacking tool
  • nimrod - Website enumerator
  • Spike archives
  • Ethereal - Sniffer
  • dsniff

8
The Windows hacker toolkit
  • Brutus - Brute force utility
  • Mingsweeper - TCP/IP scanning tool
  • Superscan - TCP/IP scanning tool
  • MPTraceroute/LFT
  • SamSpade - Footprinting tool
  • NessusWX - Nessus interface
  • ISS Scanner / CyberCop
  • Netstumbler - Wireless LAN scanner
  • WinDump - tcpdump for Windows
  • Toneloc - War dialling tool
  • Finger - Backdoor tool
  • NetBIOS Auditing Tool (NAT)
  • Netcat - Enumeration tool
  • Legion - Enumeration tool
  • LC3 (L0phtCrack)

9
The Windows hacker toolkit cont.
  • Cygwin - Unix-like environment for Windows
    (provides many UNIX command line tools, including
    a shell and compiler)
  • ToneLoc - War dialling tool
  • NT Resource Kit - many tools applicable to NT
    network enumeration and penetration
  • NMAP (Win32 port) - available from insecure.org

10
Denial Of Service tools
  • From the spike package
  • Land and Latierra
  • Smurf, Fraggle
  • Synk4
  • Teardrop, newtear, bonk, syndrop
  • Zombies

11
Network Sniffers
  • tcpdump
  • Sniffit
  • dsniff
  • Observer
  • Sniffer Pro
  • Ethereal
  • Snoop

12
Underlying requirements
  • Certain tools have prerequisites that must be in
    place before installation
  • Perl
  • SSLeay
  • OpenSSL
  • Linux variations
  • Example: Whisker requires Perl to be installed

13
Websites
  • Websites where tools can be found
  • www.securityfocus.com
  • www.packetstormsecurity.org
  • www.astalavista.box.sk
  • www.securiteam.com

14
Lab
  • Visit the sites used for the hacker toolkit and
    familiarise yourself with some of the tools
    available
  • Good searches:
  • Denial of service
  • Backdoor / netbus / backoriface
  • http://www.securityfocus.com/ vulnerability
    section
  • Time: 30 minutes

15
Knoppix 3.7
  • Bootable CD
  • Boots in most Intel/AMD systems
  • Linux 2.x with basic security tools
  • Also see Trustix, Trinux and Packetmaster on
    sourceforge

16
Lab
  • Boot Linux (trinux Knoppix or Packetmasters) and
    have a play
  • Time: 35 minutes

17
A methodology
18
A network penetration methodology
Test Objective: To identify insecure protocols or
insecure settings of services related to
available protocols or services
19
Research Phase: Objective and Strategy
  • Objective: Find out technical information about
    the target site
  • Using external information sources
  • Not touching the target servers
  • Strategy: Review information available from
  • DNS
  • RIPE
  • Netcraft
  • News groups (particularly firewall newsgroups)

20
Identifying router and firewall
  • Identify the web or mail server
  • Get the next hop before this
  • This will probably be the perimeter router or the
    firewall
  • PIX does not appear as a hop (FW-1 and NetScreen do)
  • 80% chance it will be NetScreen, PIX or Firewall-1
  • To figure out which:
  • ICMP (e.g. Address Mask Request)
  • Use TCP stack fingerprinting
  • Key ports (258, 259, 263 could be Firewall-1)
  • IPSEC
  • Exploit vulnerabilities with pre-written tools

21
Hacking the servers
  • Scan TCP ports
  • Scan UDP ports
  • !!! Only HTTP or HTTPS ports should be visible
  • If it is a web server, etc.
  • Run a CGI scanner (e.g. Whisker, Crazymad or Nikto)
    to look for web server exploits
  • Check Scanner
  • Identify exploits
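Slides 20 and 21 describe the reconnaissance from the attacker's side. As an added example (not part of the original deck), here is the same activity seen from the perimeter log: a small Python parser over constructed firewall log lines that flags ICMP Address Mask Requests, probes to the Firewall-1 key ports the slide lists, port sweeps, and any accepted connection to the web server on a port other than HTTP/HTTPS. The log format, the addresses and the sweep threshold are assumptions made for this example.

```python
import re

# Constructed sample firewall log lines (not from the slides); format and addresses are assumptions.
SAMPLE_LOG = """\
DROP proto=icmp src=203.0.113.5 dst=198.51.100.10 type=17 code=0
DROP proto=tcp src=203.0.113.5 dst=198.51.100.10 dport=258
DROP proto=tcp src=203.0.113.5 dst=198.51.100.10 dport=259
DROP proto=tcp src=203.0.113.5 dst=198.51.100.10 dport=263
DROP proto=udp src=203.0.113.5 dst=198.51.100.10 dport=53
ACCEPT proto=tcp src=203.0.113.5 dst=198.51.100.20 dport=80
ACCEPT proto=tcp src=203.0.113.5 dst=198.51.100.20 dport=443
ACCEPT proto=tcp src=203.0.113.5 dst=198.51.100.20 dport=23
ACCEPT proto=tcp src=192.0.2.7 dst=198.51.100.20 dport=443
"""

FW1_KEY_PORTS = {258, 259, 263}   # ports slide 20 associates with Firewall-1
ALLOWED_WEB_PORTS = {80, 443}     # slide 21: only HTTP/HTTPS should be visible
ICMP_ADDRESS_MASK_REQUEST = 17    # ICMP type of an Address Mask Request
SWEEP_THRESHOLD = 3               # distinct dropped ports from one source (assumed)

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: dport=(?P<dport>\d+))?(?: type=(?P<itype>\d+))?")


def analyze(log_text):
    """Return reconnaissance indicators and exposure findings found in log_text."""
    findings = {"icmp_mask_request": set(), "fw1_port_probe": set(),
                "port_sweep": set(), "exposed_non_web_port": set()}
    dropped_ports = {}  # source address -> set of dropped destination ports
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        src, dst, proto, action = m["src"], m["dst"], m["proto"], m["action"]
        if proto == "icmp" and m["itype"] and int(m["itype"]) == ICMP_ADDRESS_MASK_REQUEST:
            findings["icmp_mask_request"].add(src)   # perimeter fingerprinting attempt
        if m["dport"] is None:
            continue
        port = int(m["dport"])
        if port in FW1_KEY_PORTS:
            findings["fw1_port_probe"].add((src, port))  # someone testing for FW-1
        if action == "DROP":
            dropped_ports.setdefault(src, set()).add(port)
        elif port not in ALLOWED_WEB_PORTS:
            findings["exposed_non_web_port"].add((dst, proto, port))  # policy violation
    for src, ports in dropped_ports.items():
        if len(ports) >= SWEEP_THRESHOLD:
            findings["port_sweep"].add(src)
    return {key: sorted(value) for key, value in findings.items()}
```

Run `analyze(SAMPLE_LOG)` to see the four finding lists; in a real deployment the accepted non-web port is the item to act on first, since it is the exposure slide 21 says should not exist.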

22
Security Boot Camp Intro