The document discusses security testing that can be done by blue teamers. It recommends using Nmap to scan networks and map assets, using a vulnerability scanner to identify vulnerabilities, using open source intelligence tools to understand potential attack surfaces, and using Metasploit to test defenses by attempting exploits. It suggests using Kali Linux as a testing platform since it contains these tools preconfigured. The goal is to help blue teams gain visibility, identify issues, and verify that defenses work as intended.
5. Disclaimer
Make absolutely CERTAIN you have written permission
from the system owner/service provider before undertaking
ANY testing activities.
Laws vary from state to state and country to country.
When in doubt I consult my attorney, I suggest you do the
same.
In short: Don’t call me to bail you out! :)
BigDatainInfoSec-BenFinke-@benfinke
7. What this presentation is…
• A guide on effective testing that makes your defenses better
• A security program that gives you information to make decisions
• A how-to on ensuring your defenses are doing what you think they are
8. What this is not…
• How to hack your boss’s facebook account
• Step-by-step on building a botnet
• A one-size fits all process
• A shortcut
9. Why bother?
Do you know what is on your network?
Any idea what you have facing the Internet?
Does that fancy firewall thing actually block bad stuff?
Can you tell if someone is attacking you?
10. Why bother? This. We can do better.
Verizon Data Breach Investigations Report 2015 - http://www.verizonenterprise.com/DBIR/2015/
11. Yeah But…
Testing is so expensive!
We don’t have the budget
We don’t have the training
We don’t have the tools
12. Nonsense.
It does take some time and some
learning, but you can do most of the
testing you’ll need, and be amazed what
you discover along the way.
You don’t need to spend a fortune either.
You got this.
13. First Problem – Learn the Terrain
• Let’s map out EVERYTHING on your network
• Let’s find out what is connected and what services it’s running
• We need something that scales well, gives you some flexibility, and doesn’t
cost a fortune….
15. nmap – Network Mapper
• Get it directly* from the nmap site: https://nmap.org/
• Open source
• Cross Platform
• Does way more than you think…..
• And we know it’s fantastic because…..
*What happened to you SourceForge?? :(
16. …Hackers use it in movies
https://nmap.org/movies/
17. Digging into nmap
• Command line
• GUI – Zenmap
• Multiple output formats
• Can be easily incorporated into scripts and called from other applications
• GREAT documentation and community support
• Examples:
• nmap -A 172.20.10.0/24 -oA <basename>   (-A = OS detection, version detection, default NSE scripts and traceroute; -oA writes normal, XML and grepable output to <basename>.nmap/.xml/.gnmap)
• Demo Time!!
19. Scanning Protips…
• If you scan something from the other side of a firewall, you see what the firewall lets through, not what the host is actually running, so the results are going to be, well, wrong. Scan from inside the segment (or whitelist the scanner) when you want the host’s real exposure.
20. Scanning Protips…
Know how the common scan options work…
• -sT – Full TCP connect (SYN – SYN/ACK – ACK); the default when you can’t send raw packets
• -sU – Try to make a UDP service respond (I’d tell you a UDP joke, but you might
not get it). Slow, and “open|filtered” is the usual answer when nothing replies.
• -sS – TCP SYN scan (SYN – SYN/ACK, then RST; the handshake never completes) – sometimes called a “stealth” scan; the default when you run as root
• -sV – Probe the open ports found to identify the service and its version (works on top of any port scan, UDP included)
• -Pn – treat all hosts as online, skip discovery
• -O – enable OS detection
• Default host discovery (as root/Administrator) – ICMP echo request, TCP SYN to 443, TCP ACK to 80 and ICMP timestamp request; unprivileged users get TCP connects to 80 and 443 instead. Reverse DNS is then looked up for hosts found up. Use -sn for discovery only.
21. Scanning Protips…
Choose a good scanning location
• Home and SMB routers often have a small state table, you may overrun that with
connections and produce false results in the scan
• Wireless connections can also cause timing and other congestion errors that affect
your scan
• If scanning over a VPN…. Try not to scan over a VPN
• If you have a sensitive host in a range, use --exclude (or --excludefile for a list)
23. Plenty of good open source projects to help your custom implementation.
24. Use your existing tools to visualize!
25. But wait, there’s more!
• ndiff – compare two nmap scans (XML output) and show the
differences.
• Easily store output in a code repository for easy historical
reference and change tracking
• NSE – Nmap Scripting Engine
26. Let’s Get to Work
Do some scans of your network and view the results. Tune the scan options to
meet the need.
Found a lot of stuff you had no idea about, right? Good!
Automate that process through whatever means are comfortable – you want
the information, not more to do.
Run daily and review changes. Discuss with responsible parties when things
change unexpectedly.
Some people might complain that you are hassling them, but I say…
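As an added example of the daily run-diff-review loop described above (this is not code from the talk or from the nmap project; use nmap’s own ndiff for the real thing), the script below reads two nmap XML outputs (the .xml file that -oA writes) and reports new or vanished hosts, newly opened or closed ports, and service/version changes. SCAN_DAY1 and SCAN_DAY2 are constructed samples in nmap’s XML format, trimmed to the elements the script reads; in practice you would point it at yesterday’s and today’s files.

```python
"""Compare two nmap XML scans (-oX, or the .xml from -oA) ndiff-style.

Added example, not code from the talk or from the nmap project. The two scan
documents are constructed samples in nmap's XML output format.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: yesterday's scan of a small range.
SCAN_DAY1 = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX day1.xml 10.0.0.0/29">
 <host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
  <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
 </ports></host>
 <host><status state="up"/><address addr="10.0.0.2" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS httpd" version="7.5"/></port>
 </ports></host>
</nmaprun>"""

# Constructed sample: today's scan. 10.0.0.1 swapped 443 for RDP, the IIS box
# was upgraded, a new host with telnet appeared, and 10.0.0.4 is down.
SCAN_DAY2 = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX day2.xml 10.0.0.0/29">
 <host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
  <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
 </ports></host>
 <host><status state="up"/><address addr="10.0.0.2" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS httpd" version="8.5"/></port>
 </ports></host>
 <host><status state="up"/><address addr="10.0.0.3" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
  <port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
 </ports></host>
 <host><status state="down"/><address addr="10.0.0.4" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_scan(xml_text):
    """Return (up_hosts, open_ports); open_ports maps (ip, protocol, port) to a
    service label for every open port on every host nmap reported as up."""
    root = ET.fromstring(xml_text)
    up_hosts = set()
    open_ports = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth diffing
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        ip = addr.get("addr")
        up_hosts.add(ip)
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            label = "unknown"
            if svc is not None:
                label = " ".join(v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v)
            open_ports[(ip, port.get("protocol"), int(port.get("portid")))] = label
    return up_hosts, open_ports


def diff_scans(old_xml, new_xml):
    """Return the changes between two scans as sorted lists of tuples."""
    old_hosts, old_ports = parse_scan(old_xml)
    new_hosts, new_ports = parse_scan(new_xml)
    both = old_ports.keys() & new_ports.keys()
    return {
        "new_hosts": sorted(new_hosts - old_hosts),
        "gone_hosts": sorted(old_hosts - new_hosts),
        "opened": sorted(k + (new_ports[k],) for k in new_ports.keys() - old_ports.keys()),
        "closed": sorted(k + (old_ports[k],) for k in old_ports.keys() - new_ports.keys()),
        "changed_service": sorted(k + (old_ports[k], new_ports[k]) for k in both if old_ports[k] != new_ports[k]),
    }


def format_report(diff):
    """Render the diff as the short text you would mail to the responsible owners."""
    lines = []
    for key in ("new_hosts", "gone_hosts", "opened", "closed", "changed_service"):
        lines.append(f"{key}: {len(diff[key])}")
        for item in diff[key]:
            fields = item if isinstance(item, tuple) else (item,)
            lines.append("  " + " ".join(str(x) for x in fields))
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python nmap_diff.py yesterday.xml today.xml
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            print(format_report(diff_scans(a.read(), b.read())))
    else:
        print(format_report(diff_scans(SCAN_DAY1, SCAN_DAY2)))
```

Only open ports on hosts reported up are compared, so a host that drops off the network shows up under gone_hosts rather than as a pile of closed ports, and the filtered port 80 on the new host is ignored. Run it from cron after the daily scan and mail the output to the owners; an empty report is the good day.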
30. Vulnerability Management
Vulnerability – a well known software flaw or misconfiguration that enables
an unauthorized person to change the state of an information system.
Put like a regular person – a missing patch or (likely default) setting that
means an attacker can ruin your day.
Vulnerability Management is NOT just a vulnerability scanner. While that
can help, vulnerability management is about knowing where you have what
so that when a vulnerability is announced you can gauge the risk and plan
accordingly.
31. Vulnerability Scanners
A number of good ones exist. You might even own some of these today.
The biggest mistake I see is that people don’t:
1. Tune the scanning policies
2. Cover the ENTIRE network
3. Do anything useful with the output
32. Getting your VM on….
• Consult your vuln scanner vendor for the how-to on this.
• You likely have the ability to run “credentialed” scanning (the scanner logs in to the host and checks installed packages and settings directly). Do this!
• Build a process to manage the vulns you’re going to be digging up
• Protip: Assign an “Application Owner” to every piece of inventory on the
network, and send out reports broken down by the responsible “owner” in
the infamous and oft-imitated stoplight chart
• Also known as “Weaponized Excel”
33. How does a Vuln Scanner work?
1. Non-Credentialed Scanning
Following the selected scanning policy, performs discovery of available
services across the range of configured targets, begins service detection.
Example exchange between the scanner and a web server:
Vuln Scanner -> Web Server: Hey, is TCP port 80 open? (SYN)
Web Server -> Vuln Scanner: It sure is! (SYN/ACK)
Vuln Scanner -> Web Server: Great! (ACK)
Vuln Scanner -> Web Server: So, is this HTTP? (GET / HTTP/1.1)
Web Server -> Vuln Scanner: For sure! (HTTP 200 OK – Server: IIS/7.5)
Vuln Scanner -> Vuln DB: Check vuln DB for “IIS/7.5” vulns
34. Service Detection
That HTTP Server header drives a huge share of the findings most vulnerability
scanners will report: for many vulnerabilities either no safe over-the-network test exists,
or the test is potentially dangerous, so the scanner infers the finding from the banner
version alone.
Other tests, like TLS* cipher testing, are actively exercised and observed directly.
When false positives occur, banner-based service detection is often why (a backported
patch fixes the bug but leaves the version string unchanged). Credentialed scanning can
remove lots of these false positives because it checks what is actually installed.
* All your SSL stuff is turned off, right? Right. Good.
35. Automate this too!
• Schedule a scan in your vuln scanner and put the scan file someplace.
• This PowerShell code lets you slice and dice the results. Thanks to Carlos
Perez (@darkoperator):
# Load the Nessus v2 export as XML, keep every finding above Info (severity 0)
# and write it out as an HTML table
[xml]$report = Get-Content -Raw .\scan.nessus
$report_hosts = $report.NessusClientData_v2.Report.ReportHost
$report_hosts | ForEach-Object { $_.ReportItem } | Where-Object { $_.severity -ne 0 } |
ConvertTo-Html > nessus-report.html
You can even set conditions on which item goes in the report, so you can run a
couple of these and email them to whoever needs them….
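The same idea carried a step further, as an added example that is not code from the talk or from Carlos Perez: the script below parses a Nessus v2 export with the Python standard library (so it runs anywhere, PowerShell or not), drops the Info-level noise, and rolls the remaining findings up per application owner into the stoplight chart from slide 32. The .nessus document, the OWNERS inventory and the plugin IDs/names in it are constructed placeholders, not real Nessus plugins. Hosts the scanner finds that are missing from the inventory land under UNASSIGNED, which is an inventory finding in its own right.

```python
"""Roll a Nessus v2 export (.nessus) up into a per-owner stoplight report.

Added example, not code from the talk or from Carlos Perez. The .nessus
document, the owner inventory and the plugin IDs/names are constructed samples.
"""
import html
import sys
import xml.etree.ElementTree as ET

SEVERITY = {4: "Critical", 3: "High", 2: "Medium", 1: "Low", 0: "Info"}
LEVELS = ("Critical", "High", "Medium", "Low", "Info")

# Constructed inventory: host -> application owner (the "Weaponized Excel" input).
OWNERS = {"10.0.0.1": "Infrastructure", "10.0.0.2": "Web Team"}

# Constructed .nessus sample, trimmed to the elements this script reads.
# Real exports carry many more attributes; plugin IDs/names here are placeholders.
NESSUS_XML = """<NessusClientData_v2>
 <Report name="daily-internal">
  <ReportHost name="10.0.0.1">
   <HostProperties><tag name="host-ip">10.0.0.1</tag></HostProperties>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1" pluginID="1" pluginName="Sample: SSH weak MAC algorithms"/>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="2" pluginName="Sample: scan information"/>
  </ReportHost>
  <ReportHost name="10.0.0.2">
   <HostProperties><tag name="host-ip">10.0.0.2</tag></HostProperties>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="3" pluginID="3" pluginName="Sample: outdated web server (banner)"/>
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="4" pluginName="Sample: weak TLS cipher suites"/>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="2" pluginName="Sample: scan information"/>
  </ReportHost>
  <ReportHost name="10.0.0.3">
   <HostProperties><tag name="host-ip">10.0.0.3</tag></HostProperties>
   <ReportItem port="23" svc_name="telnet" protocol="tcp" severity="4" pluginID="5" pluginName="Sample: clear-text telnet login"/>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="2" pluginID="6" pluginName="Sample: directory listing enabled"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>"""


def parse_nessus(xml_text, min_severity=1):
    """Flatten ReportHost/ReportItem into dicts, dropping anything below
    min_severity (the PowerShell one-liner's 'severity -ne 0' filter)."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        ip = host.get("name")
        for item in host.findall("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev < min_severity:
                continue
            findings.append({
                "host": ip,
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": sev,
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
            })
    findings.sort(key=lambda f: (-f["severity"], f["host"], f["port"]))
    return findings


def rollup_by_owner(findings, owners):
    """Count findings per owner and severity level; unknown hosts go to UNASSIGNED."""
    roll = {}
    for f in findings:
        owner = owners.get(f["host"], "UNASSIGNED")
        counts = roll.setdefault(owner, {level: 0 for level in LEVELS})
        counts[SEVERITY[f["severity"]]] += 1
    return roll


def stoplight(counts):
    """Red if anything Critical/High is open, yellow for Medium only, else green."""
    if counts["Critical"] or counts["High"]:
        return "RED"
    if counts["Medium"]:
        return "YELLOW"
    return "GREEN"


def render_html(roll):
    """One HTML table, one row per owner, ready to drop into an e-mail."""
    rows = ["<tr><th>Owner</th><th>Status</th>" + "".join(f"<th>{l}</th>" for l in LEVELS) + "</tr>"]
    for owner in sorted(roll):
        counts = roll[owner]
        cells = "".join(f"<td>{counts[l]}</td>" for l in LEVELS)
        rows.append(f"<tr><td>{html.escape(owner)}</td><td>{stoplight(counts)}</td>{cells}</tr>")
    return "<table>\n" + "\n".join(rows) + "\n</table>"


if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else NESSUS_XML
    print(render_html(rollup_by_owner(parse_nessus(xml_text), OWNERS)))
```

Point it at the scheduled scan’s export (python nessus_rollup.py scan.nessus) and mail each owner their row; keep OWNERS as the single inventory file the nmap results feed, so the UNASSIGNED row shrinks over time.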
36. Your Arsenal
1. Nmap – free
2. Vuln Scanner - $2K/year
Total Cost - $2000
38. What would an attacker know?
One of the most common goals of a 3rd party security assessment is “Find out
what an attacker out on the Internet would find.”
I have some great news for you….. You can do this yourself, probably a lot
easier than you think!
A small sampling of free and inexpensive tools at your disposal!
39. Advanced Google Hacking Searching
http://www.businessinsider.my/how-to-be-a-google-power-searcher-2014-7/
40. Shodan HQ
• Google search for what’s on the Internet…
44. Test your Defenses
You recently invested in the industry leading Ultra Premium Anti-APT Cyber
Sentinel v1000 system. Hooray!
Does it actually work? I mean, the way its supposed to? Are you sure?
45. If it detects intrusions, you should intrude!
You should send actual attack traffic through the device to see if
1. It blocks, slows, or at least marginally disrupts it.
2. It tells you about it.
3. You can reconstruct what happened from the Blue team side.
Fortunately, you don’t need to write your own exploit code; we’ll just use Metasploit!
46. Metasploit – An Intro
Metasploit is a framework that makes security testing easier.
It covers:
• Mapping and Recon
• Exploitation
• Post Exploitation
• Exfiltration
But even if you just want to see if an IPS actually P’s something, it works
great for that too!
Lots and lots of great community support and tutorials available online.
47. Your Arsenal
1. Nmap – free
2. Vuln Scanner - $2K/year
3. Open Source Intel – Free
4. Metasploit- Free
Total Cost - $2000
49. “Sure” you’re saying…
“Now I get to spend hours and hours installing this stuff on my system and
trying to keep it all running. How much time am I going to waste just getting
this stuff in place?”.
Almost none at all. In fact, it’s a really good practice to keep your testing kit
separate from the system you surf the web and check your email on.
We need a way to get to all of these tools quickly. It would be a nice benefit if
our testing system was easily portable, ran on whatever we had lying around
to use, and was easy to keep up to date.
Which leads us right to….
51. Kali Linux
• Purpose built Linux distribution for security testing
• Hundreds of tools built in and working
• Available as (https://www.kali.org/)
– ISO Image
– Virtual Machine image
– Docker Image(!)
– Raspberry Pi Image(!!)
52. Raspberry Pi – Just like Mom used to make
53. VirtualBox
• Cross Platform (Windows, Mac, *NIX)
• FREE (as in beer)
• Run guest VMs on your laptop!
• Boot2Docker
I know what you are thinking….
54. Isn’t Oracle the Evil Empire?
Maybe, but absolutely not for this. Thanks Oracle (and Sun) for VirtualBox!
55. Your Arsenal – Kali Edition
1. Nmap
2. Vuln Scanner
3. Open Source Intel
4. Metasploit
Ready to Go!
56. Your Arsenal
1. Nmap – free
2. Vuln Scanner - $2K/year
3. Open Source Intel – Free
4. Metasploit- Free
5. Flexible Testing Platform - Free
Total Cost - $2000
58. Blue Team Nirvana
• A complete and accurate network inventory
• Know your exposure to vulnerabilities
• Know what the Internet knows about your network
• Verify your defenses and alarms work as designed.
66. Great Resources
• The nmap book - http://nmap.org/book/
• Metasploit Unleashed - https://www.offensive-security.com/metasploit-unleashed/
• How To Videos on SecurityTube - http://www.securitytube.net/
• Community Discussion - http://www.reddit.com/r/AskNetsec
• Netsec Students - http://www.reddit.com/r/netsecstudents