- 560.1
- Day1: Planning, Scoping, and Recon
- instructor
- John Strand
- Black Hills Security
- Deadwood, S.D.
- involved with paul dot com
- cheatsheets
- netcat
- windows command line
- misc tools
- announcements
- lunch and learn signups
- 20 critical sec ctrls 6-7
- consensus audit guidelines
- add one more, throw away old redundant
- 7-8 IOScat
- also IOSmap
- 7-8 Intel protection
- 8-9 passive DNS
- notes
- get important data off the system
- hostile environment
- beware of free wireless at hotel: could be SANS
- tremendous amount of hands-on, all week
- against live targets
- pentest vs. vuln assessment
- approach to pentesting
- think outside the box
- ADD helps
- meticulous and organized
- explain how activities were accomplished
- pentester is a security architect who got tired of being told "prove it"
- terms
- be consistent
- r beijlich big on this
- important to be able to describe things consistently
- threat: crazy guy with gun
- vuln: you are not bulletproof
- risk: you are on same bus with crazy guy
- intersection of threat and vuln
- risk is exploitable
- ameliorate risk with layered defense
- attack: violate C, I, or A of the target
- active vs. passive attacks
- pentesting is not about the tools, hence not passive
- thinking through a problem is active
- inside vs. outside
- inside
- some access is given to network
- usually with credentials
- general user
- what % of attacks come from inside?
- most
- outside
- if too many rules, you may find nothing
- types of assessments
- ethical hacking
- write exploits
- hacking: manipulate technology to make it misbehave
- slide 12
- good to hire hackers, so they don't turn bad
- pentesting
- subset of ethical hacking
- use tools and techniques similar to those of criminals
- not writing exploits
- it does not make network more secure to prevent a new 0day
- unless company wants that (SCADA)
- goal: compromise systems and access the information
- security assessment
- find vuln, but do not exploit
- aka "vuln assessment"
- but this is less than a full pentest
- just run a scan
- run Core or Nessus
- print report
- cash check
- not necessarily gaining access to data
- may not take risk into account
- security audit
- "checklist monkey"
- meet certain guidelines
- implies that standards are rigorous
- miss many things
- systems not on thelist
- problems not on thelist
- Heartland was PCI compliant, still got hacked
- why pentest?
- audit standard says to
- very sad
- make a point to decisionmakers
- validate what security team already knows
- funds become available
- offer proof
- addressing discovered vulns
- not all will be addressed.
- at least fix high risk
- infosec is about managing risk
- accept risk instead of fixing
- present findings in business terms
rsnake-
- always wears a suit
- types of pentests
- many customers have no clue what they are looking for
- network services test
- remote
- local
- wardialing
- metasploit plugin
- warlock?
- scan for voice
- spoof caller ID
- to gain access to mailboxes
- identify what answers
- find voicemailboxes without passwords set
- web app
- wireless security
- Cisco LEAP
- WPA
- all can be hacked
- social engineering
- physical security audit
- no-tech hacking
- john guam?
- walk in with the smokers
- sliding doors: wiggle something on far side to open door by motion detection
- hole in sheetrock, bust windows
- SKIP on a base
- arrested by MPs to gain access
- stolen equipment
- make sure firewire is disabled!
- direct memory access
- dump contents of RAM
- at kiosk
- Hit f7 in IE to view source
- maybe right click f7, crtl f7, etc will also work
- opens up notepad
- attack phases
- recon
- scam
- exploit
- attaqckers go further
- maintain access
- cover tracks
- slide 22
- jump around, but keep track of where you are
- go back and do thorough analysts of previous steps
- limitations of pentests
- many limitations are not you, but of engagement
- scope
- certain IPs
- no social engineering
- no 3rd party IPs
- if scope too limited, cannot gain access, then tester's reputation is impaired when someone later breaks in
- time
- two weeks
- not like a determined attacker at all
- access
- put you on certain subnet, with a firewall
- ursnia: become a switch, become STP root
- methods
- no denial of service checks
- no crashing system
- but these are necessary; attackers will check for these
- btw, new window size 0 attack
- additional limitations
- skill of pentesters
- maybe bad at a certain OS
- unfamiliar with Java
- PHP
- AS400
- response may be to avoid testing these
- imagination of pentesters
- no known exploits
- know there is a vuln, but cannot exploit it
- not even time if you know how
- exceptions: big budget, focused scope
- slide 26
- other approaches to finding vulns
- these are less likely to crash target
- config review
- benchmarking tools are helpful
- MBSA
- CIS
- manual and automated
- architecture review
- network diagrams given you are seldom accurate
- why pentesting?
