
Page 1

PRACTICE MAKES PERFECT. CREATION OF A PENETRATION TESTING

LABORATORY, PROCEDURES AND TOOLS, START TO FINISH.

LQT2 Multimedia Presentation by Thomas Butler Presented to the Information Technology College Faculty

of Western Governors University

in Partial Fulfillment of the Requirements for the Degree

Master of Science in Information Security and Assurance

February 26, 2013

Page 2

root@bt:~# WHOAMI?

Thomas Butler……Houston, Texas

CPA, CIA, CISA, CISSP, Security+, Network+, PMP

Over 20 years in DoD IT Audit (Retired)

Interested in IT Security & Penetration Testing

Started IT Security Consulting Co.-Dec 2011-http://www.butleritsec.com

Started WGU MS Degree-1 July 2012

WGU MS Degree Offers Credibility in IT Security

Page 3

PRESENTATION OVERVIEW-PER THE RUBRIC

Why I Chose This Project

Overview of Problem

What Project Consisted Of

Special Strategies Used

Successes In Achieving Milestones

Obstacles Encountered

What I Learned

How I Will Apply What I Learned

Page 4

WHY I CHOSE THIS PROJECT

A SERIOUS PROBLEM TO THE CYBERSECURITY OF THE NATION.

RESPONSE TO CURRENT CRITICISM THAT AVAILABLE SECURITY

CERTIFICATIONS DO NOT TEACH ENOUGH HANDS-ON PROCEDURES

AND THAT THEIR EXAMS DO NOT REQUIRE HANDS-ON BUT ARE

INSTEAD MULTIPLE CHOICE.

DOD AND OTHER GOVERNMENT AGENCIES CLAIM EMPLOYEES

OBTAINING AVAILABLE CERTIFICATIONS CANNOT DO THE JOB REQUIRED

DUE TO LACK OF HANDS-ON SKILLS. TRAINING NEEDS TO EMPHASIZE

MORE HANDS-ON AND LESS BOOK KNOWLEDGE. (refer to the news article on page 6)

I COULD NOT FIND A TURN-KEY, OFF-THE-SHELF SOLUTION SO

I DECIDED TO CREATE ONE.

I GOT ALL THE CERTS, THE CEH, CHFI, CISSP, SECURITY+, CCENT, BUT I NEED

HANDS-ON PRACTICE OR I WILL COMPLETELY FORGET EVERYTHING

I LEARNED.

HANDS ON PRACTICE MAKES PERFECT AND INSTILLS CONFIDENCE.

Page 5

OVERVIEW OF PROBLEM DISCUSSED IN PROJECT

THE PROBLEM! Practice on systems you do not own without

written permission is illegal.

Need more hands-on.

I needed:

A way to practice, ethically and legally

All-in-one document

Easy to follow. Easy to setup and use.

Free and/or cheap

I could not find anything that satisfied all my needs, therefore, I decided to do

this project to create a practice lab for myself. Hopefully the project will benefit

others as well.

Page 6

CAUSES OF THE PROBLEM

High demand for penetration tests>government regulations & industry standards

a. PCI-DSS (Penetration Test, Wikipedia, 2013) requires both annual and ongoing penetration testing

(after system changes).

b. FISMA-Federal Information Security Management Act, via procedures promulgated by

NIST 800-53, Appendix E (NIST 800-53, Rev. 3, 2009).

Shortage of well-trained penetration testers-THERE IS ARTICLE AFTER ARTICLE AFTER ARTICLE

a. A Barclay Simpson Corporate Governance Recruitment report on Information Security found that

the demand exceeds the supply of qualified penetration testers (Barclay Simpson, Corporate

Governance Recruitment, 2011).

b. The US Air Force is planning to go on a "hiring binge" to hire 1,000 persons in cyber operations in

2014 (Magnuson, 1/17/2013, National Defense Industrial Association Magazine, Air Force

Cyber-Operations Wing to Go on Hiring Binge).

c. "Experts say DoD cyber workers undertrained," by Zachary Fryer-Biggs, staff writer,

posted Saturday Feb 16, 2013 12:38:06 EST in the Federal Times, a Gannett publication.

http://www.marinecorpstimes.com/news/2013/02/dn-cyber-certification-021613/?goback=.gde_54384_member_216288717

"Money is not being spent on hands-on training." Others focused on the lack of hands-on training

required, resulting in broad certifications that are required for many jobs but are not specific

to any of them. Book training is simply not enough.

Page 7

MORE CAUSES OF THE PROBLEM

Requires almost daily training reinforcement practice, or skills are rapidly lost.

Every day new hacking software is introduced. Every day new vulnerabilities

are discovered.

How do you keep up if everything changes so rapidly?

Penetration testing is unique and very difficult because skills must be

transferred by computer keyboard>very labor intensive>requires humans to

think "outside the box". No two infrastructures or systems require the same

penetration testing procedures.

How do you use what was learned in CEH when testing the client's systems?

Page 8

STILL MORE CAUSES OF THE PROBLEM

Page 9

WHAT THE PROJECT CONSISTED OF

The project is documented in appendices A through G.

Appendix A: Creation of the Penetration Testing Lab

Appendix B: Penetration Testing Methodology

Appendix C: Reconnaissance and Information Gathering

Appendix D: Active Scanning and Enumeration

Appendix E: Exploitation

Appendix F: Post-exploitation and Covering Tracks

Appendix G: Technology Terms/Acronyms

Page 10

WHAT THE PROJECT CONSISTED OF

Appendix A: Creation of the Penetration Testing Lab

Three virtual machines were created on a Windows Vista host using the FREE

VMware Player.

"Attack Machine": FREE BackTrack 5 R3, an Ubuntu-based Linux distribution,

"the pen tester's premier OS and toolkit."

"Victim Machine": FREE Metasploitable, an intentionally vulnerable Linux OS created by the Metasploit Project to allow hands-on practice.

"Victim Machine": FREE BadStore.net, a Trinux-based

vulnerable OS and web app.

Did I say FREE?

Page 11

WHAT THE PROJECT CONSISTED OF

Appendix B: Penetration Testing Methodologies

Penetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from:

http://www.pentest-standard.org/index.php/Main_Page

Open Source Security Testing Methodology Manual (OSSTMM), (2013) ISECOM. Retrieved

2013 from: http://www.isecom.org/research/osstmm.html

Certified Ethical Hacker (CEH), (2013) Ethical Hacking. Retrieved 2013 from:

http://eccouncil.org

NIST 800-53, Appendix E. Retrieved from:

http://csrc.nist.gov/publications/PubsSPs.html#800-53

Page 12

WHAT THE PROJECT CONSISTED OF

Appendix C: Reconnaissance and Information Gathering

In summary of reconnaissance and footprinting, we used the following for legal, passive

reconnaissance and information gathering on J.C. Penney and provided screen-print proof

of concept (a picture is worth a thousand words). These tools are included in BackTrack 5 R3 or built

into the operating system's command line.

Google-website URL, tons of other info;

Netcraft-OS and web server running, and IP address;

SmartWhois-domain registrar information;

theHarvester-emails and subdomains;

Maltego-subdomains;

traceroute/tracert (command line)-traces the routers from origin to destination;

nslookup (command line)-finds the IP address for a domain name; on Linux, "dig" and "host" are

alternatives, but they are not available in Windows.
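What theHarvester does with a page of search results, shown as an added Python example (not part of the presentation and not theHarvester's own code): pull e-mail addresses and hostnames out of text and keep only those inside the target domain. The sample page and the domain example.com are constructed. The scope check anchors on the dot so that look-alike hosts such as example.com.evil-site.net are rejected; a sloppy substring match here is how out-of-scope systems end up in the later scanning phase, which is exactly the legal problem the project is built to avoid.

```python
import re
from typing import Dict, Set

# Constructed sample of what a search-result or cached page for the target
# might contain. example.com stands in for the real target; every address
# and host below is made up.
SAMPLE_PAGE = """
Contact: press.office@example.com, careers@Example.com
Store locator at stores.example.com and m.example.com.
Phishing look-alike: login.example.com.evil-site.net
Unrelated: admin@notexample.com, help@example.org
Trailing punctuation case: (support@example.com).
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
HOST_RE = re.compile(r"\b((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})\b")


def in_scope(host: str, domain: str) -> bool:
    """True only for the domain itself or a subdomain of it.

    The dot is anchored, so example.com.evil-site.net and notexample.com
    are rejected even though both contain the target string.
    """
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def harvest(text: str, domain: str) -> Dict[str, Set[str]]:
    """theHarvester-style extraction of in-scope e-mails and subdomains."""
    emails: Set[str] = set()
    subdomains: Set[str] = set()
    for m in EMAIL_RE.finditer(text):
        if in_scope(m.group(1), domain):
            emails.add(m.group(0).lower())
    for m in HOST_RE.finditer(text):
        host = m.group(1).lower()
        if in_scope(host, domain) and host != domain:
            subdomains.add(host)
    return {"emails": emails, "subdomains": subdomains}


if __name__ == "__main__":
    for kind, found in harvest(SAMPLE_PAGE, "example.com").items():
        print(kind, sorted(found))
```

Feed it the saved HTML of a search or a cached page and diff the output between runs; new subdomains are the interesting ones, and anything that fails in_scope is a target you have no permission for.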

Page 13

WHAT THE PROJECT CONSISTED OF

Appendix D: Active Scanning and Enumeration

Using scanning tools in BackTrack 5 R3, we performed active scanning of

Metasploitable and Badstore.net, our "victims." We provided screen

prints (a picture is worth a thousand words) for proof of concept. All these

tools are included in BT5R3.

Nmap-port scan, OS version, services running;

Nessus-port scans and vulnerability scans;

Nikto (Wikto on Windows)-web server vulnerability scans (not a general port scanner);

Metasploit-auxiliary scanner modules for ports, OS version, services running, and vulnerability checks
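An added Python example (not from the presentation) for this scanning phase: parse the XML that `nmap -oX` writes into a list of open ports with service banners, and flag any host that lies outside the lab network before the results are carried into exploitation. The XML, the 192.168.56.0/24 lab range and the service strings are constructed; check the range against what VMware Player actually assigned to your virtual network.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import List, Tuple

# The only network this lab is allowed to scan. Assumed value: use whatever
# range VMware Player assigned to the virtual network your three VMs share.
LAB_SCOPE = ipaddress.ip_network("192.168.56.0/24")

# Constructed nmap -oX output, trimmed to the elements the parser reads.
# Addresses, hostnames and service strings are illustrative, not scan results.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX lab.xml 192.168.56.0/24">
  <host><status state="up"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <hostnames><hostname name="metasploitable" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/>
        <service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.56.102" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""

Finding = Tuple[str, int, str, str]  # (ip, port, service name, product/version)


def parse_open_ports(xml_text: str) -> List[Finding]:
    """Return (ip, port, service, banner) for every open port in the scan."""
    findings: List[Finding] = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are noise for the exploitation phase
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            parts = [svc.get("product"), svc.get("version")] if svc is not None else []
            banner = " ".join(p for p in parts if p)
            findings.append((ip, int(port.get("portid")), name, banner))
    return findings


def out_of_scope(findings: List[Finding], scope=LAB_SCOPE) -> List[str]:
    """Hosts in the results that are not inside the permitted lab range.

    Anything listed here was scanned without authorization and must not be
    carried into exploitation; a non-empty list means the target argument
    given to nmap was wider than the lab.
    """
    return sorted({ip for ip, _, _, _ in findings if ipaddress.ip_address(ip) not in scope})


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_NMAP_XML)
    for ip, port, name, banner in found:
        print(f"{ip}:{port}/{name} {banner}")
    print("OUT OF SCOPE:", out_of_scope(found))
```

The same scope check belongs in front of the scan as well: run it over the target list before nmap starts, not only over the results.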

Page 14

WHAT THE PROJECT CONSISTED OF

Appendix E: Exploitation with Metasploit

Metasploit, included free in BackTrack 5 R3 (msfconsole). Proof-of-concept

screen prints (a picture is worth a thousand words) are included in the project.

Command line: root@bt:~# /pentest/exploits/framework2/msfconsole

OR>

root@bt:~# /opt/metasploit/msf3/msfconsole

modules: auxiliary, exploits, payloads

We also used Armitage, a GUI front end for Metasploit

Command line: root@bt:~# /opt/metasploit/msf3/armitage

modules: auxiliary, exploits, payloads

Page 15

WHAT THE PROJECT CONSISTED OF

Appendix F: Post-exploitation and Covering Tracks

Not a lot of in-depth information is available on this topic!

Post-Exploitation: Got root? Elevation of privilege; create a

user and add it to the Administrators group; offline and online password

attacks with John the Ripper, Pass the Hash, and Cain and Abel.

Covering Tracks: use Metasploit (the Meterpreter clearev command) to clear Event Logs. Use

Metasploit (the Meterpreter timestomp command) to alter file timestamps; they are back-dated or blanked, not removed.
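The timestamp step deserves a caveat, shown here as an added Python example (not from the presentation and not Metasploit code). A timestomp-style tool can set a file's access and modification times to anything, but on Linux and other Unix filesystems the change time (ctime) is written by the kernel whenever the inode is modified, including by that very call, and cannot be set from user space. A file whose ctime is much later than its mtime is therefore a tell for the forensic examiner. The temporary file, the one-year back-date and the one-second tolerance are constructed assumptions. (On NTFS the analogous check compares the $STANDARD_INFORMATION timestamps, which SetFileTime-based tools rewrite, against the $FILE_NAME timestamps, which they do not.)

```python
import os
import tempfile
import time
from typing import Dict, Tuple


def backdate(path: str, when: float) -> Dict[str, float]:
    """Set atime and mtime to `when`, as a timestomp-style tool does, and
    return all three stat timestamps afterwards."""
    os.utime(path, (when, when))
    st = os.stat(path)
    return {"atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime}


def looks_stomped(path: str, tolerance: float = 1.0) -> bool:
    """Heuristic for Unix filesystems: ctime is set by the kernel on any inode
    change, including the utime() call above, and cannot be set from user
    space, so a file whose mtime precedes its ctime by more than `tolerance`
    seconds had its metadata touched after its supposed last write. The
    tolerance is an assumption chosen to absorb filesystem granularity."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > tolerance


def demo() -> Tuple[bool, bool, Dict[str, float]]:
    """Create a file, check it, back-date it a year, check again."""
    fd, path = tempfile.mkstemp(prefix="lab-artifact-")
    try:
        os.write(fd, b"constructed lab artifact\n")
        os.close(fd)
        untouched = looks_stomped(path)                      # freshly written: not flagged
        stamps = backdate(path, time.time() - 365 * 86400)   # the "covering tracks" step
        return untouched, looks_stomped(path), stamps        # now flagged
    finally:
        os.unlink(path)


if __name__ == "__main__":
    before, after, stamps = demo()
    print(f"flagged before timestomp: {before}, after: {after}")
    print(f"mtime={time.ctime(stamps['mtime'])}  ctime={time.ctime(stamps['ctime'])}")
```

Run `find / -newerct '1 day ago' ! -newermt '1 day ago'` style searches on a victim after your own timestomp practice to see the same tell from the defender's side.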

Page 16

WHAT THE PROJECT CONSISTED OF

Appendix G: Technology Terms/Acronyms

Includes 33 definitions of terms

Page 17

SPECIAL STRATEGIES USED

Member of 41 LinkedIn IT security groups>to share

information with IT security groups

Subscriptions to 35 IT security tutorial blogs>to learn IT

security and ethical hacking

750 LinkedIn connections>to share information with IT

security individuals

Some basic knowledge of HTML, SQL, Python

Page 18

SUCCESSES IN ACHIEVING MILESTONES

All files were downloaded and installed successfully with no problems.

All three virtual machines were successfully created, opened

simultaneously, and run simultaneously on my Windows Vista box

with no memory problems. My Windows box has 4 GB RAM and

I allocated 1 GB RAM for the "attack" machine and 0.5 GB RAM for each

"victim" machine, leaving approx. 2 GB RAM for the Windows box.

All penetration testing tools were run successfully and proof-of-concept

screen prints were obtained for all tools.

Page 19

OBSTACLES ENCOUNTERED

Limitation: the lab includes only software. Practice in this lab will not encounter

hardware firewalls, routers, switches, hardware intrusion detection/prevention systems,

and other hardware security devices that would be encountered in a

real-world penetration test.

I somewhat lacked intermediate programming knowledge. I recommend

that the penetration testing student learn the following languages:

HTML (and the HTTP request/response cycle) to understand what

web proxies like Paros Proxy, WebScarab Proxy, and Burp Proxy show you

SQL to understand SQL injection, for use of tools like

sqlmap and for manual injection of code

Python to understand most of the penetration testing tools

in BackTrack 5 R3, for tools like theHarvester. The predominant

language for most tools in BT5R3 is Python.

root@bt:~# ./theHarvester.py
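As an added example (not part of the presentation) of why the SQL recommendation matters: the same login check written with string concatenation and with a parameterized query, run against a constructed in-memory SQLite table. The user names and passwords are made up, and the unsalted SHA-256 used to store them is a simplification so the example stays on the query; it is not a recommended password store. The second payload shows why the textbook `' OR '1'='1` does not bypass this particular query: AND binds tighter than OR, so the password check still applies unless the rest of the statement is commented out, which is the kind of thing sqlmap works out for you and manual injection requires you to know.

```python
import hashlib
import sqlite3
from typing import Dict


def _h(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory user table; names and passwords are made up.
    Unsalted SHA-256 keeps the example short; it is not a suitable password store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    for user, pw in [("admin", "Correct-Horse-7"), ("tbutler", "lab-only")]:
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, _h(pw)))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the statement by concatenation: whatever the user types becomes
    part of the SQL grammar. This is the injection, kept deliberately."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username +
        "' AND pw_hash = '" + _h(password) + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the driver sends values separately from the
    statement, so quotes and comment markers in them are only characters."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND pw_hash = ?",
        (username, _h(password)),
    ).fetchone()
    return row[0] > 0


# Classic bypass payloads typed into the username field with a wrong password.
PAYLOADS = {
    "comment":    "admin' --",        # closes the quote, comments out the hash check
    "or_only":    "' OR '1'='1",      # OR without comment: AND still binds the hash check
    "or_comment": "' OR '1'='1' --",  # OR plus comment: true for every row
}


def try_payloads(conn: sqlite3.Connection) -> Dict[str, Dict[str, bool]]:
    """Outcome of each payload against both implementations."""
    return {
        name: {"vulnerable": login_vulnerable(conn, payload, "wrong"),
               "safe": login_safe(conn, payload, "wrong")}
        for name, payload in PAYLOADS.items()
    }


if __name__ == "__main__":
    db = setup_db()
    for name, result in try_payloads(db).items():
        print(f"{name:11s} vulnerable={result['vulnerable']} safe={result['safe']}")
```

BadStore.net's login and search forms are the place to try the same three strings by hand before pointing sqlmap at them.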

Page 20

WHAT I LEARNED

A penetration test should not just be to gain access, get a shell, and quit. It should be an audit of

the IT security posture, and the goal should be to identify as many vulnerabilities as possible that need

fixing.

Money is wasted on training-Companies with a lot of money and the US Government (DoD) will send

their employees to SANS training for a 4-day crash course. Costs of travel, hotel, per diem, salary, and

SANS course fee could be > $10K for one student. The student returns to work and still cannot

do the job. (refer to the recent news article on slide 6)

There has to be a better way. WGU is part of the solution to a better way.

Cyberlaw, regulations, and compliance-Penetration testing without written permission is

illegal. Some regulations and industry standards require periodic penetration testing, e.g.

PCI-DSS, FISMA.

Leadership and professionalism-Penetration testing is not a true profession like CPA, law,

medicine, etc. There is no barrier to entry. A barber needs a state license;

a penetration tester does not. Anyone can hold themselves out to be a penetration tester.

High ethical standards should be required for penetration testers:

background checks, criminal checks, financial and credit checks, REFERENCES,

memberships in IT security organizations, and certifications.

Page 21

WHAT I LEARNED

Security Planning and Management-Organizations need to:

Start with a framework and set of internal controls such as ISO 27000/27001/27002;

Set a reasonable policy that can be followed and enforced;

Train employees;

Create policy that requires vulnerability scans, periodic penetration testing,

periodic IT security audits, and periodic IT policy compliance audits.

Systems Security-There is no such thing as 100% security;

A penetration test is only one part of "defense in depth." Perimeter defenses such as firewalls,

routers, switches, IDS/IPS, and web application and database monitoring systems must be properly

configured;

Patches and AV must be kept up to date;

Log files must be filtered (quantity reduced) and suspicious log entries must be examined.
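An added Python example (not from the presentation) of the last point: filter a constructed sshd auth log down to authentication events, count failures per source address, and raise an alert when a source exceeds a threshold or logs in successfully after a run of failures, which is the pattern an online password attack against the lab victim leaves behind. The log lines, hosts and addresses are constructed (msfadmin is only the Metasploitable account name), and the threshold of three is an assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sshd lines in syslog format for the lab victim; every host,
# user and address is made up.
SAMPLE_AUTH_LOG = """\
Feb 26 10:01:02 victim sshd[2201]: Failed password for root from 192.168.56.10 port 40122 ssh2
Feb 26 10:01:03 victim sshd[2201]: Failed password for root from 192.168.56.10 port 40123 ssh2
Feb 26 10:01:03 victim sshd[2201]: Failed password for msfadmin from 192.168.56.10 port 40124 ssh2
Feb 26 10:01:04 victim sshd[2201]: Failed password for invalid user test from 192.168.56.10 port 40125 ssh2
Feb 26 10:01:05 victim sshd[2201]: Failed password for msfadmin from 192.168.56.10 port 40126 ssh2
Feb 26 10:01:06 victim sshd[2201]: Accepted password for msfadmin from 192.168.56.10 port 40127 ssh2
Feb 26 10:05:00 victim sshd[2310]: Accepted publickey for tbutler from 192.168.56.1 port 50001 ssh2
Feb 26 10:06:00 victim sshd[2311]: Failed password for tbutler from 192.168.56.1 port 50002 ssh2
Feb 26 10:06:05 victim sshd[2311]: Accepted password for tbutler from 192.168.56.1 port 50003 ssh2
Feb 26 10:07:00 victim CRON[2400]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)


def triage(log: str, threshold: int = 3) -> Dict[str, object]:
    """Reduce the log to sshd authentication events, then flag
    (a) sources with `threshold` or more failures and
    (b) a success from a source that already had that many failures."""
    failures: Dict[str, int] = defaultdict(int)
    alerts: List[str] = []
    kept = 0
    for line in log.splitlines():
        m = AUTH_RE.search(line)
        if m is None:
            continue  # cron, sudo, kernel and the rest are filtered out here
        kept += 1
        outcome, user, ip = m.groups()
        if outcome == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            alerts.append(f"{ip}: success for {user} after {failures[ip]} failures")
    sources = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {"events_kept": kept, "brute_force_sources": sources,
            "success_after_failures": alerts}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_AUTH_LOG).items():
        print(key, value)
```

A single mistyped password from the admin workstation (192.168.56.1) stays below the threshold and produces no alert; the run from the attack machine does, and the success that follows it is the line worth examining first.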

Page 22

HOW I WILL APPLY WHAT I LEARNED

I will apply the knowledge to running the company,

http://www.butleritsec.com, an IT security consulting

company.

I will apply the knowledge to provide the best value to

clients in a highly ethical way.

I will continuously study and practice hands-on.

I am just beginning to learn.

Page 23

REFERENCES

Penetration Test, (2013) Wikipedia. Retrieved 2013 from: http://en.wikipedia.org/wiki/Penetration_test

NIST 800-53 and Federal Information Processing Standards (FIPS) 200. Retrieved from:

http://csrc.nist.gov/publications/PubsSPs.html#800-53

Barclay Simpson, Corporate Governance Recruitment, (2011) Market Report on Information Security. Retrieved 2013

from: http://www.barclaysimpson.com/document_uploaded/BS_InfoSec_2011.pdf

Magnuson, (2013) National Defense Industrial Association Magazine, Air Force Cyber-Operations Wing to Go on

Hiring Binge. Retrieved 2013 from:

http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=1026&goback=.gde_1836487_member_205634892

Penetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from:

http://www.pentest-standard.org/index.php/Main_Page

Open Source Security Testing Methodology Manual (OSSTMM), (2013) ISECOM. Retrieved 2013 from:

http://www.isecom.org/research/osstmm.html

Certified Ethical Hacker (CEH), (2013) Ethical Hacking. Retrieved 2013 from: http://eccouncil.org

Fryer-Biggs, Zachary, (2013) Experts say DoD cyber workers undertrained. Federal Times (a Gannett publication),

posted Saturday Feb 16, 2013 12:38:06 EST. Retrieved 2013 from:

http://www.marinecorpstimes.com/news/2013/02/dn-cyber-certification-021613/?goback=.gde_54384_member_216288717

Page 24

FINIS

A THANK YOU TO ALL THE WGU IT FACULTY

CINDY

WENDY

NORMA

CHARLES

AND MY MENTOR, BRETT

I HAVE THOROUGHLY ENJOYED THE EXPERIENCE

QUESTIONS FOR ME?

