Chapter 1 - Basic Pen Test

Chapter 1 - Basic Penetration Techniques
Basic Penetration Testing
SCAN Associates Berhad

Module 3 1-1
Copyright 2005, All rights reserved. Not to be reproduced by any means without prior written consent.
Basic Pen-Test
"Improving the Security of Your Site by Breaking Into it"

(Dan Farmer/Wietse Venema, 1993)
Module 3 1-2
Basic Pen-Test
Chapter 1 Basic Penetration Techniques
Module 3 1-3
Basic Pen-Test
Overview
Chapter 1 Chapter 2 Capture the Flag
Module 3 1-4
Basic Pen-Test
Basic Penetration Techniques

Intro to Pen Test What is Pen Test? Pen Test vs Vul Assessment vs Audit Information Gathering Footprinting Scanning Enumeration
Module 3 1-5
Basic Pen-Test

(cont.)
System Hacking Vulnerability Mapping System Hacking: Exploits Escalate privilege Trojan
Module 3 1-6
Basic Pen-Test

(cont.)
Capture the flag One victim Server Divide into groups 5 Flags to captured Bonus Flag extra point Use whatever resource available
Module 3 1-7
Basic Pen-Test
Objectives
Give exposure to participants on basic techniques of penetration test Common attacks and exploits used Hand-on training
Module 3 1-8
Basic Pen-Test
Introduction to Penetration Testing
Module 3 1-9
Basic Pen-Test
Why Penetration Test?

Find poorly configured machines that may have overlooked Verify that the security mechanisms are working To measure the security of a system, network or a business process
By a third party
To assess possible Risks To make the upper management "security aware Remember 99.9% secure = 100% vulnerable!
Module 3 1-10
Basic Pen-Test
Penetration Test - Goal

How much information about our network is publicly available ? Is it possible to compromise this and that system ? Is it possible to disturb business process X ? How effective work our security controls ?
Firewall AntiVirus / Spam / Content Filter Intrusion Detection Systems
Module 3 1-11
Is our Information Security Policy correctly enforced ? Can employees compromise workstation security? Are we safe ?" Basic Pen-Test
What can be tested?

Servers and Workstations
Web Server Database Server Domain Controller Workstations Network Devices Wireless Networks Dial-In Access VPNs
Infrastructure
Applications Employees (Social Engineering)

Module 3 1-12
Basic Pen-Test
Pen Test v. Vuln Assess v. Audit

What are the differences between a Penetration Test, a Vulnerability Assessment and an Audit? Many people use this terms interchangeably. There are actually distinct differences.
Module 3 1-13
Basic Pen-Test

From the FFIEC (Federal Financial Institutions Examination Council) Information Security booklet:
Penetration tests, audits, and assessments can use the same set of tools in their methodologies. The nature of the tests, however, is decidedly different. Additionally, the definitions of penetration test and assessment, in particular, are not universally held and have changed over time.
Module 3 1-14
Basic Pen-Test

Penetration Tests. A penetration test subjects a system to the real-world attacks selected and conducted by the testing personnel. The benefit of a penetration test is to identify the extent to which a system can be compromised before the attack is identified and assess the response mechanisms effectiveness. Penetration tests generally are not a comprehensive test of the systems security and should be combined with other independent diagnostic tests to validate the effectiveness of the security process.
Module 3 1-15
Basic Pen-Test

Audits.
Auditing compares current practices against a

set of standards. Industry groups or institution management may create those standards. Institution management is responsible for demonstrating that the standards they adopt are appropriate for their institution.
Module 3 1-16
Basic Pen-Test

Assessments. An assessment is a study to locate security vulnerabilities and identify corrective actions. An assessment differs from an audit by not having a set of standards to test against. It differs from a penetration test by providing the tester with full access to the systems being tested. Assessments may be focused on the security process or the information system. They may also focus on different aspects of the information system, such as one or more hosts or networks.
Module 3 1-17
Basic Pen-Test

Pen Test Vuln Assess Audit
Initial Info Outcome
Limited Access to Internal Network Internal / External Medium
Limited
Full
List of Vulns Secure System External Short On System Long
Location Time
Module 3 1-18
Basic Pen-Test
Standards
Pete Herzogs's OSSTM - "Open Source Security Testing Methodology Manual"
Very practical approach Checklists of what and in which order to test List of tools
ISO 17799 / ISO 27001 Standard for Information Security