- rubber meets road
- attacker mindset
- avoids many limitations
- deeper than most audits
- strike a balance with customer
- document limitations
- find a way to accomplish goals anyway
- free testing methodologies
- OSSTMM
-
- things you should be covering
- cover all bases
- wireless, physical, etc.
- categorizes reports
- instructor's favorite
- includes info-gathering templates
-
- processes, roles, and sample tools
- incentive for mgt: "NIST suggests we do this"
- also see 800-53A
- OWASP testing guide
- that colorcoded risk matrix
-
- focus is on web app testing
- for instance, business logic testing: best stuff is here
- preauth: exposed to Internet before login
- 10% of app exposed before login, 90% after
- iceberg problem
- session management
- web services
- SOAP
- JMX backend for Jboss
- other jargon
- AJAX
- etc.
- pentesting framework
- Toggmeister
-
- Mindmap showing all the tools!!
- Also, find the _great_ sample report
- checklists, don't limit you
- same pentest might suffice for all, just different checkboxes
- Course DVD
- 504, 517, 560, 561
- therefore not all tools will be used in this class
- see slide 61 ff. for network setup
- get it working by tomorrow
- 10.10/16
- 10.10.75-76.x for class; x is per student
- host 10.10.76.x
- guest 10.10.75.x
- 10.10.10.10,20,50,60 are targets
- DNS is 10.10.10.60
- VM -> settings
- bridged mode
- for attacking targets in class
- the default
- host-only
- for "disconnect from network" labs
- VMNET1
- enable or disable in Windows as needed
- to switch over
- to switch
- disable vnmet1 on host
- set guest to bridged
- set guest IP to 10.10.76.x
- to host-only
- enable vmnet1
- set guest to host-only
- set guest IP to 10.10.75.x
- then ping from guest to host
- #xset b off
- turns off system beep
- report format
- exec summary
- get the business point across
- main thing that needs to be fixed
- actionable items
- overall risks
- 3-6 significant findings
- business impact of each
- levers that mgt can pull to change the root causes
- org struct
- policies
- technology
- if something is done right, mention it (security team is effective)
- execspeak
- books by Malcolm Gladwell
- intro
- date, time range
- who did the test
- methodology
- describe process
- mention NIST if Gov't, for instance
- list results at each stage
- findings
- system
- aggregate similar systems with similar problems
- risk level
- ease of exploit
- summary
- detailed tech
- recommendation
- what has failed?
- patches
- hardening
- filters
- architecture
- process
- resonates with execs
- people
- need more?
- short-term stopgap and long-term fix
- screenshots
- prove that compromise is real
- if cmdline, run "hostname"
- use big hideous yellow arrows
- recreate using video, talking to camera
- conclusion
- don't break new ground
- summarize
- appendices
- manpages for every tool
- user guides for other tools
- actual reports from tools
- current versions of tools vs. tools used
- building an infrastucture
- software toolbox
- underlying OS
- some tools need Windows, some need Linux
- have both ready
- virtualized for rapid switch
- backtrack
- v. 4 is now a distro, means it can be upgraded
- we have our own image for the class
- SANS 504 image
- hydra in backtrack is buggy
Morning break at slide 40- websites
-
- google for the above
- Chris Gates
- new tool called asagi (the spear of zeus)
- by dean debeer
-
- metasploit addin for spearphishing
-
- exploit tools
- tips and strategies
- videos
- a bit edgy sometimes
-
-
- vuln research sources
- US-CERT
- into major software vendors
-
- download the OSVDB
- database with search tool
-
- differet ones have different focuses
- commerical tools
- Nessus
- openvas a fork of nessus2 kernel
- slow like nessus2
- Core
- SPI dynamics webinspect
- IBM rational appscan
- Cenzic hailstorm
- web app vuln discovery
- instructor's favorite
- Immunity CANVAS pro
- not user-friendly
- scarier than Core Impact?
- DOn't just rely on the tools. They have blindspots
- inhouse tools
- XML fuzzing
- give back to the community: share your tools
-
- help in hardening your system
- scan own HD, then shut off AV
- encrypt your HD
- "encryption plus" stores cry keys in RAM
- cold boot attack
- try running STRINGS against memory
- your password in memory in Windows
-
- Windows EFS is not strong
- user's pwd protects it
- leaves copies of protected files in cleartext in unalloc space
- scrub test machines between tests
- if you can
- maybe put external HD in a safe deposit box to preserve results
- windows: cipher /w
- unix: shred
- hardware
- setiing up lab
- mimic the target in lab
- run similar tools, countermeasures
- see if attack or tools are going to work
- for instance, Cisco security agent might bluescreen the box
- save VMware images
- for quick setup
- prepared for various service packs
- cheap switch
- set up your attack system
- hook to Internet without firewall
- your own firewall may interfere
- called "hacking naked"
-
- ask for a box
- they set it up at a colo real quick, you ssh in
- geographical locations
- ISP interference differs
- guppy starline (or starmind?)
