Penetration Testing & Countermeasures
Paul Fong & Cai Yu
CS691
5 May 2003
Security Penetration Services
- Goal: help organizations secure their systems
- Skill set: equivalent to system administrators
- Record keeping & ethics
Announced vs. Unannounced Penetration Testing
- Announced testing
  - Pros
    - Efficient
    - Team oriented
    - Greater range of testing
  - Cons
    - Holes may be fixed as discovered & block further penetration
    - False sense of security
- Unannounced testing
  - Pros
  - Cons
    - Response may block further penetration
    - Requires strict escalation process
    - Impact operations
Rules of Engagement
- Type of attacks allowed (no DoS)
- Off-limits machines & files (passwords)
- Designated machines or networks
- Test Plan
- Contacts
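The scope items above are worth enforcing mechanically before any probe is launched, so that a typo in a target list cannot reach an off-limits machine. The Python below is an added example, not code from the slides; the designated networks, off-limits hosts and forbidden attack category are constructed placeholder values (RFC 5737 documentation ranges), and the class and method names are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RulesOfEngagement:
    """Scope agreed with the client before testing starts (constructed example)."""
    designated: list                                   # in-scope CIDR blocks or single hosts
    off_limits: list = field(default_factory=list)     # never touched, even inside a designated block
    forbidden_attacks: set = field(default_factory=lambda: {"dos"})  # slides: no DoS

    @staticmethod
    def _networks(items):
        # strict=False lets an entry such as "192.0.2.200/30" parse as its network
        return [ipaddress.ip_network(item, strict=False) for item in items]

    def check_host(self, host):
        """Return (allowed, reason) for one IP address; off-limits wins over designated."""
        addr = ipaddress.ip_address(host)
        if any(addr in net for net in self._networks(self.off_limits)):
            return False, "off-limits"
        if not any(addr in net for net in self._networks(self.designated)):
            return False, "outside designated networks"
        return True, "ok"

    def check_attack(self, kind):
        """True if this attack category is permitted by the rules of engagement."""
        return kind.strip().lower() not in self.forbidden_attacks

    def filter_targets(self, hosts):
        """Split a candidate list into in-scope hosts and (host, reason) rejections."""
        allowed, rejected = [], []
        for host in hosts:
            ok, reason = self.check_host(host)
            if ok:
                allowed.append(host)
            else:
                rejected.append((host, reason))
        return allowed, rejected


# Constructed sample scope: one /24 in scope plus a single external host,
# with the gateway address and a small management block excluded.
ROE = RulesOfEngagement(
    designated=["192.0.2.0/24", "198.51.100.10"],
    off_limits=["192.0.2.1", "192.0.2.200/30"],
)
```

Run the candidate target list through `ROE.filter_targets()` and feed only the returned `allowed` list to the scanner; the rejected pairs go into the engagement record.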
Penetration Testing Phases
- Footprint
- Scanning/Probing
- Enumeration
- Gain Access
- Escalate Privileges
- Exploit
- Cover Tracks
- Create Backdoors
Footprinting
- Profile target passively
  - Address blocks
  - Internet IP addresses
  - Administrators
- Techniques
  - Googling
  - Whois lookups
Scanning/Probing: nmap
- Active probing
- NMAP
  - Port scanner
  - www.insecure.org
  - Discovers:
    - Available hosts
    - Ports (services)
    - OS & version
    - Firewalls
    - Packet filters
Scanning/Probing: nessus
- www.nessus.org
- Vulnerability scanning
  - Common configuration errors
  - Default configuration weaknesses
  - Well-known vulnerabilities
Enumeration: hackbot
- Identify accounts, files & resources
- ws.obit.nl/hackbot
- Finds:
  - CGI
  - Services
  - X connection check
Gaining Access: packet captures
- Eavesdropping
- Ethereal, www.ethereal.com
Physical Access
- Boot loader & BIOS vulnerabilities
  - GRUB loader
    - No password
    - Allows hacker to boot into single-user mode with root access
- Password crackers
  - John the Ripper
  - Crack
Wireless Security
- War driving with directional antenna
- Wired Equivalent Privacy (WEP) vulnerabilities
- Penetration tools:
  - WEPcrack
  - AirSnort
Counter Measures 1
- Update to the latest patches.
- Change default settings/options.
- Set up a password and protect your password file.
- Install anti-virus software and keep it updated.
Counter Measures 2
- Install only required software; open only required ports.
- Maintain a good backup.
- Set a BIOS password, a system loader password, and any other passwords that are necessary.
- Have a good emergency plan.
Counter Measures 3
- Monitor your system if possible.
- Have a good administrator.
Future Improvements
- Correction of weaknesses uncovered by the penetration exercise
- Automate and customize the penetration test process
- Use of intrusion detection systems
- Use of honeypots and honeynets
Demo: Retina Network Security Scanner
- Created by eEye Digital Security, Retina Network Security Scanner is recognized as the #1 rated network vulnerability assessment scanner by Network World magazine.
- Retina sets the standard in terms of speed, ease of use, reporting, non-intrusiveness and advanced vulnerability detection capabilities.
- Retina incorporates the most comprehensive and up-to-date vulnerabilities database -- automatically downloaded at the beginning of every Retina session.
Bibliography
- Klevinsky, et al. Hack I.T.: Security Through Penetration Testing. ISBN 0-201-71956-8.
- McClure, et al. Hacking Exposed: Network Security Secrets and Solutions, 2nd edition. ISBN 0-07-222742-7.
- Sage, Scott & Lear, Lt. Col. Tom. "A Penetration Analysis of UCCS Network Lab Machines," March 2003. UCCS course CS691c.
- Warren Kruse, et al. Computer Forensics. ISBN 0-201-70719-5.
- Ed Skoudis, et al. Counter Hack. ISBN 0-13-033273-9.
- Lance Spitzner, et al. Honeypots. ISBN 0-321-10895-7.
- Retina Network Security Scanner, http://www.eeye.com/html/Products/Retina/index.html