Date post:01-Nov-2014
View:638 times
Download:3 times
Share this document with a friend
  • 1. PRACTICE MAKES PERFECT. CREATION OF A PENETRATION TESTING LABORATORY, PROCEDURES AND TOOLS, START TO FINISH.LQT2 Multimedia Presentation by Thomas ButlerPresented to the Information Technology College Facultyof Western Governors Universityin Partial Fulfillment of the Requirements for the DegreeMaster of Science in Information Security and Assurance February 26, 2013Powerpoint TemplatesPage 1

2. [email protected]:~# WHOAMI? Thomas ButlerHouston, TexasCPA, CIA, CISA, CISSP, Security+, Network+, PMP Over 20 years in DoD IT Audit (Retired) Interested in IT Security & Penetration TestingStarted IT Security Consulting Co.-Dec 2011-http://www.butleritsec.comStarted WGU MS Degree-1 July 2012WGU MS Degree Offers Credibility in IT SecurityPowerpoint TemplatesPage 2 3. PRESENTATION OVERVIEW-PER THE RUBRICWhy I Chose This Project Overview of ProblemWhat Project Consisted OfSpecial Strategies Used Successes In Achieving MilestonesObstacles Encountered What I Learned How I Will Apply What I LearnedPowerpoint TemplatesPage 3 4. WHY I CHOSE THIS PROJECTA SERIOUS PROBLEM TO THE CYBERSECURITY OF THE NATION. RESPONSE TO CURRENT CRITICISM THAT AVAILABLE SECURITYCERTIFICATIONS DO NOT TEACH ENOUGH HANDS-ON PROCEDURESAND THAT THEIR EXAMS DO NOT REQUIRE HANDS-ON BUT AREINSTEAD MULTIPLE CHOICE. DOD AND OTHER GOVERNMENT AGENCIES CLAIM EMPLOYEESOBTAINING AVAILABLE CERTIFICATIONS CANNOT DO THE JOB REQUIREDDUE TO LACK OF HANDS-ON SKILLS. TRAINING NEEDS TO EMPHASIZEMORE HANDS-ON AND LESS BOOK KNOWLEDGE. (refer to news article in page 6) I COULD NOT FIND A TURN-KEY, OFF THE-SHELF SOLUTION SOI DECIDED TO CREATE ONE. I GOT ALL THE CERTS , THE CEH, CHFI, CISSP, SECURITY+, CCENT, BUT I NEEDHANDS-ON PRACTICE OR I WILL COMPLETELY FORGET EVERYTHINGI LEARNED. HANDS ON PRACTICE MAKES PERFECT AND INSTILLS CONFIDENCE.Powerpoint Templates Page 4 5. OVERVIEW OF PROBLEM DISCUSSED IN PROJECTTHE PROBLEM! Practice on systems you do not own withoutwritten permission is illegal.Need more hands-on. I needed: A way to practice, ethically and legally All-in-one document Easy to follow. Easy to setup and use. Free and/or cheap I could not find anything that satisfied all my needs, therefore, I decided to do this project to create a practice lab for myself. Hopefully the project will benefit others as well.Powerpoint TemplatesPage 5 6. CAUSES OF THE PROBLEMHigh demand for penetration tests>government regulations & industry standardsa. PCI-DSS (Penetration Testing. Wikipedia, 2013) requires both annual and ongoing penetration testing (after system changes).a. FISMA -Federal Information Security Management Act (FISMA) via procedures promulgated by NIST 800-53, Appendix E. (NIST 800-53, Rev. 3, 2009)Shortage of well-trained penetration testers-THERE IS ARTICLE AFTER ARTICLE AFTER ARTICLEa.A Barclay Simpson Corporate Governance Recruitment report on Information Security found thatthe demand exceeds the supply of qualified penetration testers (Barclay Simpson, CorporateGovernance Recruitment, 2011).b.US Air Force is planning on going on a hiring binge to hire 1,000 persons in cyber operations in2014 (Magnuson, 1/17/2013). National Defense Industrial Association Magazine, 2111 Wilson Blvd.,Suite 400, Arlington, VA 22201, Air Force Cyber-Operations Wing to Go on Hiring Binge). c. Experts say DoD cyber workers undertrained By Zachary Fryer-Biggs - Staff writerPosted : Saturday Feb 16, 2013 12:38:06 EST in the Federal Times a Gannett Pub.http://www.marinecorpstimes.com/news/2013/02/dn-cyber-certification-021613/?goback=.gde_54384_member_216288717Money is not being spent on hands-on training. Others focused on the lack of hands-on training required, resulting in broad certifications that are required for many jobs but are not specific to any of them. Book training is simply not enough.Powerpoint TemplatesPage 6 7. MORE CAUSES OF THE PROBLEMRequires almost daily training reinforcement practice, or skills rapidly lost.Every day new hacking software is introduced. Every day new vulnerabilitiesare discovered.How do you keep up if everything changes so rapidly?Penetration testing is unique and very difficult because skills must betransferred by computer keyboard>very labor intensive>requires humans tothink outside the box. No two infrastructures or system requires the samepenetration testing procedures.How do you use what was learned in CEH when testing the clients systems? Powerpoint TemplatesPage 7 8. STILL MORE CAUSES OF THE PROBLEM Powerpoint Templates Page 8 9. WHAT THE PROJECT CONSISTED OFThe project is documented in appendices A through G. Appendix A: Creation of the Penetration Testing Lab Appendix B: Penetration