Focuses more on the policy and paper work side of security Extensive catalog of security controls Defines a standard for audits
NIST Guidelines for Network Security Testing

Module 3 1-19
Basic Pen-Test
The OSSTMM
OSSTMM Open-Source Security Testing Methodology Manual Version 2.2 at www.osstmm.org Developed by Pete Herzog, it is a living document on how to perform a penetration test. It defines how to go about performing a pen test, but does not go into the actual tools.
Module 3 1-20
Basic Pen-Test
Ethical Hacking?
Get Permission First !!! The difference between a hackers and a Security Analyst is PERMISSION Its an Offence under Computer Crime Act 1997
Findings are under strict NDAs (Non Disclosure Agreement) No information gathered during the test
is sent in clear text over the internet is used for personal profit
Code of Ethics
ISACA Code of Professional Ethics ISC2 Code of Ethics
Module 3 1-21
Basic Pen-Test
Common Pen Test Stage

Gathering Information Analyzing the Infra-Structure Analyzing the Machines
Fingerprinting Port / Vulnerability-Scanning Attacking the System / Proof of Concept
Analyzing Applications

Module 3 1-22
Functional / Structural Analysis Attacking Authentication and Authorization Attacking Data and Back-End Communication Attacking Clients
Basic Pen-Test
Information Gathering
Module 3 1-23
Basic Pen-Test
Interesting Fact
http://www.zoneh.org/en/defacements
Hundreds of defacement a day
Module 3 1-24
Basic Pen-Test
Interesting Fact (cont.)

Script Kiddies/ Ankle Biters / Crackers 50,000 - 100,000* Mostly malicious, Used canned code Attack weak servers randomly Hackers 5,000 - 10,000* Write their own code Know how to exploit know vulnerabilities Elite Hackers ~1,000* Can break almost anything Attack dedicated servers *According to Ira Winkler Author of Corporate Espionage
Module 3 1-25
Basic Pen-Test
Part I Footprinting
Module 3 1-26
Basic Pen-Test
Footprinting
Create a complete profile of an organizations security posture Domain names, network blocks, and individual IP addresses Internet, Intranet, remote access, and extranet
Module 3 1-27
Basic Pen-Test
Footprinting
1. 2. 3. 4. Determine the Scope of Activities Network Enumeration DNS Interrogation Network Reconnaissance
(cont.)
Module 3 1-28
Basic Pen-Test
1.Determine the Scope of Activities

Locations Related companies or entities Merger or acquisition news Phone numbers Contact names and email addresses Security Policies Links to other websites
Module 3 1-29
Basic Pen-Test
Example
Module 3 1-30
Basic Pen-Test
Example
Module 3 1-31
Basic Pen-Test
Example
(cont.)
Module 3 1-32
Basic Pen-Test
Example
(cont.)
Module 3 1-33
Basic Pen-Test
2. Network Enumeration
Organizational Domain Network Person of Contact (POC)
Module 3 1-34
Basic Pen-Test
IANA
Internet Assigned Number Authority Address space to various registries is listed here http://www.iana.org/assignments/ipv4-addressspace APNIC - Pacific Rim ARIN - North America RIPE NCC - Europe
Module 3 1-35
Basic Pen-Test
IANA (cont)
Module 3 1-36
Basic Pen-Test
Organizational Query
InterNIC database whois standard Unix tool
[nazri@ns nazri]$whois "Universiti Teknologi Malaysia"@whois.arin.net [whois.arin.net] Universiti Teknologi Malaysia (JB-HST) JB.UTM.MY Universiti Teknologi Malaysia (KL-HST) KL.UTM.MY Universiti Teknologi Malaysia (NET-UTMNET) UTMNET 161.139.16.2 161.139.168.168 161.139.0.0
Module 3 1-37
Basic Pen-Test
Network Query
whois <IP-Address>@whois.arin.net whois <IP-Address>@whois.apnic.net whois <IP-Address>@whois.geektools.com
Module 3 1-38
Basic Pen-Test
whois Searching Tools

http://centralops.net/co/
Free online network utilities traceroute, nslookup, whois, ping, finger http://www.ipswitch.com Whois client UNIX WS Ping ProPack http://www.geektools.com Search multiple whois server
Module 3 1-39
Basic Pen-Test
Source of Whois Database

