Penetration Testing & Countermeasures

Paul Fong & Cai Yu
CS691
5 May 2003
Security Penetration Services
- Goal: help organizations secure their systems
- Skill set: equivalent to system administrators
- Record keeping & ethics
Announced vs. Unannounced Penetration Testing
- Announced testing
  - Pros:
    - Efficient
    - Team oriented
  - Cons:
    - Holes may be fixed as discovered & block further penetration
    - False sense of security
- Unannounced testing
  - Pros:
    - Greater range of testing
  - Cons:
    - Response may block further penetration
    - Requires strict escalation process
    - Impact on operations
Rules of Engagement
- Type of attacks allowed (no DoS)
- Off-limits machines & files (passwords)
- Designated machines or networks
- Test plan
- Contacts
Penetration Testing Phases
- Footprint
- Scanning/Probing
- Enumeration
- Gain Access
- Escalate Privileges
- Exploit
- Cover Tracks
- Create Backdoors
Footprinting
- Profile target passively
  - Address blocks
  - Internet IP addresses
  - Administrators
- Techniques
  - Googling
  - Whois lookups
Scanning/Probing: nmap
- Active probing
- NMAP port scanner, www.insecure.org
- Discovers:
  - Available hosts
  - Ports (services)
  - OS & version
  - Firewalls
  - Packet filters
Scanning/Probing: nessus
- www.nessus.org
- Vulnerability scanning
  - Common configuration errors
  - Default configuration weaknesses
  - Well-known vulnerabilities
Enumeration: hackbot
- Identify accounts, files & resources
- Ws.obit.nl/hackbot
- Finds:
  - CGI
  - Services
  - X connection check
Gaining Access: packet captures
- Eavesdropping
- Ethereal, www.ethereal.com
Physical Access
- Boot loader & BIOS vulnerabilities
- GRUB loader
  - No password
  - Allows hacker to boot into single-user mode with root access
- Password crackers
  - John the Ripper
  - Crack
Wireless Security
- War driving with directional antenna
- Wired Equivalent Privacy (WEP) vulnerabilities
- Penetration tools:
  - WEPcrack
  - AirSnort
Counter Measures 1
- Apply the latest patches.
- Change default settings/options.
- Set up passwords and protect your password file.
- Install anti-virus software and keep it updated.
Counter Measures 2
- Install only required software; open only required ports.
- Maintain good backups.
- Set a BIOS password, a system loader password, and any other passwords that are necessary.
- Have a good emergency plan.
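The GRUB point on the Physical Access slide and the "system loader password" countermeasure above, as an added shell example that is not part of the slides: it audits a GRUB Legacy menu.lst for the global password directive and for entries missing "lock". Both configs are constructed samples and the md5 hash is a placeholder.

```shell
# Added example, not from the slides: audit a GRUB Legacy menu.lst for the
# boot-loader password the Physical Access slide says is missing.
# Both configs are constructed samples; the md5 hash is a placeholder
# (a real one is produced by grub-md5-crypt).
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
default 0
timeout 5
title Linux
    root (hd0,0)
    kernel /vmlinuz root=/dev/hda1 ro
EOF

HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
default 0
timeout 5
password --md5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
title Linux
    lock
    root (hd0,0)
    kernel /vmlinuz root=/dev/hda1 ro
EOF

# grub_password_set FILE: succeeds if a global "password" directive exists
grub_password_set() {
    grep -Eq '^[[:space:]]*password[[:space:]]' "$1"
}

# grub_unlocked_entries FILE: prints how many "title" entries lack "lock"
# (an entry without "lock" can still be booted without the password)
grub_unlocked_entries() {
    awk '
        /^[[:space:]]*title[[:space:]]/ { if (seen) n += !locked; seen = 1; locked = 0 }
        /^[[:space:]]*lock[[:space:]]*$/ { locked = 1 }
        END { if (seen) n += !locked; print n + 0 }
    ' "$1"
}

# grub_audit FILE: prints OK or WEAK; returns 1 for a weak config
grub_audit() {
    if grub_password_set "$1" && [ "$(grub_unlocked_entries "$1")" -eq 0 ]; then
        echo OK
    else
        echo WEAK; return 1
    fi
}

grub_audit "$WEAK_CFG" || true   # prints WEAK
grub_audit "$HARD_CFG"           # prints OK
```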
Counter Measures 3
- Monitor your system if possible.
- Have a good administrator.
Future Improvements
- Correction of weaknesses uncovered by the penetration exercise
- Automate and customize the penetration test process
- Use of intrusion detection systems
- Use of honeypots and honeynets
Demo: Retina Network Security Scanner
- Created by eEye Digital Security, Retina Network Security Scanner is recognized as the #1 rated network vulnerability assessment scanner by Network World magazine.
- Retina sets the standard in terms of speed, ease of use, reporting, non-intrusiveness and advanced vulnerability detection capabilities.
- Retina incorporates the most comprehensive and up-to-date vulnerabilities database, automatically downloaded at the beginning of every Retina session.
Bibliography
- Klevinsky et al. Hack I.T.: Security Through Penetration Testing. ISBN 0-201-71956-8.
- McClure et al. Hacking Exposed: Network Security Secrets and Solutions, 2nd edition. ISBN 0-07-222742-7.
- Sage, Scott & Lear, Lt. Col. Tom. A Penetration Analysis of UCCS Network Lab Machines, March 2003. UCCS course CS691c.
- Warren Kruse et al. Computer Forensics. ISBN 0-201-70719-5.
- Ed Skoudis et al. Counter Hack. ISBN 0-13-033273-9.
- Lance Spitzner et al. Honeypots. ISBN 0-321-10895-7.
- Retina network security scanner, http://www.eeye.com/html/Products/Retina/index.html