Security Analysis

1. Need for Security Analysis
* Confidentiality
  - Data classification
  - Encryption
  - Equipment disposal
* Integrity
  - Checksum
  - Access control
* Authentication
* Authorization
* Availability
* Non-repudiation
  - Digital signatures
  - Confirmation services
  ! Prone to phishing / MITM
  ! Fake digital signature: stolen private key
* Security analysis
* Popular security threats
  ! Data loss
  ! Theft
  ! Fraud / forgery
  ! Unauthorized information access
  ! Interception / modification of data
* New exploits are being discovered as frequently as every 4 hours
* Data breach risk calculator tool: http://www.ibmcostofdatabreach.com/
* Threat: intentional / accidental
  - Type: physical damage, natural events, loss of essential services (electrical power / AC), compromise of information (eavesdropping), technical failures (equipment, capacity), compromise of functions (error in use, denial of actions)
  - Origin: deliberate, accidental, environmental, negligence
  - Human: deliberate (disgruntled employee), accidental (lack of knowledge)
* Risk: potential of losing something of value
* Threat: function of enemy capability to attack
  Threat = (Capability) x (Intent)
* Risk: function of the probability that you will be involved in an attack
  Risk = (Probability) x (Harm)
  Risk (to an asset) = Threat x Vulnerability x Impact / Consequence
* Asset
* Calculating risk = Threat, Vulnerability, Risk
* Risk assessment
* Information security awareness
* Security policies: a document / set of documents that describes the security controls that will be implemented by the company
  - Promiscuous policy: no restrictions on Internet / remote access
  - Permissive policy: known dangerous services/attacks are blocked; the policy begins wide open, then known holes are plugged / known dangers stopped
  - Prudent policy: provides maximum security while allowing known, but necessary, dangers; all services are blocked, nothing is allowed, everything is logged
  - Paranoid policy: everything is forbidden, no Internet connection
* Acceptable use policy
* Data classification policy: high risk, confidential, public
* Intrusion detection policy
* Virus prevention policy
* Other policies
* FACTA & ISO
  - Class details: FACTA (Fair and Accurate Credit Transactions Act of 2003), FACTA continued, FCRA act, ISO 17799, ISO, domains of ISO 17799
  - FACTA: amendment to FCRA that was added, primarily, to protect consumers from identity theft
  - The Act stipulates requirements for information privacy, accuracy and disposal and limits the ways consumer information can be shared
  - FACTA is a US federal law
  - Passed by US Congress on November 22, 2003
  - Allows consumers to request and obtain a free credit report once every twelve months
  - FACTA categories
    a. Data classification
    b. Prevention, as well as detection
    c. Consumer request policies
    d. Consumer notification
    e. Employment policies and procedures
    f. Data destruction policies
* ISO 17799: a set of recommendations organized into 10 major sections covering all facets of information systems policies and procedures. Many organizations and consulting firms use ISO 17799 as the baseline for policy best practices
  - Security policy: input into security management from the top down
  - Organizational security: focuses on internal and external management
  - Asset classification and control: focuses on organizing, prioritizing, and classifying information based on sensitivity
  - Personnel security
  - Physical and environmental security
  - Communications and operations management
  - Access control
  - System development and maintenance
  - Business continuity management
  - Compliance: covers law and legislation from a state, local and federal standpoint
* US legislation
  - California SB 1386: bill passed by the California Legislature
  - Sarbanes-Oxley 2002: U.S. Congress, to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise
    - Introduced due to the Enron case
    - Influence the Big Six accounting firms had on larger corporations
  - Gramm-Leach-Bliley Act (GLBA)
    - Eases the transfer of financial information between institutions and banks
    - Protecting consumers' personal financial information
  - Health Insurance Portability and Accountability Act (HIPAA)
    - Administrative safeguards to protect the integrity, availability, and confidentiality of health information
  - Family Educational Rights and Privacy Act (FERPA)
    - Protects the privacy of student education records
  - Payment Card Industry Data Security Standard (PCI DSS)
    - A set of guidelines, measures and controls that were established to assist merchants
    - Implements strong security precautions to ensure safe credit card usage and secure information storage
  - USA PATRIOT Act 2001
    - Wiretap orders can now be obtained
    - ISPs may volunteer information
    - Mailbox information can be obtained by subpoena rather than wiretap order

2.
TCP IP Packet Analysis
* TCP protocol
  - Defined by IETF in RFC 793
  - Connection-oriented
  - Manages flow control (sliding windows); windowing is a flow control mechanism
  - Simplex / half-duplex / full-duplex
  - Sequence numbers and acknowledgements (reliable)
* TCP/IP layers
  - Application layer
  - Transport layer -> protocols | tools
  - Internet layer (IP, ICMP, IGMP)
  - Network access layer (PPP, Ethernet, interface drivers)
* TCP flags
  - ACK (A): acknowledges the receipt of data from the sender; "piggybacked" with other flags
  - SYN (S): session establishment request, first part of any TCP connection
  - FIN (F): the sender's intention to gracefully terminate the sending host's connection to the receiving host
  - RESET (R): the sender's intention to immediately abort the existing connection with the receiving host
  - PUSH (P): immediately "pushes" data from the sending host to the receiving host's application software
  - URGENT (U): urgent data
  - Placeholder: if a segment does not have a SYN, FIN, RESET or PUSH flag set, a placeholder (a period) will be found after the destination port
  - IP protocol numbers: TCP = 6, UDP = 17
* UDP: TFTP (RFC 1350), SNMP (NMS: network management station), DHCP (67, 68), DNS
* Port number = 16 bits
* IPv4 header
  - Header length: stored in units of 32-bit words
  - Type of service (TOS): provides network service parameters
  - Datagram size: contains the combined data and header length
  - Flags: router fragmentation activity is controlled by three flags
  - Fragmentation offset: fragment identification via offset value
  - TTL: total number of routers the packet is allowed to pass through
* IPv6 security issues
  - Dual-stack related issues, header manipulation (IPsec), flooding (scanning IPv6)
* Security flaws in IPv6
  - Trespassing: easy for an attacker to get information
  - Bypassing filtering devices: chances of attackers hiding traffic
  - DoS: DoS attack using the same links
  - Anycast: the routing header 0 feature of IPv6 can single out all instances of an anycast service
  - IPv6 puts IPv4 at risk
* Security vulnerabilities
  - Routing Header Type 0 (RH0)
    - IPv6 uses a minimalist standard packet header
    - Potential DoS
  - IPv6 Neighbor Discovery (ND)
    - Attackers who gain access to a target's LAN can launch rogue Router Advertisements (RAs)
    - Launch DoS
* IPsec
  - IETF
  - Secure transmission
  - Protects and authenticates IP packets
  - Data confidentiality
  - Data integrity
  - Data origin authentication
  - Anti-replay
  - Consists of header and payload
  - Data is encrypted
  - 2 modes of operation
    1. Transport mode
       - Source and destination hosts must directly perform all cryptographic operations
       - Data sent through a single tunnel
       - Establishes end-to-end security
    2. Tunnel mode
       - Special gateways perform cryptographic processing
       - Many tunnels to establish gateway-to-gateway security
  - Data packet encodings (DPE): AH & ESP
  - Packet filtering
  - IPv6 firewalling
* SYN flooding = DoS
* TCP/IP control messages: network congestion
  - ICMP redirect: type = 5
  - ICMP time exceeded: type = 11
  - ICMP parameter problem: type = 12
* ICMP codes
  Type  Code  Description                                        Query/Error
  0     0     Echo reply (PING)                                  Query
  3     1     Host unreachable                                   Error
  3     3     Port unreachable (TRACEROUTE)                      Query
  8     0     Echo request (PING)                                Query
  11    0     Time to live equals 0 during transit (TRACEROUTE)  Error
  12    0     Bad IP header                                      Error
  13    0     Timestamp request                                  Query
  14    0     Timestamp reply                                    Query
* ICMP messages
  - Error-reporting messages
    Type  Message
    3     Destination unreachable
    4     Source quench
    11    Time exceeded
    12    Parameter problem
    5     Redirection
  - Query messages
    8 or 0    Echo request or reply
    13 or 14  Timestamp request or reply
    17 or 18  Address mask request or reply
    10 or 9   Router solicitation or advertisement

3. Penetration Testing Methodologies
* Need for pen-testing: to provide a better return on IT security investment (ROSI) by identifying and resolving vulnerabilities and weaknesses
* Pen-test techniques
  - Passive research: to gather information
  - Open source monitoring: enables an organization to take the necessary steps to ensure its confidentiality and integrity
  - Network mapping and OS fingerprinting
  - Spoofing: using one machine to pretend to be another
  - Network sniffing
  - Trojan attacks
  - Brute force attack
  - Vulnerability scanning
* Application security assessment
  - To identify and assess threats to the organization through bespoke, proprietary applications / systems
  - This test checks an application so that a malicious user cannot access, modify or destroy data or services within the system
    a. Source code review
    b. Authorization testing
    c. Functionality testing
    d. Web penetration testing
* Network security assessment
* Wireless / remote access assessment
* Telephony security assessment
* Social engineering / people hacking
* Skill sets for pen-testing
  - Windows, Unix, Linux
  - C, C++, C#, Java, PHP, Perl, Python
  - Networking tools (Nessus, nmap, Burp)
  - Computer hardware and software
  - Web-based applications
  - Security frameworks (ISO 27001/27002, NIST, HIPAA, SOX)
  - Security tools (Fortify, AppScan)
  - Vulnerability analysis and reverse engineering
  - Metasploit framework
  - Forensic tools
  - Cryptography principles
  - Methodology: OSSTMM, CHECK, OWASP
* Pen-testing methodology
  a. Network security
     - Network surveying
     - Port scanning
     - System identification
     - Services identification
     - Vulnerability research & verification
     - Application testing & code review
     - Router testing
     - Firewall testing
     - IDS testing
     - Trusted system testing
     - Password cracking
     - DoS testing
     - Containment measures testing
  b. Information security
     - Document grinding
     - Competitive intelligence scouting
     - Privacy review
  c. Social engineering
     - Request testing
     - Guided suggestion testing
     - Trust testing
  d. Wireless security
     - Wireless networks testing
     - Cordless communications testing
     - Privacy review
     - Infrared systems testing
  e. Communications security
     - PBX testing
     - Voicemail testing
     - FAX review
     - Modem testing
  f. Physical security
     - Access controls testing
     - Perimeter review
     - Monitoring review
     - Alarm response testing
     - Location review
     - Environment review
* Pen test methodologies list
  - IBM
  - ISS
  - Foundstone
  - EC-Council's LPT
* Open source and public
  - OSSTMM
  - CISSP and CISA and CHECK
  - OWASP
* Pen-testing roadmap
  - Start
  - Information gathering
  - Vulnerability analysis
  - External pen-testing
  - Internal pen-testing
  - Router and switches pen-testing
  - Firewall pen-testing
  - IDS pen-testing
  - Wireless network pen-testing
  - DoS pen-testing
  - Password cracking pen-testing
  - Social engineering pen-testing
  - Stolen laptops, PDAs and cell phones
  - Application pen-testing
  - Physical security pen-testing
  - Database pen-testing
  - VoIP pen-testing
  - VPN pen-testing
  - War dialing
  - Virus & Trojan detection
  - Log management pen-testing
  - File integrity checking
  - Bluetooth & handheld device pen-testing
  - Telco & broadband communication
  - Email security
  - Security patches
  - Data leakage
* ROI on penetration testing
  - ROI: traditional financial measure based on historic data
  - ROI metrics include:
    - Payback period: the amount of time required for the benefits to pay back the cost of the project
    - Net present value (NPV): the value of future benefits reported in terms of today's money
    - Internal rate of return (IRR): the benefits reported as an interest rate

4.
Customer and Legal Agreements
* Types of pen-testing
  - Black box pen-testing
    - No prior knowledge of the infrastructure to be tested
    - You will be given just a company name
    - Penetration test must be carried out after extensive information gathering and research
    - Time-consuming and expensive type of test
  - White box
    - You will be given the company infrastructure
    - Network type
    - Current security implementations
    - IP address / firewall / IDS details
    - Company policies: do's and don'ts
  - Gray box
    - The tester has limited knowledge of information
* Legal consequences
* Get out of jail free card
  - For software review / decompiling, make sure that the copyright to the software permits (or does not prohibit) the reverse engineering or code review
  - Get out of jail free card: a legal agreement signed by an authorized representative of the organization
  - The agreement outlines the types of activities to be performed and indemnifies the tester against any loss / damage that may result from the testing
  - Example: www.counterhack.net
* Confidentiality and NDA agreements
  - NDA (Non-Disclosure and Secrecy Agreements): protect an organization's confidential information during business dealings with customers, suppliers, employees
* Liability issues
  - Civil wrong (tort): wrongdoing, loss

5. Rules of Engagement
* Rules of engagement
  - Formal permission to conduct a pen test
  - Provide certain rights and restrictions to the test team
  - Help testers to overcome legal, federal, and policy-related restrictions
  - Defines how that testing is to occur
  - It is formal permission to conduct the pen test, obtained before starting
  - The rules of engagement (ROE) template will help you organize and prepare the penetration testing methodology
* ROE key elements
  - Introduction
    a. Purpose
    b. Scope
    c. Assumptions and limitations
    d. Risks
    e. Document structure
  - Logistics
    a. Personnel
    b. Test schedule
    c. Test site
    d. Test equipment
  - Communications strategy
    a. General communication
    b. Incident handling and response
  - Target system / network
  - Testing execution
    a. Nontechnical test components
    b. Technical test components
    c. Data handling
  - Reporting
    a.
  - Signature page
* Clauses in ROE
  - List of allowed and prohibited activities
  - Explicitly prohibit some activities that might cause risk to the system
  - ROE protects the penetration testing team
  - Test scope, limitations and other activities for protecting the test team
  - Authorization of penetration testers for systems and network testing
  - Details about the level and reach of the penetration test
  - Definition of the different types of allowed testing techniques
  - ROE activities:
    a. Port and service identification
    b. Vulnerability scanning
    c. Security configuration review
    d. Password cracking
  - ROE information:
    a. How data is treated throughout and after the test
    b. How data should be transmitted during and after the test
    c. Techniques for data exclusion from systems upon termination of the test
    d. Clear guidance on incident handling

6. Penetration Testing Planning and Scheduling
* IEEE standards
* IEEE Std. 829-1998 sections
  a. Test plan identifier: a unique label so you can refer to that document
  b. Introduction
     - Outlines what is to be tested
     - The top-level test plan should point to related documents
     - Lower-level plans should point to their parents
  c. Test items
     - What is to be tested
     - Be explicit about the version
     - How to get the test items into the test environment
     - Point to whatever documentation of the test items exists
  d. Features to be tested
  e. Features not to be tested
  f. Approach
  g. Item pass/fail criteria
  h. Suspension criteria and resumption requirements
  i. Test deliverables
  j. Testing tasks
  k. Test environmental needs
  l. Responsibilities
  m. Staff and training needs
  n. Schedule
  o. Risks and contingencies
  p. Approvals
* Tiger team
  - CPO (Chief penetration tester)
  - DBA and application expert
  - Networking expert
  - Ethical hacker
  - Data analyst
  - Project manager
  - Report and documentation writer
* Pen test project scheduling tools
  a. Easy Schedule Maker: patrena.com
  b. FastTrack Schedule: aecsoft.com
  c. GigaPlan.net: gigaplan.com
  d. ManagePro: performancesolutiontech.com
  e. Microsoft Project
  f. Niku: niku.com
  g. OpenAir: openair.com
  h. Planview: planview.com

7. Pre Penetration Testing Steps
* NDA: an agreement that contains confidential information
* Tool categories
  - Port scanner: nmap, firewalk, SuperScan
  - Vulnerability scanner: Nessus, SAINTexploit, Metasploit, X-Scan
  - Application scanner: AppScan, WebInspect
  - Firewall tools: Firestarter, fwlogwatch
  - Sniffer: Wireshark, Kismet
  - Fingerprinting: queso, siphon-v.666, winfingerprint
  - Hijacking: pasvagg.pl, sw-mitm
  - HTML tools: websnake
  - IDS: AIDE, hostsentry, logcheck, portsentry, snort, swatch, tripwire
  - Misc: copernic, genius, ucd-snmp
  - NetBIOS: enum, nbnbs, NetBIOS Auditing Tool
  - Network management: analyzer, cheops, ciscoconf, ip-watcher, ipaudit, iplog, netsaint, sting
  - NT-specific: eldump, netview, wsses
  - Password: chklock, makepwl, zippassword
  - Packet: isic, nemesis, neotrace, sendip
  - Phone: THC-PBX, toneloc
  - Ping: icmp query, sping, netping, visual route
  - Promiscuous mode: commview, sentinel
  - Steganography: blindside, gifshuffle, hide4pgp, jphide, jpseek, steganoGifPaletteOrder, steganos, stego, wbstego

8.
Information Gathering
* http://builtwith.com/ : find out what websites are built with
* Intelius and EDGAR database
* Mirror the pages
  - HTTrack website copier offline browser
  - Webcrawl
  - cURL and libcurl
  - W2Mir
  - Web Copier
  - Folder synchronization tools
  - File Dog
  - BlackWidow
* Mirror the FTP site
  - FTPCopy
  - FTP Mirror Manager
  - GetRight
  - FTP Mirror Tracker
  - Auto FTP Manager
* WHOIS database
  - WHOIS
  - Sam Spade
  - NetScanTools
  - Whois.net
  - WhereIsIP
  - LOKBOX
  - Active Whois
* Phonedirectorysearch.com
* Email spider
* Google search = "company name + partners + project + press release"
* Trade association directory
* Link popularity: alexa.com, marketleap.com/publinkpop/default.htm
* Price of product / service: shopbot, bizrate, yahoo shopping, pronto
* Geographical location: MapQuest, http://openlayers.org, openstreetmap, mapbox, wikimapia map, waze map
* www.archive.org / Wayback Machine
* Job postings: Indeed, Simply Hired, Glassdoor, CareerBuilder, Monster, FlexJobs, Dice
* webinvestigator.org
* intelius.com: background check on a company
* domainresearchtool
* EDGAR database
* finance.google.com
* experian.com -> business reports
* 411.com, thephonebook.bt.com
* dnsstuff
* ghdb.php or exploit-db.com/google-hacking-database

9. Vulnerability Analysis
* Vulnerability assessment: the process of identifying, quantifying, and prioritizing/ranking the vulnerabilities in a system
* Vulnerability classification
  - Misconfigurations
  - Default installations
  - Buffer overflows
  - Unpatched servers
  - Default passwords
  - Open services
  - Application flaws
* Types of vulnerability assessment
  a. Active assessment: scans the network using any network scanner to find hosts, services, and vulnerabilities
  b. Passive assessment: technique that sniffs the network traffic to find out active systems, network services, applications, and vulnerabilities present
  c. Internal assessment: technique that scans the internal infrastructure to find out the exploits and vulnerabilities
  d. Host-based assessment: a security check that carries out a configuration-level test through the command line
  e. External assessment
  f. Application assessment: tests the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities
  g. Wireless network assessment: determine and track all the wireless networks present at the client's site
  h. Network assessment
* Timeline: Gantt project
* Types of vulnerability assessment tools
  a. Host-based VA tools: OS running, common applications and services
  b. Application-layer VA tools
  c. Scope assessment tools
  d. Depth assessment tools: these tools find and identify previously unknown vulnerabilities in a system / fuzzers
  e. Active/passive tools: an active scan consumes resources on the network; a passive scan only observes system data and performs data processing
  f. Location / data examined tools
     - Network-based scanner
     - Agent-based scanner
     - Proxy scanner
     - Cluster scanner
* Tools
  + Nessus
    - Misconfiguration: open mail relay, missing patches
    - Default passwords; Hydra to launch a dictionary attack
    - DoS against the TCP/IP stack by using malformed packets
    - Preparation for PCI DSS audits
  + QualysGuard
  - Cycorp CycSecure
  + eEye Retina Network
  - Foundstone Professional Scanner
  + GFI LANguard Network Security Scanner
  - ISS Internet Scanner
  - SAINT Vulnerability Scanner
  - Symantec NetRecon Scanner
  + Shadow Security Scanner
  - Microsoft Baseline Security Analyzer (MBSA)
  - SPIKE Proxy
  - Nmap
  - Winfingerprint
  - Security Auditor's Research Assistant (SARA)
  - Tiger Analytical Research Assistant (TARA)
  - CIS benchmarks / security tools
* Security vulnerability report and summary report
* Standard report / differential report
* Automated scanning server reports

10. External Penetration Testing
* Pen tester -> Internet -> [DMZ: router, firewall, web server, app server, mail server] -> [Internal servers: database server, file server, directory server]
* Checklist
  - List open / closed ports
  - Port scan every port (65536)
  - Use SYN scan
  - Use connect scan
  - Use XMAS scan
  - Use FIN scan
  - Use NULL scan
  - Firewalk on the router's gateway
  - Check ICMP (type 3, port unreachable)
  - Check ICMP (type 8, echo request)
  - Check ICMP (type 13, timestamp request)
  - Check ICMP (type 15, information request)
  - Check ICMP (type 17, subnet address request)
  - Test SNMP (port 161), LDAP (389), NetBIOS (135-139, 445), SQL Server (1433, 1434), Citrix (1495), Oracle (1521), NFS (2049), RDP (3398), SIP (5060), VNC (5900/5800), X11 (6000), Kerberos-AD (TCP/UDP 88)
* Tools: NeoTrace, IP Address 2 Country, IP Prober
* TCP/UDP trace tools: IGI, pathChirp, Pathload, Pathrate, Tulip, tcptrace, netperf, scriptroute
* Examine the use of IPv6: 46Bouncer
* Find IP block: Sam Spade, ARIN database
* List open ports: SuperScan, nmap, NetScanTools Pro
* List closed ports: #nmap --script=firewalk --traceroute 192.168.1.2
  - Cerberus Internet Scanner
  - CyberCop Scanner: nai.com
  - Firewalk: packetfactory.net
  - HackerShield: bindview.com
  - HostScan: savant-software.com
  - Internet Scanner: iss.net
  - Nessus: nessus.org
  - NetScan: nwpsw.com
  - Nmap: insecure.org
  - NmapNT: eeye.com
  - SAINT/SATAN: wwwdsi.com
  - SARA: www-arc.com
  - Strobe: freebsd.org
  - SuperScan/fscan: foundstone.com
* List ports that are half open / closed: stealth ports; a stealth port will not generate
* SYN scan = half-open scan
* XMAS scan = only works against OS TCP/IP stacks that follow RFC 793; does not work against Microsoft Windows, which shows all ports on the host as closed
* FIN scan = RFC 793; does not work against Microsoft Windows, which shows all ports on the host as closed
* NULL scan = RFC 793; does not work against Microsoft Windows, which shows all ports on the host as closed
* -f = use fragmentation scanning and examine the response
* Examine IP ID sequence number prediction: #hping2 -c 10 -i 1 -p 80 -S beta.search.zzz.com
* Netcraft / uptime
* Reverse engineer the binary code
  - IDA Pro
  - Java Engineer
  - FlashSaver
  - REC Decompiler
* Examine the session variables: session hijacking, grabbing the URL
* Examine cookies
  - Cookies offer a way to check the identity of the user by storing the CFID and CFTOKEN in client-side cookies and using that information to uniquely identify the user
* Brute force URL injections and session tokens
* Attempt URL encodings on the web pages
* Try buffer overflow attempts in input fields
  - NTOMAX: foundstone.com
  - Hailstorm: cenzic.com
* Attempt escape character injection, e.g. $$
  - APS: stratum8.com
  - G-Server: gilian.com
  - iBroker Secure Web: elitesecureweb.com
  - URLScan: microsoft.com
* Try cross-site scripting (XSS)
* Record and replay the traffic to the target web server and note the response
  - CruiseControl
  - WebLOAD: radview.com
  - e-Test Suite: empirix.com
* Try SQL injection:
  - ' or 1 - 1 /*
  - " or 1 = 1 --
  - or 1 = 1 --
  - ' or 'a'='a'
  - "or"a"="a
  - ')or('a'='a
* Examine hidden fields
* Examine Server Side Includes (SSI)
  - SSI: placeholders in an HTML page that the web server dynamically replaces with data just before sending the response back to the browser, e.g.
      <HTML><BODY>
      <P>SSI bro</P>
      <!--#Include file = "copywrite.Inc"-->
      </BODY></HTML>
    and the exec directive: <!---#exec cmd="/bin/cat/etc/passwd" --->
  - Enable the suexec utility
  - SSI-enabled files should have an extension other than .html / .htm
* Examine welcome messages, error messages, and debug messages
* Probe the service by SMTP mail bouncing
  - SMTP mail bouncing indicates that the user does not exist on that server
  - Bounced mail carries information about the SMTP server such as server name, version, and various services running on the server
* Grab the banner of HTTP servers: httprint (web server fingerprinting)
* Grab the banner of SMTP servers
  - GNIT NT vulnerability scanner captures banner messages from an SMTP server
  - Install the following:
      perl Makefile.PL
      make
      make test
      make install
  - Required libraries: Class::Accessor::Fast
* Grab the banner of FTP servers: C:\>echo quit | nc -vv -w 5 192.168.0.200 20-40
* GNU freeware tunneling software 'HTTPTunnel'
* OS fingerprint: NetScanTools Pro, nmap
* Check for ICMP responses (type 3, port unreachable)
  - SYN scan is the default and most popular scan option for good reasons
  - The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10 or 13) is received
* Check ICMP responses (type 8, echo request)
* Check ICMP responses (type 13, timestamp request): nmap -sS -p X x.x.x.x
* Check ICMP responses (type 15, information request)
* Check ICMP responses (type 17, subnet address mask request)
* -sU = UDP scan, -sS = SYN scan
* Port scan TFTP server (port 69)
  - PortQry helps troubleshoot TCP/IP connectivity issues
  - portqry -n myserver.example.com -p udp -e 69
* Test for NTP port (123): nmap -sU -p 123 x.x.x.x
* Test SNMP: nmap -sU -p 161 x.x.x.x ; nmap -sU -p 162 x.x.x.x
* Test Telnet port (23): nmap x.x.x.x -p http*,ftp,telnet
* Test LDAP (389): portqry -n myserver -p udp -e 389
* Test for NetBIOS (135-139, 445): nmap.exe -sS x.x.x.x -p 21,22,25,53,80,161,43
* Test NFS: nmap -v -sR -p 2049 x.x.x.x
* Test RDP: nmap -sT -p 3389 x.x.x.x
* Test SIP (5060): VoIP
* VNC: port 5900, Java viewer port 5800
* Scan SSL: nmap -F -sV x.x.x.x
* Scan SSH: nmap -sS -p 22 x.x.x.x

11. Internal Network Penetration Testing
* Scan the network
  - Angry IP
  - Network Scanner
  - FreePortScanner
* Attempt to establish null sessions
  - Verify if null sessions are enabled on the target machine
  - C:\>nbtstat -a x.x.x.x
  - C:\>net view \\x.x.x.x
* Enumerate users
  - GetAcct
  - Winfingerprint
* Sniff the network
  - Wireshark
  - Tcpdump
  - EtherPeek / OmniPeek
* Sniff POP3/FTP/Telnet
  - Dsniff
  - Ace Password Sniffer
* Wireshark display filters
  - ip.src == ip_address
  - ip.dst == ip_address
  - tcp.dstport == port_no
  - ip.addr == ip_address
* Sniff email messages / VoIP traffic
  - mailsnarf
* Attempt replay attacks / MITM
  - Sniff the LAN Manager hashes off the wire and replay the same password on the target machine
  - L0phtCrack
  - RainbowCrack
  - Cain & Abel
* Attempt ARP poisoning / ARP spoofing / ARP cache poisoning / ARP poison routing
  a. ARPspoof
  b. ARPoison
  c. Ettercap
  d. Parasite
* Attempt MAC flooding / ARP cache poisoning
  a. macof tool
     macof -i eth1 -n 10
     macof -i eth1 -d x.x.x.x
* MITM
  1. DNS cache poisoning
  2. ARP spoofing
  Tools:
  a. DNSA
  b. Dnsspoof
  c. TinyDNS
  d. DNSCache
  e. Arpoison
  f. Arpspoof
  g. Ettercap
  h. Parasite
* DNS poisoning: hosts file in C:\WINNT\system32\drivers\etc with the entry "x.x.x.x company.com"
  a. DNSSpoof
  b. DNSA
* Knoppix / alternate OS and steal the SAM file
    #mount -f vfat -o ro /dev/hda1 /mnt/hda1
    #cp /mnt/hda1/windows/system32/config/sam
    #cp sam /dev/fd0
    #umount /dev/hda1
    #halt
* Keylogger
  a. KGB Spy
  b. Realtime-Spy
  c. SpyAgent
  d. Elite Remote Keylogger
* Trojan
  a. Netcat
     C:\>nc -lvp 2222
     #nc x.x.x.x 2222
  b. Beast
  c. E-Mailer
* Meterpreter (Kali Linux)
* Rootkit
* Hide folder XP / 2012
  a. AB Hide Folder
  b. Stealth Folder
  c. Folder Security Personal
* Steganography
  a. Image Hide
  b.
     Snow
* Escalate user privileges
    $ chmod 755 getRoot
    whoami: customer
    ./getRoot
    whoami: root
    $ id
    uname -a
    ./CVE2010-4258
    id = root
* Capture HTTPS: HTTP Analyzer
* Capture RDP: Wireshark, Cain
* Wireshark capture filters
  - src host 10.10.10.10
  - dst host 10.10.10.10
  - ip proto \tcp OR tcp
  - ip proto \udp OR udp
  - ip proto \icmp OR icmp
* Automated tools
  - CoreImpact
  - Metasploit
  - Canvas
  - Internet Scanner: iss-internet-scanner
  - NetRecon: symantec.com
  - CyberCop: nai.com
  - Nessus
  - Cisco Secure Scanner
  - Retina: eeye.com
* Document everything

12. Firewall Penetration Testing
* Packet filtering: the data header is checked
  a. Stateless packet filtering
  b. Stateful packet filtering
  c. Address filtering
  d. Network filtering
* BlackICE PC Protection
* Types of firewall
  a. Packet filters: OSI layer 3, Internet Protocol
  b. Circuit-level gateways: OSI layer 4, TCP; monitor TCP handshaking
  c. Application-level gateways: proxies, OSI layer 5, application
  d. Stateful multilayer inspection firewalls: combine the 3 above; expensive
* Locate the firewall
    hping2 abcd.com -c2 -S -p23 -n
    ICMP unreachable type 13 from 10.10.2.3
* tracert www.abcd.com
* Port scan: nmap -n -vv -P0 -p256,1080 <abcd.com>
* Grab the banner: C:\>nc -nvv 10.0.0.1 80
* Create custom packets: #hping 10.0.0.5 -c 2 -S -p 23 -n
* Test enumeration: nmap -sA x.x.x.x
* Test the firewall using firewalking: TTL exceeded error = firewall is open
* Test for port redirection
    fpipe -l 80 -r 139 x.x.x.x
    datapipe 80 139 x.x.x.x
* Test covert channels | install backdoor: WWW reverse shell
* Test HTTP tunneling: HTTPort, HTTHost

13. Intrusion Detection System Testing
* Types of IDS
  a. Network-based IDS (NIDS) are placed at a strategic point
  b. Host-based IDS (HIDS)
* IDS testing tools: IDS Informer (bladesoftware.com), Firewall Informer, Snort

14. Password Cracking Penetration Testing
* Password cracking techniques
  - Social engineering
  - Shoulder surfing
* Types of password cracking attacks
  - Dictionary attack
  - Brute force attack
  - Hybrid attack: like a dictionary attack but adds some numbers and symbols
  - Syllable attack: combination of both the brute force attack and the dictionary attack
  - Rule-based attack: the attacker gets some information about the password
* /etc/passwd and /etc/shadow; can also be in /etc/security/passwd or /secure/etc/passwd
* SAM file: c:\winnt\system32\etc\SAM
  - Extraction tools: SAMDUMP, PWDUMP, L0phtCrack
* SMB: nat -u userlist.txt -p passlist.txt testing IP_ADDR
* Build a dictionary of word lists
  - Dictionary Maker
  - Pass list
* Brute force passwords
  - Brutus: www.antifork.org/hoobie.net
  - Cerberus Internet Scanner
  - Crack: www.users.dircon.co.uk/~cypto
  - CyberCop Scanner: www.nai.com
  - Inactive Account Scanner: www.waveset.com
  - L0phtCrack
  - Legion and NetBIOS Auditing Tool (NAT): www.hackersclub.com
  - John the Ripper, SAMDump, PWDump, PWDump2, PWDump3
  - SecurityAnalyst: www.intrusion.com
  - TeeNet: www.phenoelit.de
  - WebCrack: www.packetstrom.deceptions.org
  - Munga Bunga
  - Password cracker Unix: NIS/yp
* Logon password: HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon
* dsniff, SwitchSniffer v0.8.0
* Replay attack: Ethereal, tcpdump, WinDump
* SAMInside (pwdump)
* Dictionary Maker
* Password list recovery: Anti-Secure Ultimate Password Recovery

15. Social Engineering Penetration Testing
* Social engineering tricks: phone scams, hoaxes, email scams, fake surveys
* A good social engineer will conduct some background research on a company
* SE by vishing: pose as an employee of a legitimate enterprise

16. Web Application Penetration Testing
* Test for parameter-tampering attacks on the website
* Test for cross-site scripting
  - TamperIE
  - Paros proxy
  - Fiddler
  - Burp proxy
* Test cookie attacks
* Bugtraq
* Blind SQL injection: the attacker attempts to exploit an application rather than getting a useful error message
* Session hijacking
  - Juggernaut
  - Hunt
  - TTY Watcher
  - T-Sight
* Test for XPath injection attacks
  - XPath 1.0 is a language used to refer to parts of an XML document
* SSI injection (server-side include): server-side exploit technique that allows an attacker to send code into a web application, which will later be executed locally by the web server
* Test for XML content-level attacks
  - WebScarab tool (use it as a proxy to capture the HTTP traffic)
* Test for malicious SOAP attachments
  - Search the Web Services Description Language (WSDL) for operations which accept attachments
* Testing tools
  - Acunetix
  - SPIKE Proxy
  - WebserverFP: HTTPD fingerprinting
  - KSES
  - Mieliekoek.pl
  - Sleuth: www.sandsprite.com/Sleuth/download.html
  - WebGoat
  - AppScan
  - URLScan

17. SQL Penetration Testing
* SQL Server port: 1433; sqping3cl.exe
* Absinthe tool: blind SQL injection
* osql utility: for default/common passwords
* Brute force the SA account: HydraGTK
* Dictionary attack tools: Cain and Abel, SQLdict

18. Penetration Testing Reports and Post Testing Ac

19. Database Penetration Testing
* Run WinSID to find instances of Oracle database
* Use tools such as Orabf to brute force password hashes: oracbfscript.cmd hacker.list -c default.txt
* Packet sniffing tools
  - EtherDetect
  - Microsoft Network Monitor
* Port scanning basics
  - TCP connect()
  - Strobe: only looking for those services the attacker knows how to exploit
* TNS listener
  - tnscmd10g.pl status -h IP-address
  - tnscmd10g.pl version -h IP-address
  - $ORACLE_HOME/bin/lsnrctl (listener control program)
  - $ORACLE_HOME/network/admin/listener.ora (TNS config file)
  - $ORACLE_HOME/bin/tnslnsr (listening process)
  - Oracle Password Guesser (opwg)
* Havij = automated SQL injection tool; SQLmap = open source penetration testing tool

20. Wireless Network Penetration Testing
* WirelessMon (wireless monitoring)
* Discovering rogue APs: Stumbler / NetStumbler
* PowerscanRF
* Airodump
* AirSnort
    tar -xzf airsnort-xx.tar.gz
    cd airsnort-xx
    ./autogen.sh
    make
* Aircrack
* Spoof MAC: Mac MakeUp
* Aireplay
* WEPWedgie to inject an encrypted packet: prgasnarf -c 1
* chopchop: tool that allows decrypting a single packet even without knowledge of the WEP key
    #aireplay-ng --chopchop -b 00:18:E7: -h F4:09:D8: mon0
* Tools
  - AiroPeek
  - AirMagnet
  - AirSnort: recovers encryption keys
  - WirelessMon
  - Dstumbler
  - dwepdump
  - Kismet
  - NetStumbler
  - Wireshark
  - Sniffer Wireless
  - TCPDump
  - WEPCrack
  - aircrack-ng: airodump, aireplay, aircrack, airdecap
  - KisMAC

21. Mobile Devices Penetration Testing
* Root an Android: SuperOneClick, Superboot, Universal Androot, Unrevoked
* AnDOSid: DoS
* ComDroid: detects an app's communication vulnerabilities
* Jailbreak: Redsn0w, Absinthe, Sn0wbreeze, PwnageTool
* msfcli -h
* BBProxy
* Elcomsoft Phone Password Breaker

22. Cloud Penetration Testing Methodology
* Public cloud, private cloud, hybrid cloud
* Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS)
* If you need milk, would you buy a cow?
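The decoder below is an added example, not part of the original notes; it ties together the IPv4 header fields, the IP protocol numbers (TCP = 6, UDP = 17), the TCP flag letters with the "." placeholder, and the ICMP type/code table from section 2 (TCP IP Packet Analysis). The three packets it decodes are constructed in the block itself, and the 10.0.0.x addresses and port numbers are placeholder values.

```python
"""Decoder for the IPv4 header fields, TCP flag letters and ICMP type/code
table summarised in the TCP/IP packet-analysis notes.

Added example, not part of the original notes; the packets at the bottom
are constructed inline so the block runs offline without a capture file.
"""
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}   # IP protocol numbers

# TCP flag bits (RFC 793) with the single-letter labels used in the notes.
TCP_FLAG_LETTERS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                    (0x10, "A"), (0x20, "U")]

# (type, code) -> (description, Query/Error). Type 3 is listed as an
# error here, matching the notes' error-reporting message list.
ICMP_TABLE = {
    (0, 0): ("Echo reply (PING)", "Query"),
    (3, 1): ("Host unreachable", "Error"),
    (3, 3): ("Port unreachable (TRACEROUTE)", "Error"),
    (5, 0): ("Redirect", "Error"),
    (8, 0): ("Echo request (PING)", "Query"),
    (11, 0): ("Time to live exceeded in transit (TRACEROUTE)", "Error"),
    (12, 0): ("Bad IP header", "Error"),
    (13, 0): ("Timestamp request", "Query"),
    (14, 0): ("Timestamp reply", "Query"),
}


def inet_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071); 0 means valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(raw: bytes) -> dict:
    """Decode the fixed IPv4 header fields the notes list and verify the checksum."""
    ver_ihl, tos, total_len, _ident, flags_frag, ttl, proto, _csum = \
        struct.unpack("!BBHHHBBH", raw[:12])
    ihl = (ver_ihl & 0x0F) * 4            # header length is stored in 32-bit words
    return {
        "version": ver_ihl >> 4,
        "header_len": ihl,
        "tos": tos,
        "datagram_size": total_len,       # header plus data
        "flags": {"DF": bool(flags_frag & 0x4000), "MF": bool(flags_frag & 0x2000)},
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "checksum_ok": inet_checksum(raw[:ihl]) == 0,
        "payload": raw[ihl:total_len],
    }


def parse_tcp(raw: bytes) -> dict:
    """Decode ports, sequence numbers and the tcpdump-style flag label."""
    src, dst, seq, ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    flags = off_flags & 0x3F
    # Letters for SYN/FIN/RST/PSH, or the "." placeholder when none is set
    # (e.g. a pure ACK); ACK and URG are reported separately.
    core = "".join(l for bit, l in TCP_FLAG_LETTERS if flags & bit and l in "FSRP")
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack_num": ack,
            "header_len": (off_flags >> 12) * 4, "flags": core or ".",
            "ack": bool(flags & 0x10), "urg": bool(flags & 0x20)}


def parse_icmp(raw: bytes) -> dict:
    """Look the type/code pair up in the notes' ICMP table."""
    typ, code = raw[0], raw[1]
    desc, kind = ICMP_TABLE.get((typ, code), ("Unknown", "Unknown"))
    return {"type": typ, "code": code, "description": desc, "kind": kind}


def decode(raw: bytes) -> dict:
    """Decode the IPv4 header, then dispatch on the protocol number."""
    ip = parse_ipv4(raw)
    if ip["protocol"] == "TCP":
        ip["tcp"] = parse_tcp(ip["payload"])
    elif ip["protocol"] == "ICMP":
        ip["icmp"] = parse_icmp(ip["payload"])
    return ip


def build_ipv4(proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet with a valid checksum (sample input only;
    10.0.0.1 -> 10.0.0.2 are placeholder addresses)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0x4000,
                      ttl, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


# Constructed samples: a SYN to port 80, a pure ACK, and an ICMP port unreachable.
SYN_PKT = build_ipv4(6, struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, 0x5002, 65535, 0, 0))
ACK_PKT = build_ipv4(6, struct.pack("!HHIIHHHH", 40000, 80, 1001, 5001, 0x5010, 65535, 0, 0))
ICMP_PKT = build_ipv4(1, struct.pack("!BBHI", 3, 3, 0, 0) + bytes(28))

if __name__ == "__main__":
    for pkt in (SYN_PKT, ACK_PKT, ICMP_PKT):
        print(decode(pkt))
```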