Testing Methodology Appendix C: Reconnaissance and InformationGathering Appendix D: Active Scanning and Enumeration Appendix E: Exploitation Appendix F: Post-exploitation and Covering Tracks Appendix G: Technology Terms/AcronymsPowerpoint Templates Page 9 10. WHAT THE PROJECT CONSISTED OFAppendix A: Creation of the Penetration Testing LabThree virtual machines created within a Windows Vista OS using FREEVMWare Player community editionAttack Machine FREE Linux Ubuntu Backtrack5R3The pen testers premier OS and toolkit.Victim Machine FREE Linux Metasploitable-OS-Created by Metasploit Project to allow hands-on practiceVictim Machine FREE Trinux Badstore.net-vulnerable OS and Web AppDid I say FREE?Powerpoint TemplatesPage 10 11. WHAT THE PROJECT CONSISTED OFAppendix B: Penetration Testing MethodologiesPenetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from:http://www.pentest-standard.org/index.php/Main_PageOpen System Security Testing Methodology Manual, (2013) ISECOM. Retrieved2013 from: http://www.isecom.org/research/osstmm.htmlCertified Ethical Hacker (CEH), (2013) Ethical Hacking. Retrieved 2013 from:http://eccouncil.orgNIST 800-53, Appendix E. Retrieved from: http://csrc.nist.gov/publications/PubsSPs.html#800-53Powerpoint Templates Page 11 12. WHAT THE PROJECT CONSISTED OFAppendix C: Reconnaissance and Information GatheringIn summary of reconnaissance and foot printing, we have used the following for legal, passive,reconnaissance and information gathering on J.C.Penney and have provided screen print proofof concept (picture worth a thousand words). These tools are included in Backtrack5R3 or builtinto command line.Google-website URL, tons of other info;Netcraft-OS & Web server running and IP address;SmartWhoIs-Domain Registrar informationtheHarvester-Emails and Sub-domains;Maltego-Subdomains; traceroute/tracert command line-traces routers from origin to destination; nslookup command line-finds IP address from domain name>Linux dig and host arealternatives, but NA in WindowsPowerpoint Templates Page 12 13. WHAT THE PROJECT CONSISTED OFAppendix D: Active Scanning and EnumerationUsing scanning tools in Backtrack5R3, we performed active scanning ofMetasploitable and Badstore.net, our victims. We provided screenprints (picture worth a thousand words)for proof of concept. All thesetools are included in BT5R3. Nmap-port scan, OS version, services running; Nessus-port scans and vulnerability scans; Nikto (Wikto-Windows)-port scans and vulnerability scans; Metasploit-port, OS version, services running, vulnerabilityPowerpoint Templates Page 13 14. WHAT THE PROJECT CONSISTED OF Appendix E: Exploitation with MetasploitMetasploit-included free in Backtrack5R3-msfconsole. Proof of conceptscreen prints (picture worth a thousand words) included in project.Command line: [email protected]:~# /pentest/exploits/framework2/msfconsole OR>[email protected]:~# /opt/metasploit/msf3/msfconsole modules: auxiliary, exploits, payloadsWe also used Armitage-a GUI for MetasploitCommand line:[email protected]:~# /opt/metasploit/msf3/armitage modules: auxiliary, exploits, payloads Powerpoint Templates Page 14 15. WHAT THE PROJECT CONSISTED OFAppendix F: Post-exploitation and Covering TracksNot a lot of in-depth information available on this topic!Post-Exploitation: Got Root?, Elevation of privilege=Createuser, Add user to Admin Group; Offline and online passwordattacks, John the Ripper, Pass the Hash, Cain and Abel.Covering Tracks: Use Metaspoit to delete Event Logs. Use Metasploit to remove file timestamps.Powerpoint TemplatesPage 15 16. WHAT THE PROJECT CONSISTED OFAppendix G: Technology Terms/AcronymsIncludes 33 definition of termsPowerpoint TemplatesPage 16 17. SPECIAL STRATEGIES USEDMember of 41 Linked-In IT Security Groups>To share information with IT security groupsSubscriptions to 35 IT Security Tutorial Blogs>To learn IT security and ethical hacking750 Linked-In Connections>To share information with IT security individualsSome basic knowledge of HTML, SQL, PYTHONPowerpoint TemplatesPage 17 18. SUCCESSES IN ACHIEVING MILESTONESAll files were downloaded and installed successfully with no problemsAll three virtual machines were successfully created, opened simultaneously, and run simultaneously on my Windows Vista box with no memory problems. My Windows box has 4 G RAM and I allocated 1G RAM for the attack machine and .5G RAM for each victim machine leaving approx. 