Whole Whois record is too big to store in a single server European IP http://www.ripe.net Asia Pacific IP http://whois.apnic.net U.S military http://whois.nic.mil U.S government http://whois.nic.gov American Registry- http://www.arin.net
Module 3 1-40
Basic Pen-Test
Example
Module 3 1-41
Basic Pen-Test
Example
Module 3 1-42
Basic Pen-Test
3. DNS Interrogation
Name server lookup Using NSLookup, we can perform Zone transfer to get information about other server in the DNS Zone transfer nslookup Host Mail Exchange (MX) Records
Module 3 1-43
Basic Pen-Test
What is DNS?
Domain Name System Translate host names like www.scanassociates.net into numerical IP addresses, like 219.93.36.235 Each node on the tree represents a domain. Everything below a node falls into its domain, ie: chichi.us.com, windy.us.com, them.com
Module 3 1-44
Basic Pen-Test
What is DNS? (cont.)

Most servers running BIND (Berkeley Internet Name Domain) During resolving name to IP: If the name server is unfamiliar with the domain name, the resolver will attempt to "solve" the problem by asking a server farther up the tree. If that doesn't work, the second server will ask yet another - until it finds one that knows.
Module 3 1-45
Basic Pen-Test
Zone Transfer
Zone defines network structure of a network Provides info inside the network IP of web server (if any) IP of mail server (if any) IP of test server (if any) IP of other server Using nslookup to copy the Zone from destination
Module 3 1-46
Basic Pen-Test
nslookup
[root@ns scan]#nslookup Default Server: ns.scan.utm.my Address: 161.139.189.189 > server ns1.host.net.my Default Server: ns1.host.net.my Address: 202.184.190.1 > set type=any > ls -d host.net.my > zone.out
Crafted IP and Host Name Most Linux/Solaris will not accept ls command anymore. BSD still OK! Will work if zone transfer is allowed.
Basic Pen-Test
Module 3 1-47
nslookup
[root@ns scan]#more zone.out > ls -d host.com.my. [ns1.host.net.my] $ORIGIN host.com.my. @ 6H IN SOA
(cont.)
fwgitn named ( 2000031005 2H 30M 5D 6H )
; ; ; ; ;
serial refresh retry expiry minimum
host host_notes localhost mail test
6H 6H 6H 6H 6H 6H 6H 6H 6H 6H 6H
IN IN IN IN IN IN IN IN IN IN IN
NS NS A MX A A A A A MX MX
fwgitn ns1.host.net.my. 202.184.190.69 5 @ 202.184.190.1 202.184.190.99 127.0.0.1 202.184.190.69 202.187.32.118 10 test 20 202.187.32.118
Basic Pen-Test
Module 3 1-48
nslookup
helpdesk1 helpdesk www gsb_oa fwgitn @ serial 2H refresh 30M retry 5D expiry 6H ) minimum
Module 3 1-49
(cont.)
6H 6H 6H 6H 6H 6H
IN IN IN IN IN IN
A A A A A SOA
202.184.190.20 202.184.190.19 202.184.190.69 202.184.190.3 202.184.190.2 fwgitn named ( 2000031005
; ; ; ; ;
Basic Pen-Test
Online nslookup
http://centralops.net/co/
(cont.)
Module 3 1-50
Basic Pen-Test
host
[sam@ns1 sam]$ host l mod.gov.my 202.185.193.1
ns.3div.mod.gov.my has address 219.93.4.2 acass.mod.gov.my has address 202.185.193.35 army.mod.gov.my has address 202.185.193.220 btmk.mod.gov.my has address 202.185.193.158 egdms.mod.gov.my has address 202.185.193.24 iqrak.mod.gov.my has address 202.185.193.98 komlek.mod.gov.my has address 202.185.193.165 library.mod.gov.my has address 202.185.193.100 lima.mod.gov.my has address 202.185.193.155 maf.mod.gov.my has address 202.185.193.29 mafca.mod.gov.my has address 202.185.193.102 mdic.mod.gov.my has address 202.185.193.22 moddns.mod.gov.my has address 202.185.193.1 modldap.mod.gov.my has address 202.185.193.17 modmail.mod.gov.my has address 202.185.193.12
Module 3 1-51
Basic Pen-Test
Mail Exchange (MX) Records

nslookup/host
6H IN A 6H IN MX test 6H IN A 6H IN MX 6H IN MX [root@ns HOST]#host 5 @ 203.187.32.118 10 test 20 203.187.32.118 -t mx host.com.my
Crafted IP and Host Name

