HOW TO HACK DAY 1

Penetration 101 - Introduction to becoming a
Penetration Tester (day 1)

Introduction
Over the past two years we have been hearing in the news about many more Denial of
Service attacks on high-profile companies like Yahoo and Microsoft. We have also
been hearing that hacking attacks and website defacements are becoming more
frequent and are happening to thousands of companies worldwide. The time has come
when we need to protect ourselves from everyone out there, be it our company rivals,
the seasoned hacker or just Joe Bloggs the teenager down the road. We need to protect
our company’s infrastructure as we do our homes and personal property. Two
to three decades ago, people were quite happy to leave their houses and cars
unlocked, and even to leave the doors of their houses wide open, due to low crime levels.
Times are constantly changing and the world is becoming a much worse place to live and
work in. To better protect your network you need to know about current and past
vulnerabilities and patch all equipment as soon as patches are made
available. However, this alone will not protect you. Everyone is human (or at least in
this day and age), and we all make mistakes, whether it’s granting full access
permissions to a server by accident or not setting a password on the administrator
account because it makes life easier for us to manage. No matter how much patching
you do to your environment, the systems can still be vulnerable to attack. This is
where penetration testing comes in.
Hackers and other people who might want to get into your network will perform
attacks on your systems. You need to find out what they do and perform the same
sorts of attacks yourself, attempting to penetrate your network and locate
compromised systems.


What is Penetration Testing?
Penetration testing involves performing various reconnaissance scans against your
perimeter defenses, boundary routers, firewalls, switches, network devices, servers
and workstations to allow you to see which devices are within your environment and
to determine the overall layout and topology of the network. Once this has been
gathered, you can collate this information and then look at an attack vector to try
and penetrate the identified systems to see if they can be compromised, using known
vulnerability scans, attacks and denial of service attacks. When performing
penetration testing you are essentially taking on the role of the hacker. You will be
looking at using tools like ping to detect if hosts are live, and port scanners for any hosts
that may deny ICMP echo requests/replies (pings) and to identify which ports
are open on devices, enabling you to create a footprint of what these devices are used
for. (10)
The overall plan is to map out the entire network and to make sure any vulnerable
devices are known and patched frequently.
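The ping-versus-port-scanner point above in working code, as an added example (not code from the original article): TCP connect probes against a lab host classify each port, and a refused connection (RST) proves the host is live even when it drops ICMP echo. The port list is a constructed default; only run this against your own test environment.

```python
"""Lab-host footprint using TCP connect probes. A refused connection (RST) still
proves a host is live even when it drops ICMP echo requests, which is why port
scanners find hosts that ping cannot. Added example; not code from the original."""
import errno
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed default set: a handful of common service ports for the footprint.
DEFAULT_PORTS = (21, 22, 23, 25, 80, 110, 139, 143, 443, 445, 3389)


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Return 'open', 'closed' (host answered with RST) or 'filtered' (no answer)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        err = sock.connect_ex((host, port))   # returns an errno instead of raising
    if err == 0:
        return "open"
    if err == errno.ECONNREFUSED:
        return "closed"
    return "filtered"   # timeout, host unreachable, dropped by a firewall, etc.


def footprint(host: str, ports=DEFAULT_PORTS, timeout: float = 1.0) -> dict:
    """Probe every port concurrently and summarise what the host reveals."""
    with ThreadPoolExecutor(max_workers=16) as pool:
        states = dict(zip(ports, pool.map(lambda p: probe(host, p, timeout), ports)))
    summary = {s: sorted(p for p, st in states.items() if st == s)
               for s in ("open", "closed", "filtered")}
    # Any open or closed port means something answered: the host is live even
    # if it silently drops ICMP echo (ping).
    summary["host"] = host
    summary["live"] = bool(summary["open"] or summary["closed"])
    return summary


if __name__ == "__main__":
    import sys
    # Only point this at hosts in your own test environment.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = footprint(target)
    print(f"{target}: live={result['live']} open={result['open']} "
          f"closed={result['closed']} filtered={result['filtered']}")
```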


Why do we perform penetration testing?
Hackers like to spend most of their time finding holes in computer systems, where
poor coding is mostly to blame for creating vulnerabilities. Hackers then like to take
this knowledge and apply it to real world scenarios by attacking your network. They
may be doing this as a grudge because they weren’t hired by your company, or
perhaps were fired at some stage, or they simply don’t like your company, or just want to
get a kudos kick out of saying, been there, done that! To try and protect our
computer systems from these hackers, we need to check for known vulnerabilities and
exploits within our own systems. Vulnerabilities can consist of bugs,
application back doors, spyware that has entered the code of the application,
operating system or firmware at development time of the product, or files that have
been replaced at a later date in the form of viruses or Trojans.
Over the past two years we’ve seen many hackers performing denial of service attacks
against ISPs (1), banks (2), and even world governments (3). The Carnegie Mellon
Software Engineering Institute’s Computer Emergency Response Team (CERT) and
many other CERTs collate known and new vulnerabilities across all systems,
platforms and applications and publish these to the security community and to the
companies who created the systems, in the hope that people will become more
aware of vulnerable systems and to allow the creators of these products to create
and distribute patches. In the event of a patch taking a while, in
most cases a technical workaround is published to harden the systems that may be
affected by the vulnerability.


Outsourcing
Outsourcing penetration testing can be a very costly exercise and one that you might
want to perform only once a year. The problem with most networks is that they are
constantly changing. People move equipment around the office or between office
locations and also install software on PCs and servers, so a penetration test only
gives you a snapshot of compromised systems at that moment in time, to serve as a
guide. You also have to be extra vigilant when employing a security testing company.
You need to make sure they have liability insurance! Do they come with certified
security credentials? (4) Do they bait and switch? (5) Or do they employ real-life
hackers who have their own agenda?


My Network is secure!
“I understand all of what you have said, but my network IS secure, why should I
authorize spending all this money on checking our network when it is not necessary?”
The simple answer is insecurity. You may think you are secure, but in most cases
companies find, once they have had their first penetration test performed, that most
of their personal, private and highly confidential data is or can be compromised very
quickly, and in some cases is left wide open for anyone to view, even your closest
competitors! People around the world prior to September 11th 2001 believed, even
though there were wars happening across international borders, that each country was
secure within its own territory. September 11th showed us that absolutely nobody is
secure. Be it from a terrorist standpoint, with bombs, plastic explosives and
terrorists allowed onto planes which can easily be hijacked, or in securing our networks
from this same class of people and from hackers who stealth themselves online and are
now taking war to the next level: cyber crime and cyber terrorism.


My network isn’t connected to the Internet, so why should I worry?
Attacks don’t just come from the Internet. Although the majority of attacks do, you
will also find hackers running programs called war dialers to target telephone exchanges
within your company, dialing in remotely to your network’s remote access points, and
some hackers have the plain nerve just to walk into your offices, sit down at a
workstation and start working from there. You may even find your own staff
trying to hack into internal servers to look at sensitive company data like payroll. If
someone came into your office and sat down at a vacant desk with a computer on it,
would you get up, ask who they are and tell them to leave? Most people don’t,
because they prefer to avoid conflict. They would just happily assume this person has
been brought into the company as a contractor, an installer or perhaps a new member
of staff. Also be aware, as technology is still evolving at a terrific rate, that many
companies are now adopting wireless networks. There has already been a case where
RSA Security drove through the City of London armed with only a laptop, a wireless
network card and some free software downloaded from the Internet and found they could
pick up the traffic of dozens of corporate WLANs ‘leaking’ out of buildings, which
could invariably allow them to grab company data without anyone in that company
knowing. There have been a few substantiated reports that even an empty tin of
Pringles will make a good wireless antenna/receiver (6,7,9).


The ultimate goal of penetration testing
The ultimate goal is to see how secure your network is, or from a hacker’s point of
view, how insecure your network currently is. You need to be able to test all systems
that are on your network, no matter which operating system or application they run.

If there's one thing you need to remember it’s this… ALL SYSTEMS ARE
VULNERABLE! Some more than others, but no system is ever 100% secure, either
now or in the future. If your network hasn’t had any penetration tests performed, and
you don’t consistently patch all hardware, operating systems and applications with the
latest security patches, then you could find your network becoming a massive target for
attack. To penetration test you will need to scan your systems both internally and
externally to see what information you can get back. Hackers will want to get at
devices on your network; most will probably be doing this from the Internet, or trying
to dial in to your remote access servers. Do you have any dial-up modems attached to
desktop PCs and phone lines? If so, try dialing into these and performing penetration
testing. Some hackers may just want a kudos kick to say “Hey, I’ve been there and
done that”, and post it up on some of the hacker sites or defacement sites to show how
good they are. Some will want to get at your personal data for their own use, to sell it on,
or perhaps to use it for blackmail or industrial espionage.
The testing you will be performing will show to what extent your systems are at risk,
so you can proactively gain support from management, which is very important,
and allows you to start putting together a security policy and a patching schedule for
systems. This patching schedule should not only be for core systems, but all
systems! Do not leave any stone unturned. If you have test PCs on your network,
patch them! Don’t leave them so they are still vulnerable. If you have just one or two
devices that are vulnerable on your network, these could be used to spread viruses,
Trojans and other hacking programs, or allow a hacker into your system to
compromise other cleaner systems.


Creating the Penetration Test Kit
1. Test Environment
Set up a test environment creating a network of multiple devices. Penetration testing
can be very dangerous to systems if you start using hacking tools or are
experimenting. This is why it’s best to only test these on a test environment before
using them against real-life devices. You may also find that some of the tools you
have downloaded contain a virus or other Trojan code planted within the installation
scripts or programs. Make sure you are running at least one of the top antivirus
programs that are fully up to date. Scan the programs before use. Also make sure
you’ve scanned for Trojans (most antivirus products don’t scan for all known
Trojans!). Try a program like Pest Patrol (http://www.pestpatrol.com) and scan your
entire test environment (including within compressed files). Discard anything that
may have a virus or Trojan, and see if you can locate a clean version of the program
you found. If not, discard the program, as it will probably do you more harm than
good! Using a test environment is key to penetration testing. This way you can avoid
scanning, attacking or creating denial of service attacks on production network
devices within your company while getting to grips with learning how to penetration
test.
2. Hardware

You should now be ready to start creating your Penetration Test Kit. You will need 3
or 4 PCs of approx 300 MHz or faster with as much RAM as you can afford, because you
will be installing onto these devices the multiple operating systems and applications that
you have in your real world network. If you prefer to go the VMware
(http://www.vmware.com) route, which is highly regarded, then you will require a fast
PC, greater than 1 GHz, with 512 MB of RAM or more. Most modern day laptops come
with this specification and would be ideal if your networks are split over multiple
sites, because you can then take your entire penetration kit with you and test from
multiple networks rather than having it tied down to one location. VMware will
allow you to emulate a PC environment in a window from an operating system and
software perspective. You can run multiple workstations and servers within this
Virtual Machine environment and keep it off the company network, but still have the
Virtual Machines networked with each other. VMware also allows you to undo the
changes since last power on, so if you’ve managed to crash a virtual machine and it
won’t restart, power it off and discard the changes since last power on. It's a very
powerful application and a very fast emulator, and it will save you time having to rebuild
your test environment when it crashes. Do not underestimate it.

3. Operating Systems
You will need to have basic knowledge of both Linux and Windows:
enough to build the operating systems, log in as an administrator, configure
hardware like network cards, and install and configure software. The majority of
security tools are found on Linux, although in the past few months I have seen an
increasingly large selection of these tools being ported to Windows platforms.


4. Researching Security tools
You will need to spend a lot of time surfing the Internet for security tools. Once you
have spent what seems like weeks and weeks of extensive research, you will see some
of the same tools reappearing time and time again. What does this tell you? Probably
that these tools are popular with the security community, and that they are
likely free or very cheap. Most of these security tools are written by security
consultants to better automate testing of systems to make their life easier. You will
find that the security community continuously updates these applications as more
vulnerabilities are discovered. Think for a moment, if you’re using these tools to
penetration test your network, it’s most likely that hackers are also using the same
style of tools! So this will give you a better understanding of what hackers are
actually using out in the wild.
Make a note of each application you come across. Before long you will have a short
list of probably two to three dozen packages, some running under Microsoft
platforms, and some running under Linux/Unix platforms. Most of the best security
analysis tools on the Internet to date are written to run under Linux and Unix based
systems. The main reason for this is that the network stacks are more interoperable
and generally give better performance than tools that are written for Microsoft
platforms.


5. Recommended Tools to research
·  Red Hat 7.2 (Enigma) Linux
http://www.redhat.com

·  Trinux
http://trinux.sourceforge.net
Trinux is a good command-line based Linux operating system that
comes on a floppy disk and installs itself into RAM with a
RAM drive. Trinux brings together a comprehensive list of
command line based security tools built around a Linux
operating system. Extra modules can also be downloaded on
each boot from the Trinux website and installed into RAM for
the current session. An ideal solution if you need to move
around to multiple offices, prefer a command line interface
over a GUI, would prefer to have everything configured for
you, or want to run on a low specification computer.
·  LanGuard Network Scanner
http://www.gfi.com/languard/
A fairly good port scanner for Windows and free!
·  Nmap
http://www.insecure.org
Nmap now comes in two flavors: one version for Linux and
one for Windows. The Linux version has better performance,
but either will allow you to run anything from regular port scans
to advanced stealth port scans that try to bypass firewalls without
being detected.

·  Superscan
http://www.foundstone.com/knowledge/proddesc/superscan.html
A reasonable Windows port scanner. This will only perform
TCP port scans (which are regarded as somewhat “loud”),
whereas other tools like Nmap will also give you better UDP
port scans, allowing for stealth scans. It can be a quick tool to
run up if you want to scan something internally and do not have
to worry about being in stealth mode.
·  Nessus
http://www.nessus.org
Nessus is a complete security scanner and vulnerability
database for Linux, which is free and gives you free updates to
the knowledge base on a regular basis. This will allow you to
configure scans against network devices and pick and choose
what style of scan or attack you would like to perform. Nessus
also utilizes other great penetration tools like Nmap giving you
full reports on your environment and links to potential security
fixes or workarounds. You can do anything from simple port
scanning to IIS or operating system denial of service scans.
This is a must-have tool for every pen test kit!

·  SNMP Ping
mailto:snmptool@sans.org
SNMP is always a major vulnerability and is easily enabled by
accident on most network devices. This tool allows you to scan
subnets very quickly and determine which devices have SNMP
switched on and which SNMP traps are available.
·  Ethereal
http://www.ethereal.com
A good network protocol analyzer for both Linux and Windows.
Running your network card in promiscuous mode allows you to
sniff and capture data that flies past your workstation, letting
you examine packets and see what data is being transmitted
across your network. A very good tool!
·  Ettercap
http://ettercap.sourceforge.net
Another network sniffer for Linux, but also works over a
switched network (where most network sniffers cannot) and is
very good at what it does.
·  tcpdump
http://www.tcpdump.org
Another network analyzer for both Linux and Windows. This
is a command line based tool, but it can be very quick to write
captured packets out to a file for later examination if you are in a
hurry to capture some network data.
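What the sniffers in the list above (Ethereal, Ettercap, tcpdump) actually do with each captured frame, as an added example that is not code from the original article or from those projects: a minimal Ethernet/IPv4/TCP dissector, run over a constructed frame carrying a cleartext HTTP request with a Basic authentication header, to show what a sniffer on the segment can read. The MAC addresses, IPs and payload are constructed sample values.

```python
"""Dissect an Ethernet/IPv4/TCP frame the way a protocol analyzer does, to show
what a sniffer on a shared segment can read. Added example, not the page's code."""
import struct
from ipaddress import ip_address

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # bit 0 .. bit 5


def decode_frame(frame: bytes) -> dict:
    """Return headers and payload of one Ethernet frame carrying TCP over IPv4."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4 (ethertype 0x{ethertype:04x})")
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                  # header length incl. options
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(ip):
        raise ValueError("bad IPv4 header")
    if proto != 6:
        raise ValueError(f"not TCP (IP protocol {proto})")
    tcp = ip[ihl:total_len]                     # total_len trims Ethernet padding
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4            # TCP header length incl. options
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src": str(ip_address(src)), "dst": str(ip_address(dst)), "ttl": ttl,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
        "payload": tcp[data_off:],
    }


def build_sample_frame() -> bytes:
    """Constructed sample: a PSH/ACK segment carrying a cleartext HTTP request
    from 192.168.1.10:40000 to 192.168.1.20:80 (no real capture involved)."""
    payload = (b"GET /payroll.xls HTTP/1.0\r\n"
               b"Authorization: Basic Ym9iOnNlY3JldA==\r\n\r\n")   # 'bob:secret'
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 2000, (5 << 12) | 0x018,
                      8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ip_address("192.168.1.10").packed,
                     ip_address("192.168.1.20").packed)
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), 0x0800)
    return eth + ip + tcp


if __name__ == "__main__":
    info = decode_frame(build_sample_frame())
    print(f"{info['src']}:{info['sport']} -> {info['dst']}:{info['dport']} "
          f"[{'/'.join(info['flags'])}] ttl={info['ttl']}")
    print(info["payload"].decode("ascii", "replace"))   # the credentials are readable
```

Checksums are left at zero in the constructed frame because the decoder does not verify them; a real analyzer would.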

Conclusion
You should now have basic knowledge of how a hacker will work to penetrate your
network, what he will be looking for on your network and how to better protect
yourself against future attacks. Remember to keep your environment fully patched
and to perform penetration tests on a regular basis. Every 2-3 months would be a good
starting point and will make you aware of new systems that have been installed on
your network without your knowledge.