- josh moore
- vmware is ok
- run in bridged mode, not NAT mode
- exploits will fill NAT table and get dropped
- harden testing systems carefully
- network
- ISP may ask you "what the hell are you doing?"
- see "the IT crowd"
- set up a relationship so they let you through
- tell your ISP
- tell the customer's ISP
- Fyodor scanning entire Internet
- ISP finds out, are fans, tweaked his access to make it faster
- firewall concerns
- you should not have a firewall on your system
- your network would not be firewalled from Internet
- see slide 53
- seperate offline machine to keep track, do detailed analysis
- copy info to it using a USB token
- reporting from here too
- Overall pentesting process
- preparation
- NDA if applicable
- permission memo
- indemnification: customer realizes systems may crash, and there is no liability
- "get out of jail free" card
- errors and omissions insurance
- needed if you have a pentest company
- about $2MM
- costs $1500-3000 per yr
- contract
- who owns the results
- price
- limitation of liability
- after contract is signed
- make rules of engagement doc
- make project scope doc
- draft both (because they are interdependent)
- ask for comments and recurse
- rules of engagement doc
- how to test
- who to notify when things are found (point of contact)
- point of contact of pentester too
- daily debriefing
- plans
- what is next
- progress
- problems
- 30 minutes
- time of day for testing
- if off-hours, may sure they understamd they may get a phone call
- announced vs. unannounced tests
- unannounced also tests incident response
- if discovered and shunned, then a waste of time
- pivot and continue
- maybe if autoshun you have learned you can DoS them
- awesome to shut pentester down internally
- blackbox vs. crystalbox
- blackbox
- how realistic?
- assumes recon would be done in 2 weeks
- they are trying to limit what you can discover
- crystalbox
- preferred
- more cost effective
- attackers may have the info anyway
- dumpster diving
- insider info
- less chance of accidental damage
- problem: inaccurate info from customer
- viewing data on compromised systems
- HIPAA violation?
- customer data (banks)
- observed test
- creeps out many testers
- adds value to customer
- knowledge transfer
- developer watching may spot a vuln you are not aware of
- must be in rules of engagement
- project scope doc
- meet with customer
- ask customer what the goal is
- specific to environment
- book: "threat modeling" from microsoft press
- what does customer already know?
- avoid scope creep
- what to test
- always verify their ownership of the IP addresses
- should anything be explicitly avoided?
- if additional things discovered during test, ask before attacking them
- break for lunch
- third parties
- get permission
- if mistake, call and say honest mistake, found something
- for instance, Sourcefire email all goes to gmail
- problem with cloud computing
- can you see their pentest results?
- test environment
- not a reliable test
- never the same as prod
- nice for webserver testing because no need for safety
- hows to test?
- portscan allowed?
- ping sweep allowed?
- automated tools allowed?
- goal: only get shell?
- it's not just shell, it's the data
- physical?
- from where?
- Internet
- granted access to site
- sneak in to site
- wireless in to site
- VPN access to internal
- what kinds of threat?
- classic: exploit from outside, gain access
- attack surface question
- target vulns in client-side app
- IE can run anything
- have customer read spoofed email, or browse to wrong site?
- ei zero day
- tracks released zero days
- social engineering?
- can undermine users' trust in infosec
- instructor would refuse, if the target person can get fired
-
- calls hotel, requests test of fire systems
- get explicit written permission
- define info to obtain (explicit goal)
- establish pretexts in advance
- DoS?
- "dangerous" exploits
- known that they might cause a crash
- some vulns will crash systems anyway
- so every exploit is dangerous
- Cisco secure
- MS03-026
- was a stable vuln, did not crash system
- Blaster worm
- scoping exercise p. 109
- company side
- all of the company info should be given to testers in RFP
- third party-managed devices
- some firewalls
- third-party owned devices
- DNS servers
- reporting
- the report is the only evidence of your work
- if inhouse, artifacts lead to longevity
- CYA describing limitations
- test planning
- testing
- conclusion
- Legal issues
- crimes
- crimes facilitated by computer
- where computer is the target
-
- search on laws
- Cyber Sec act of 2002
- life for recklessly causing or attempting to cause death
- SCADA systems
- hospitals
- title 18 sec 1362: comm lines, stations, or systems
- injury or destruction of comm equip
- need not be physical
- degrading performance
- fines, up to 10 years
- slide 134
- title 18 sec 2519 et seq
- wiretap act?