2 G RAM for the Windows box.All penetration testing tools were run successfully and proof of concept screen prints were obtained for all tools. Powerpoint TemplatesPage 18 19. OBSTACLES ENCOUNTEREDLimitation: Lab only includes software. Practice in this lab will not encounter Hardware firewalls, routers, switches, hardware intrusion systems, and other hardware security devices that would be encountered in a real world penetration test.I somewhat lacked an intermediate programming knowledge. I recommendthat the penetration testing student learn the following programming languages:HTML to understand http requests and responses for use of web proxies like Paros Proxy, Webscarab Proxy, Burp ProxySQL to understand SQL injection for use of tools like SQLMap and manual injection of codePYTHON to understand most of the penetration testing tools in Backtrack5R3 for tools like theHarvester. The predominant language for most tools in BT5R3 is python. [email protected]:~# ./theHarvester.py Powerpoint TemplatesPage 19 20. WHAT I LEARNEDA penetration test should not just be to gain access and get a shell and quit. It should be an audit ofthe IT security posture and the goal should be to identify as many vulnerabilities as possible that needfixing.Money is wasted on training-Companies with a lot of money and the US Government (DoD) will send their employees to SANS training for a 4 day crash course. Costs of travel, hotel, per diem, salary, SANS Course fee could be > $10K for one student. Student returns to work and still cannot do the job. (refer to recent news article in slide 6)There has to be a better way. WGU is part of the solution to a better wayCyberlaw, regulations, and compliance-Penetration testing without written permission is illegal. Some regulations and industry standards require periodic penetration testing, i.e. PCI-DSS, FISMA.Leadership and professionalism-penetration testing is not a true profession like CPA, law, medicine, etc. There is no barrier to entry. A barber needs a state license; a penetration tester does not. Anyone can hold themselves out to be a penetration tester.High ethical standards should be required for penetration testers. Background checks, criminal checks, financial and credit checks, REFERENCES, memberships in IT security organizations, and certifications. Powerpoint Templates Page 20 21. WHAT I LEARNEDSecurity Planning and Management- Organizations need to:Start with a framework and set of internal controls such as ISO 27000/27001/27002;Set a reasonable policy that can be followed and enforced;Employee training ;Create policy that requires vulnerability scans, periodic penetration testing, periodic IT security audits, and periodic IT policy compliance audits. Systems SecurityNo such thing as 100% security;Penetration test is only one part of defense in depth. Perimeter defenses such as firewalls, routers, switches, IDS/IPS, web application and database monitoring systems must be properly configured; Patches and AV must be kept up to date.Log files must be filtered (quantity reduced) and suspicious log entries must be examined.Powerpoint TemplatesPage 21 22. HOW I WILL APPLY WHAT I LEARNEDI will apply the knowledge to running the companyhttp://www.butleritsec.com , an IT Security consultantCompanyI will apply the knowledge to provide best value to clients in a highly ethical way.I will continuously study and practice hands-on.I am just beginning to learn.Powerpoint Templates Page 22 23. REFERENCESPenetration Test, (2013) Wikipedia. Retrieved 2013 from: http://en.wikipedia.org/wiki/Penetration_testNIST 800-53 and Federal Information Processing Standards (FIPS) 200 Retrieved from:http://csrc.nist.gov/publications/PubsSPs.html#800-53.Barclay Simpson, Corporate Governance Recruitment, (2011) Market Report on Information Security. Retrieved 2013from: http://www.barclaysimpson.com/document_uploaded/BS_InfoSec_2011.pdfMagnuson, (2013) National Defense Industrial Association Magazine, Air Force Cyber-Operations Wing to Go onHiring Binge. Retrieved 2013 from:http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=1026&goback=.gde_1836487_member_205634892Penetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from: http://www.pentest-standard.org/index.php/Main_PageOpen System Security Testing Methodology Manual, (2013) ISECOM. Retrieved 2013 from:http://www.isecom.org/research/osstmm.htmlCertified Ethical Hacker (CEH), (2013) Ethical Hacking. Retrieved 2013 from: http://eccouncil.orgExperts say DoD cyber workers undertrained By Zachary Fryer-Biggs - Staff writerPosted : Saturday Feb 16, 2013 12:38:06 EST in the Federal Times a Gannett Pub.http://www.marinecorpstimes.com/news/2013/02/dn-cyber-certification-021613/?goback=.gde_54384_member_216288717Powerpoint Templates Page 23 24. FINISA THANK YOU TO ALL THE WGU IT FACULTYCINDY WENDY NORMACHARLESAND MY MENTOR, BRETTI HAVE THOROUGHLY ENJOYED THE EXPERIENCE QUESTIONS FOR ME? Powerpoint Templates Page 24

Popular Tags:

Click here to load reader

Reader Image
Embed Size (px)