203.184.190.69
host.com.my mail is handled (pri=5) by host.com.my
Testing?
[root@ns HOST]#grep -i test zone.out |wc -l 2
Module 3 1-52
Looking for easy target: testing server

Basic Pen-Test
4. Network Reconnaissance
Network Topology Potential Access Paths Technique: Tracerouting
Module 3 1-53
Basic Pen-Test
tracerouting
Determine their network topology as well as potential access paths into the network traceroute (UDP) Traceroute I (ICMP)
Module 3 1-54
Basic Pen-Test
traceroute
traceroute to www.shell.com (134.146.83.23), 30 hops max, 38 byte packets 1 192.168.169.254 (192.168.169.254) 26.150 ms 3.504 ms 1.501 ms 2 202.157.201.57 (202.157.201.57) 258.474 ms 131.664 ms 37.266 ms 3 202.157.193.29 (202.157.193.29) 59.062 ms 38.859 ms 52.235 ms 4 202.157.192.161 (202.157.192.161) 49.355 ms 47.173 ms 118.075 ms 5 202.157.200.5 (202.157.200.5) 247.272 ms 276.970 ms 291.244 ms 6 if-9-0-0.bb1.losangeles2.teleglobe.net (64.86.146.69) 256.115 ms 287.776 ms 234.535 ms 7 if-5-0.core1.losangeles2.teleglobe.net (64.86.80.66) 202.312 ms 317.045 ms 285.051 ms 8 if-3-0.core1.LosAngeles.Teleglobe.net (64.86.83.133) 258.911 ms 261.437 ms 341.887 ms 9 if-6-0.core1.SanJose.Teleglobe.net (207.45.193.85) 248.290 ms 232.595 ms 232.568 ms 10 if-2-0.core2.SanJose.Teleglobe.net (64.86.82.197) 272.511 ms 338.878 ms * 11 ix-4-0.core2.SanJose.teleglobe.net (66.198.96.2) 249.668 ms 237.584 ms 304.125 ms 12 0.so-0-1-0.XL1.SCL2.ALTER.NET (152.63.56.246) 347.472 ms 238.817 ms 358.732 ms 13 0.so-3-0-0.TL1.SAC1.ALTER.NET (152.63.53.250) 231.782 ms 330.669 ms 246.005 ms 14 0.so-7-0-0.IL1.NYC9.ALTER.NET (152.63.9.245) 394.607 ms 361.370 ms 346.364 ms 15 0.so-1-0-0.IR1.NYC12.ALTER.NET (152.63.23.62) 357.346 ms 301.236 ms 304.402 ms 16 so-5-1-0.TR1.AMS2.ALTER.NET (146.188.3.230) 443.982 ms 561.896 ms 398.444 ms 17 so-5-0-0.XR1.AMS6.ALTER.NET (146.188.8.77) 534.686 ms 459.494 ms 470.410 ms 18 pos1-0.gw5.ams6.alter.net (146.188.4.6) 520.899 ms 496.061 ms 482.176 ms 19 shells2-gw.customer.NL.UU.net (213.53.38.194) 548.650 ms 397.988 ms 396.365 ms 20 134.146.0.8 (134.146.0.8) 556.646 ms * 421.775 ms 21 wwwshell.com (134.146.83.23) 447.134 ms 476.217 ms 397.094 ms
Module 3 1-55
Basic Pen-Test
VisualRoute
www.visualroute.com Graphically map the path to destination
Module 3 1-56
Basic Pen-Test
http://navy.mod.gov.my
Module 3 1-57
Basic Pen-Test
Part II Network Scanning
Module 3 1-58
Basic Pen-Test
Network Scanning
Knocking on the walls to find all the doors and windows Determine which system is alive and reachable from the Internet
Module 3 1-59
Basic Pen-Test
Network Scanning
1. 2. 3. 4. Ping sweeps Port scanning Operating System Detection Automated discovery tools
(cont.)
Module 3 1-60
Basic Pen-Test
1. Ping Sweeps
Range of IP Address Range of Network Blocks Send ICMP ECHO (Type 8) Nutshell: Quickly send a ping to destination, and destination will reply Able to determine if a host is up or not
Module 3 1-61
Basic Pen-Test
Ping (ICMP type 8)

Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [[-j host-list] | [-k hostlist]] [-w timeout] destination-list Options:
-t -a -n -l -f -i -v -r -s -j -k -w
Module 3 1-62
count size TTL TOS count count host-list host-list timeout
Ping the specifed host until interrupted. Resolve addresses to hostnames. Number of echo requests to send. Send buffer size. Set Don't Fragment flag in packet. Time To Live. Type Of Service. Record route for count hops. Timestamp for count hops. Loose source route along host-list. Strict source route along host-list. Timeout in milliseconds to wait for each reply.
Basic Pen-Test
Example
F:\>ping 192.168.1.254 Pinging 192.168.1.254 with 32 bytes of data: Reply from 192.168.1.254: bytes=32 time<1ms Reply from 192.168.1.254: bytes=32 time<1ms Reply from 192.168.1.254: bytes=32 time<1ms Reply from 192.168.1.254: bytes=32 time<1ms TTL=255 TTL=255 TTL=255 TTL=255
Ping statistics for 192.168.1.254: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms
Module 3 1-63
Basic Pen-Test
Example
This site blocks ICMP
F:\>ping 202.185.193.1 Pinging 202.185.193.1 with 32 bytes of data: Reply from 202.185.193.1: bytes=32 time=4118ms TTL=243 Request timed out. Request timed out. Request timed out. Ping statistics for 202.185.193.1: Packets: Sent = 4, Received = 1, Lost = 3 (75% loss), Approximate round trip times in milli-seconds: Minimum = 4118ms, Maximum = 4118ms, Average = 4118ms
Module 3 1-64
Basic Pen-Test
nmap
http://www.insecure.org/ Nmap ("Network Mapper") is an open source utility for network exploration or security auditing Can be used to do Ping Sweep looking for active hosts
Module 3 1-65
Basic Pen-Test
nmap (cont.)
http://www.insecure.org/ Installation Two options
1. RPM 2. Compile from the source
Nmap for Windows
Module 3 1-66
Basic Pen-Test
nmap (cont.)
nmap -sP 203.106.5.224-255
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ ) Host Host Host Host Host Host Host (203.106.5.225) appears to be up. (203.106.5.226) appears to be up. (203.106.5.227) appears to be up. (203.106.5.228) appears to be up. (203.106.5.231) appears to be up. (203.106.5.241) appears to be up. (203.106.5.254) appears to be up.
Host (203.106.5.255) seems to be a subnet broadcast address (returned 1 extra pings). Nmap run completed -- 32 IP addresses (7 hosts up) scanned in 72 seconds
Module 3 1-67
Basic Pen-Test
nmap (Specified Port)

[sam@ns1 /]$ nmap -sP -PT80 203.106.5.224-255 TCP probe port is 80 Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ ) Host rtr.scan-associates.net (203.106.5.225) appears to be up. Host ns1.scan-associates.net (203.106.5.226) appears to be up. Host (203.106.5.227) appears to be up.
Host www.scan-associates.net (203.106.5.228) appears to be up. Host Host Host (203.106.5.231) appears to be up. (203.106.5.241) appears to be up. (203.106.5.254) appears to be up.
Nmap run completed -- 32 IP addresses (7 hosts up) scanned in 2 seconds
Module 3 1-68
Basic Pen-Test
2. Port Scanning
It is a process of looking for running services in a host Telnet, FTP, SSH, WWW are all services We use port scanning to determine if a host is running these services Find port open by a Trojan horse (backdoor)
Module 3 1-69
Basic Pen-Test
Port Scanning
Favorite Ports www ftp telnet Windows Sharing DNS RPC 80 21 23 139 53 111
(cont.)
Module 3 1-70
Basic Pen-Test
netcat
Written by Hobbit (hobbit@avian.org) Can be downloaded from many security sides like: http://packetstorm.decepticons.org/ Renown as Swiss army knife Many features Can be used to do port scanning
Module 3 1-71
Basic Pen-Test
netcat
Default: TCP nc v z -w2 <IP> <Port>-<Port> nc v z -w2 203.106.5.224 1-1024 UDP nc v -u z -w2 203.106.5.224 1-1024
(cont.)
Module 3 1-72
Basic Pen-Test
Network Mapper (nmap)