- prohibit unauthorized interception
- allow service providers to monitor
- title 18 sec 2701
- stored information
- afternoon break
- title 18 sec 1029
- computer fraud and abuse act ??
- fraud in connection with access devices
- selling access to systems
- password
- credit card number
- 10k - 100k, 20 yrs
- title 18 sec 1030
- computer fraud and abuse act
- 1894, amended 1996 by natl info infra pro act
- interstate commerce
- focus on unauthorized access
- Canada
- criminal code: sec 184
- illegal to intercept wireless
- various exceptions
- sec 342
- unauth use of computer
- obtain service
- use service
- intercept
- with intent to commit an offense
- UK
- computer misuse act of 1990
- intent again
- intent to secure access
- that is unauthorized
- actor knows that is the case
- also other clauses
- modifying data
- impairing operation
- Germany
- Penal code section 202a, data espionage
- covers and specifically protected against unauth access
- 202c
- anti-hacking
- providing access to tools used for hacking
- writing tools
- posession
- 303a
- alteration of data
- Australia
- cybercrime act of 2001
- needs intent
- causes unauth access or modification of data
- Japan
- law number 128 or 1999
- pretending to be someone you are not
- evading access controls
- Singapore
- chapter 50a
- like UK again
- easy to prove intent there
- summary
- get counsel in advance
- have permission memo reviewed
- recon
- maintain inventory
- how were systems discovered?
- google
- zone xfer
- scan
- reverse lookup
- divulged by customer
- compromise of one hosts
- web site searches
- no sending packets to the system
- general recon using google
- look for
- company
- systems
- company officers
- methods
- googlehacking
- site sans.org -www.sans.org
- finds additional computer systems
- wayback machine
- fluffybunny
- used to deface websites
- left a picture of himself
- in prison now
- find the hack on SANS on wayback machine
- open job positions
- lists of target apps
- lists of security systems
- social networking
- linkedin
- execs love it
- send a linkedin request
- you've been exactly where I want to go
- would you like to mentor me
- facebook
- myspace
- searching for maps
- external lobby VoIP cable gives you LAN
- whois
maltego- free one on Backtrack
- find all websites
- find all mailservers
-
-
-
- whois -H (to hide legal info in response)
- RIRs
- where are the IPs?
- ASN
- DNS info
- ARIN
- @ example.com
- returns email addresses
- try @ gmail.com
-
- DNS
- zone xfers
- take our mailserver out of MX record
- not needed
- only servers to identify mailserver
- also take out mail.fhlbny.com?
- nslookup
- > ls -d example.com > text.txt
- does AXFR request
- > view text.txt
- > set norecurse
- look for websites they visit, compromise site and place malware to attack target
- dig
-
- paid for DNS tests
- tools
- BiLE
- bidirectional link extractor
- Sensepost
- bunch of perl scripts
- ./BiLE target resultsfile
- crawls target file, fetching links, then crawls them
- also searches google for links
- now you have more potential targets
- some might not be in scope
- slide 181
- bile-weigh
- tld-expand.pl
- tries other TLDs
- vet-IPrange.pl
- converts TLDs to IP address ranges
- qtrace.pl
- uses hping
- traceroute to all the IPs
- vet-mx.pl
- looks up the MX
- spiderfoot
- windows-centric
- kind of old
- much worse than bile
- foca
- goes to website, grabs all the docs
- email
- every email contains
- src IP
- could be the private IP
- now do reverse lookups for all /32s in the range
- server name
- is there a naming convention?
- guess others, do lookups
- maybe the version
- googlehacking
- site:www.example.com wireless
- link:zone-h.org
- related:
- intitle:index.of passwd
- intitle:index.of shadow
- if found, webserver is running as root
- windows * buffer overflow
- trumpet 2005..2009
- a numberic range
- OR
- in CAPS, is an operator
- google code
- not just open source code
- indexes and stores any code accidentally posted by a company
-
- site:whatever intitle:index.of bash_history
- nessus results
- automation
- sitedigger
- foundstone
- uses google api
- wikto
- windows
- spiders site, looking for vulnerable scripts
- uses google api
- gooscan
- linux
- from Johnny Long
- no google api
- scrapes results page
- which violates google's terms of use
- problems:
- capcha
- blackhole your IP
- use tor if google starts doing that
- privoxy
- to go through proxies
- goolag
- from CdC
- www.goolag.org
- gnucitizen's GHDB
- webbased
-
- query proxy tools
- aura
- evilapi
- robots.txt
- use as a honeypot
- Beef
- wade alcorn
- hooks browser
- end of day 1
