CS691, 5 May 2003

Security Penetration Services
- Goal: help organizations secure their systems
- Skill set: equivalent to system administrators
- Record keeping & ethics

Announced vs. Unannounced Penetration Testing
- Announced testing
  - Pros: efficient; team oriented
  - Cons: holes may be fixed as they are discovered and block further penetration; requires a strict escalation process; impacts operations
- Unannounced testing
  - Pros: greater range of testing
  - Cons: the response may block further penetration; false sense of security

Rules of Engagement
- Type of attacks allowed (no DoS)
- Off-limits machines & files (passwords)
- Designated machines or networks
- Test plan
- Contacts

Penetration Testing Phases
1. Footprint
2. Scanning/Probing
3. Enumeration
4. Gain Access
5. Escalate Privileges
6. Exploit
7. Cover Tracks
8. Create Backdoors

Footprinting
- Profile the target passively: address blocks, Internet IP addresses, administrators
- Techniques: Googling, whois lookups

Scanning/Probing: nmap
- Active probing
- NMAP port scanner, www.insecure.org
- Discovers: available hosts, ports (services), OS & version, firewalls, packet filters

Scanning/Probing: nessus
- www.nessus.org
- Vulnerability scanning: common configuration errors, default configuration weaknesses, well-known vulnerabilities

Enumeration: hackbot
- Identify accounts, files & resources
- ws.obit.nl/hackbot
- Finds: CGI services, X connection check

Gaining Access: packet captures
- Eavesdropping
- Ethereal, www.ethereal.com

Physical Access
- Boot loader & BIOS vulnerabilities
- GRUB loader with no password allows an attacker to boot into single-user mode with root access
- Password crackers: John the Ripper, Crack

Wireless Security
- War driving with a directional antenna
- Wired Equivalent Privacy (WEP) vulnerabilities
- Penetration tools: WEPcrack, AirSnort

Counter Measures 1
- Install the latest patches.
- Change default settings/options.
- Set up passwords and protect your password file.
- Install anti-virus software and keep it updated.

Counter Measures 2
- Install only required software; open only required ports.
- Maintain a good backup.
- Set a BIOS password, a system loader password, and any other passwords that are necessary.
- Have a good emergency plan.

Counter Measures 3
- Monitor your system if possible.
- Have a good administrator.

Future Improvements
- Correction of weaknesses uncovered by the penetration exercise
- Automate and customize the penetration test process
- Use of intrusion detection systems
- Use of honeypots and honeynets

Demo: Retina Network Security Scanner
Created by eEye Digital Security, Retina Network Security Scanner is recognized as the #1 rated network vulnerability assessment scanner by Network World magazine. Retina sets the standard in terms of speed, ease of use, reporting, non-intrusiveness and advanced vulnerability detection capabilities. Retina incorporates the most comprehensive and up-to-date vulnerabilities database, automatically downloaded at the beginning of every Retina session.

Bibliography
- Klevinsky et al. Hack I.T.: Security Through Penetration Testing. ISBN 0-201-71956-8.
- McClure et al. Hacking Exposed: Network Security Secrets and Solutions, 2nd edition. ISBN 0-07-222742-7.
- Sage, Scott & Lear, Lt. Col. Tom. A Penetration Analysis of UCCS Network Lab Machines, March 2003. UCCS course CS691c.
- Warren Kruse et al. Computer Forensics. ISBN 0-201-70719-5.
- Ed Skoudis et al. Counter Hack. ISBN 0-13-033273-9.
- Lance Spitzner et al. Honeypots. ISBN 0-321-10895-7.
- Retina Network Security Scanner, http://www.eeye.com/html/Products/Retina/index.html
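The Rules of Engagement slide lists what a test team must agree before touching anything: allowed attack types (no DoS), off-limits machines and files, designated networks, a test plan and contacts. The following script is an added example, not part of the slides or any of the tools they cite; it turns such an agreement into a check that every planned action passes before execution and writes a decision record for each one (the "record keeping" point from the first slide). All networks, hosts, file names and test-type names in it are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed rules-of-engagement document. Every network, host and file name
# is a hypothetical value made up for this example, not taken from the slides.
RULES_OF_ENGAGEMENT = {
    "designated_networks": ["10.20.0.0/16", "192.0.2.0/24"],
    "off_limits_hosts": ["10.20.1.5", "10.20.1.6"],      # e.g. production database servers
    "off_limits_files": ["/etc/passwd", "/etc/shadow"],  # password files must not be collected
    "allowed_test_types": ["port-scan", "vuln-scan", "enumeration", "packet-capture"],
    "forbidden_test_types": ["dos"],                     # the slides: no denial of service
}


@dataclass
class RulesOfEngagement:
    networks: list          # ip_network objects the team may touch
    off_limits_hosts: set   # ip_address objects that are never touched
    off_limits_files: set
    allowed: set
    forbidden: set

    @classmethod
    def from_dict(cls, doc):
        return cls(
            networks=[ipaddress.ip_network(n) for n in doc["designated_networks"]],
            off_limits_hosts={ipaddress.ip_address(h) for h in doc["off_limits_hosts"]},
            off_limits_files=set(doc["off_limits_files"]),
            allowed=set(doc["allowed_test_types"]),
            forbidden=set(doc["forbidden_test_types"]),
        )

    def check(self, target, test_type, files=()):
        """Return the list of RoE violations for one planned action (empty = in scope)."""
        problems = []
        if test_type in self.forbidden:
            problems.append(f"test type {test_type!r} is forbidden by the RoE")
        elif test_type not in self.allowed:
            problems.append(f"test type {test_type!r} is not on the allowed list")
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            problems.append(f"target {target!r} is not an IP address")
            return problems
        if ip in self.off_limits_hosts:
            problems.append(f"target {ip} is an off-limits machine")
        elif not any(ip in net for net in self.networks):
            problems.append(f"target {ip} is outside the designated networks")
        for path in files:
            if path in self.off_limits_files:
                problems.append(f"file {path} is off limits")
        return problems


def review_test_plan(roe, plan):
    """Split a test plan into approved and rejected actions and keep a written
    record of every decision, so the engagement can be audited afterwards."""
    approved, rejected, record = [], [], []
    for action in plan:
        problems = roe.check(action["target"], action["test_type"], action.get("files", ()))
        decision = "approved" if not problems else "rejected"
        record.append(f"{decision}: {action['test_type']} against {action['target']}"
                      + (f" ({'; '.join(problems)})" if problems else ""))
        (approved if not problems else rejected).append(action)
    return approved, rejected, record


# Constructed test plan (hypothetical), one in-scope action and four violations
TEST_PLAN = [
    {"target": "10.20.5.7", "test_type": "port-scan"},
    {"target": "10.20.1.5", "test_type": "port-scan"},          # off-limits host
    {"target": "10.20.5.7", "test_type": "dos"},                # forbidden attack type
    {"target": "203.0.113.4", "test_type": "vuln-scan"},        # outside designated networks
    {"target": "192.0.2.10", "test_type": "enumeration", "files": ["/etc/shadow"]},
]

if __name__ == "__main__":
    roe = RulesOfEngagement.from_dict(RULES_OF_ENGAGEMENT)
    approved, rejected, record = review_test_plan(roe, TEST_PLAN)
    print("\n".join(record))
```

The off-limits check runs before the network check on purpose: a host can be inside a designated network and still be excluded, and the record should say which rule rejected it.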
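The Scanning/Probing slides describe what a port scanner such as nmap reveals, and the Counter Measures 3 and Future Improvements slides answer with monitoring and intrusion detection. As an added example (not from the slides or from nmap), the following detector shows the defender's side of that exchange: it reads iptables-style packet-filter log lines and flags any source that touches many distinct destination ports within a short window, which is the signature a port scan leaves in a firewall log. The log lines, addresses and thresholds are constructed for the example; the log format is the one the Linux netfilter LOG target writes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a kernel packet-filter log in which 203.0.113.9 probes
# twelve ports in two seconds while 198.51.100.7 behaves like a normal client.
# Not a real capture; the sshd line shows that non-filter lines are ignored.
SAMPLE_LOG = """\
May  5 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
May  5 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
May  5 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
May  5 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
May  5 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=53 SYN
May  5 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=80 SYN
May  5 10:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=110 SYN
May  5 10:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40008 DPT=111 SYN
May  5 10:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40009 DPT=135 SYN
May  5 10:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40010 DPT=139 SYN
May  5 10:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40011 DPT=143 SYN
May  5 10:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40012 DPT=443 SYN
May  5 10:00:03 gw sshd[1234]: Accepted publickey for admin from 198.51.100.7 port 50000 ssh2
May  5 10:00:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=80 SYN
May  5 10:00:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50002 DPT=443 SYN
"""

# syslog timestamp, host, then the netfilter key=value fields we need
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2003):
    """Parse one packet-filter log line; return None for lines of other kinds.
    Syslog omits the year, so the caller supplies it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def detect_port_scans(lines, window_seconds=60, threshold=10):
    """Flag sources that hit at least `threshold` distinct (host, port) pairs
    within any `window_seconds` interval. Returns {src: alert_record}."""
    by_src = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_src[event["src"]].append(event)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        window, best = [], set()
        for event in events:
            window.append(event)
            # slide the window: drop events older than window_seconds
            while (event["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.pop(0)
            distinct = {(e["dst"], e["dpt"]) for e in window}
            if len(distinct) > len(best):
                best = distinct
        if len(best) >= threshold:
            alerts[src] = {"distinct_ports": len(best),
                           "ports": sorted(port for _, port in best),
                           "first_seen": events[0]["ts"]}
    return alerts


if __name__ == "__main__":
    for src, alert in detect_port_scans(SAMPLE_LOG.splitlines()).items():
        print(f"possible port scan from {src}: {alert['distinct_ports']} ports "
              f"starting {alert['first_seen']:%H:%M:%S}: {alert['ports']}")
```

A threshold of ten distinct ports in a minute separates the sample scanner from the ordinary client, but the right values depend on the network; a slow scan spread over hours stays under any short window, which is one reason the slides pair monitoring with intrusion detection systems and honeypots rather than relying on a single rule.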
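The Physical Access slide notes that a GRUB loader without a password lets anyone at the console boot single-user with root access, and the Counter Measures slides ask for a boot loader password and a protected password file. The following audit is an added example written for these slides, not part of them: it checks a boot loader configuration for a password directive and checks the ownership and permission bits of the hashed-password file. The sample configurations are constructed, with placeholder hashes; `audit_password_file` is the only function that touches the real filesystem.

```python
import os
import re
import stat

# Constructed GRUB legacy configurations (hypothetical hosts, placeholder hash).
GRUB_UNPROTECTED = """\
default=0
timeout=5
title Linux
    root (hd0,0)
    kernel /vmlinuz ro root=/dev/hda2
"""

GRUB_PROTECTED = """\
default=0
timeout=5
# placeholder hash; a real one comes from grub-md5-crypt
password --md5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
title Linux
    root (hd0,0)
    kernel /vmlinuz ro root=/dev/hda2
"""

# GRUB legacy: 'password <plain>' or 'password --md5 <hash>'
# GRUB 2: 'password_pbkdf2 <user> <hash>'
PASSWORD_RE = re.compile(r"^password(_pbkdf2)?(\s|$)")


def grub_password_set(config_text):
    """True if the boot loader config sets a password.

    In GRUB legacy (menu.lst / grub.conf) the directive must appear in the
    global section, i.e. before the first 'title'; a password placed inside an
    entry only locks that entry and still leaves interactive editing open.
    GRUB 2 files have no 'title' lines, so their password_pbkdf2 is found
    wherever it sits.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("title"):
            break  # end of the legacy global section
        if PASSWORD_RE.match(line):
            return True
    return False


def password_file_findings(path, mode, uid, expected_uid=0):
    """Findings for a hashed-password file such as /etc/shadow, given its
    permission bits and owner uid. Kept separate from os.stat so the rules
    can be exercised without root or a real system."""
    findings = []
    if uid != expected_uid:
        findings.append(f"{path} is owned by uid {uid}, expected {expected_uid}")
    if mode & stat.S_IRWXO:
        findings.append(f"{path} is accessible by others (mode {mode:04o})")
    if mode & stat.S_IWGRP:
        findings.append(f"{path} is writable by its group (mode {mode:04o})")
    return findings


def audit_password_file(path="/etc/shadow"):
    """Run the permission rules against a real file."""
    st = os.stat(path)
    return password_file_findings(path, stat.S_IMODE(st.st_mode), st.st_uid)


if __name__ == "__main__":
    for name, cfg in (("unprotected", GRUB_UNPROTECTED), ("protected", GRUB_PROTECTED)):
        print(f"{name} boot loader config: password set = {grub_password_set(cfg)}")
    for candidate in ("/boot/grub/menu.lst", "/boot/grub/grub.conf", "/boot/grub/grub.cfg"):
        if os.path.exists(candidate):
            with open(candidate) as fh:
                print(f"{candidate}: password set = {grub_password_set(fh.read())}")
    if os.path.exists("/etc/shadow"):
        print(audit_password_file() or "/etc/shadow permissions look fine")
```

The group bits are left alone on read because some distributions keep the shadow file as mode 0640 owned by root with a dedicated group; a world-accessible or group-writable file is the case that contradicts the slide's "protect your password file" in every configuration. A boot loader password does not stop someone who can open the case or boot from removable media, which is why the slides list a BIOS password alongside it.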