Parameter sS is stealth scanning, usually undetectable Require root access nmap sS <IP> nmap sS 203.104.5.224 nmap sS 203.104.5.1-254
Module 3 1-73
Basic Pen-Test
nmap Decoy scans

Using decoy scanning to make the scanning appear to be from multiple decoy IPs Make victim reply to decoy IPs as well as to your IP The more decoy IPs, the harder the detection However, the decoy IP must be an active IP nmap sS <IP> -D decoy_ip
Module 3 1-74
Basic Pen-Test
SuperScan
Port scan and fingerprinting User friendly report in html format can do simple password brute force
Module 3 1-75
Basic Pen-Test
SuperScan
Module 3 1-76
Basic Pen-Test
SuperScan
Module 3 1-77
Basic Pen-Test
3. OS Detection
Identify the type of Operating System Useful during vulnerability-mapping phase Technique: Stack Fingerprinting
Module 3 1-78
Basic Pen-Test
Why Finger Printing?

Why?? Attacker needs to know specific OS and application version Narrow down specific exploit that his/her can used against the victim Technique commonly used Nmap O telnet www.netcraft.com/whats
Module 3 1-79
Basic Pen-Test
nmap
Port scanner + OS Detection nmap O <IP Address> Example: nmap O localhost
Module 3 1-80
Basic Pen-Test
http://www.netcraft.com
Web Server Version
Module 3 1-81
Operating System
Basic Pen-Test
Telnet to Web Server

C:\Documents and Settings\ennie\My Documents>nc -vv www.mod.gov.my 80 Warning: inverse host lookup failed for 202.185.193.57: h_errno 11004: NO_DATA www.mod.gov.my [202.185.193.57] 80 (http) open HEAD / HTTP/1.0 HTTP/1.0 200 OK Date: Tue, 17 May 2005 06:35:03 GMT Content-Type: text/html Server: Apache/1.3.33 (Unix) mod_gzip/1.3.26.1a PHP/4.3.10 mod_ssl/2.8.22 OpenSSL/0.9.7e X-Powered-By: PHP/4.3.10 Via: 1.1 NetCache (NetCache NetApp/5.6.2D4)
Module 3 1-82
Basic Pen-Test
Exercise
telnet www.victim.gov.my 80 Type: HEAD / HTTP/1.0 <enter> <enter>
Module 3 1-83
Basic Pen-Test
Answer
C:\Documents and Settings\ennie\My Documents>telnet www.mod.gov.my 80 HTTP/1.0 200 OK Date: Tue, 17 May 2005 06:42:23 GMT Content-Type: text/html Server: Apache/1.3.33 (Unix) mod_gzip/1.3.26.1a PHP/4.3.10 mod_ssl/2.8.22 OpenSSL/0.9.7e X-Powered-By: PHP/4.3.10 Via: 1.1 NetCache (NetCache NetApp/5.6.2D4)
Module 3 1-84
Basic Pen-Test
winfingerprint
http://winfingerprint.sourceforge.net WinFingerPrint Determine OS using SMB Queries -PDC (Primary Domain Controller) -BDC (Backup Domain Controller) -NT MEMBER SERVER/WORKSTATION -SQL SERVER -NOVELL NETWARE SERVER -WINDOWS FOR WORKGROUPS/WINDOWS 9X -DOMAIN\NetBIOS Name Check Service Pack
Module 3 1-85
Basic Pen-Test
Winfingerprint
(cont.)
Module 3 1-86
Basic Pen-Test
5. Automated Discovery Tools

Cheops http://www.marko.net/cheops Integrates ping, traceroute, port scanning, OS detection (via queso) Cheops is an Open Source Network User Interface. It is designed to be the network equivalent of a swiss-army knife, unifying your network utilities. Display your network lay out in graphical form
Module 3 1-87
Basic Pen-Test
Cheops
Module 3 1-88
Basic Pen-Test
Part III - Enumeration
Module 3 1-89
Basic Pen-Test
Enumeration
Extract valid account or exported resource names Level of intrusiveness involves active connections and directed queries
Module 3 1-90
Basic Pen-Test
Enumerated Information
Network Resources and Shares Users and Group Applications and Banners
Module 3 1-91
Basic Pen-Test
Windows
Domains with net view C:\net view /domain C:\net view /domain:<domain-name> NetBIOS Shares C:\net view \\<host-name> NetBIOS Auditing Tool (NAT)
NetBios Info
nbtdump
Module 3 1-92
Basic Pen-Test
Windows
User and Group Enumeration C:\nbtstat A <IP-Address> Null Sessions net use \\192.168.1.33\IPC$ /u: Application and Banner Enumeration telnet Netcat
(cont.)
Module 3 1-93
Basic Pen-Test
Further Info Gathering

http://www.netcraft.com http://www.zone-h.org Common Operating Systems BSD, Solaris, NT, Linux
Module 3 1-94
Basic Pen-Test
http://www.netcraft.com
Module 3 1-95
Basic Pen-Test

Chapter 1 - Basic Pen Test

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chapter 1 - Basic Pen Test

Uploaded by

Copyright:

Available Formats

Chapter 1 - Basic Penetration Techniques

Basic Penetration Testing

SCAN Associates Berhad

Chapter 1 - Basic Penetration Techniques

"Improving the Security of Your Site by Breaking Into it"

Chapter 1 - Basic Penetration Techniques

Chapter 1 Basic Penetration Techniques

Chapter 1 - Basic Penetration Techniques

Chapter 1 - Basic Penetration Techniques

Basic Penetration Techniques

Chapter 1 - Basic Penetration Techniques

Basic Penetration Techniques

Chapter 1 - Basic Penetration Techniques

Basic Penetration Techniques

Chapter 1 - Basic Penetration Techniques

Chapter 1 - Basic Penetration Techniques

Introduction to Penetration Testing

Chapter 1 - Basic Penetration Techniques

Why Penetration Test?

Chapter 1 - Basic Penetration Techniques

Penetration Test - Goal

Chapter 1 - Basic Penetration Techniques

What can be tested?

Applications Employees (Social Engineering)

Chapter 1 - Basic Penetration Techniques

Pen Test v. Vuln Assess v. Audit

Chapter 1 - Basic Penetration Techniques

Pen Test v. Vuln Assess v. Audit

Chapter 1 - Basic Penetration Techniques

Pen Test v. Vuln Assess v. Audit

Chapter 1 - Basic Penetration Techniques

Pen Test v. Vuln Assess v. Audit

Auditing compares current practices against a

Chapter 1 - Basic Penetration Techniques

Pen Test v. Vuln Assess v. Audit

Chapter 1 - Basic Penetration Techniques

Pen Test v. Vuln Assess v. Audit

Initial Info Outcome

Limited Access to Internal Network Internal / External Medium

List of Vulns Secure System External Short On System Long

Chapter 1 - Basic Penetration Techniques

ISO 17799 / ISO 27001 Standard for Information Security

NIST Guidelines for Network Security Testing

Chapter 1 - Basic Penetration Techniques

Chapter 1 - Basic Penetration Techniques

Chapter 1 - Basic Penetration Techniques

Common Pen Test Stage

Chapter 1 - Basic Penetration Techniques

Chapter 1 - Basic Penetration Techniques

Chapter 1 - Basic Penetration Techniques

Interesting Fact (cont.)

Chapter 1 - Basic Penetration Techniques

Chapter 1 - Basic Penetration Techniques

Chapter 1 - Basic Penetration Techniques

Chapter 1 - Basic Penetration Techniques

1.Determine the Scope of Activities

Chapter 1 - Basic Penetration Techniques

Chapter 1 - Basic Penetration Techniques

Chapter 1 - Basic Penetration Techniques

Chapter 1 - Basic Penetration Techniques

Chapter 1 - Basic Penetration Techniques

Chapter 1 - Basic Penetration Techniques

Chapter 1 - Basic Penetration Techniques