College project (Penetration testing)

[imp35713]

Hey guys, first off I have written permission from both my tutor and network administrator for this so no worries about the legal aspect.

Now thats out the way, I'm in my second year of a HND at my local college. Talking with my teacher about what could be a good idea for my major project they sugested I try penetration testing as it would be something different for me as I usually do programming.

So talking with my network admins they say's it's ok as they've seen me around and heard stuff about me so they think they can trust me. (Also if anything goes wrong they know where to come first!)

The network is made up of windows 2K work stations and each class room is switched. The server is running the latest windows server and using Active Directory.

I have a laptop running mandrake linux with some software such as ettercap, ettereal, nmap (having trouble getting password sniffers on there but that should be soon) which I can take in and use.

Now the really challenge is to do as much manually because I have to document everything I do and just using software to hack the network would make for a boring project.

I was wondering if you guys have any tips or advice about how to get started and what direction to take this?

Cheers in advance for your help

[Jonesy69]

If I were you I would start off here. Read up on the tools you will be using. Maybe try playing with a little Knoppix STD purely for the vast assortment of tools it offers.

[XTC46]

Plan yuor attack. Figure out how you are going to attack, what you are going to attack, objectives. Going in with no objective makes it very hard to stay focused. i mean how do you know if you are there if you dont know where there is. Is your goal to just get access to the network? or do you actually want to penetrate the server and get "root" access to it? Are you going for a DoS style attack and just dropping the network?

also MAKE SURE you keep the admins up to speed iwith what you are doing. Like if you plan on trying a DoS attack make sure they know so they dont freak out when stuff stops working. DONT attack the whole network, or vital equipment. If its equipment that when dropped stops a needed function then dont go after it first. Also for the conclusion I would fix the problems you do find.

Look up current known exploits for things. MS puts up proof-of-concept code so do alot of other companies for known vulnerabilities in their OS.

BUt Like I said before establish your goals before you start, it will make research on how to attack alot easier if you know what you are trying to accomplish.

[imp35713]

Hey guys, thanks of the posts so far.

I don't want to do a DOS as others do have to use the network and it isn't really my goal. My goal is to get "root" or one of the admin accounts. Sorry should of said that before. I've been keeping the techies informed when I've been doing some test so far so I have that angle covered.

If someone has some idea's of angles of attack or even some pointers as to holes in MS at the moment thats what I really need. I can port steal and collect passwords but they are encrypted and john the ripper is taking forever to crack the passwords I have collected. Anyone know a better tool to use?

Thanks for what's been sugested so far.

[ss2chef]

1st, yes DOS would be a worthless point of attack. It has almost nothing to do with "pen" testing and any @#$ can do it. It nets very little info about your org unless you are going to test things like response policies and the like.

Start by documenting as much as you can about your network and configurations. Only then will you have a platform to analyze possible attack points. How big is the network BTW? What are your physical access limitations?

Also, if you really want to put some egg on faces for your project, think information leaks. Too much time is spent on "root" this and "root" that. From the inside out, there are many many more risks to manage in addition to account attacks and privilege escalation. Security policies neither start nor end with computers and computer networks. Shoot you might even choose to audit
CM (configuration management) and disaster recovery policy and documentation...

Turn it into a real mind!#$ and turn that project into a job offer...

Post more info and I'm sure people here can help you get real crafty..

Peace and good luck!!

[Jonesy69]

If someone has some idea's of angles of attack or even some pointers as to holes in MS at the moment thats what I really need.

Just google for "microsoft vulnerability" Microsoft exploit" "microsoft proof of concept" and prepare for a landslide. Also check out www.packetstormsecurity.nl as they have a good collection of all things security

As far as cracking the passwd files try Cisilia, run atop openmosix! There was a thread on here recently regarding this. Or just google for cisilia. Basically what your doing is making a cluster focused on cracking that password file. Or just follow my advice on using knoppix STD, its all built in to the .ISO and burning a disk is alot easier than installing each package on each individual machine.. Setup is pretty straightforward too. Hope this helps

[zencoder]

Jonesy69, I think an important point to make in your project report would be physical access. It sounds like the intent of this is remote exploits (code, attacking services, etc.), but a mention of this aspect would be very beneficial. However, if there is no restriction on the types of access, you should include a short section on this attack vector beciause I can guaruntee you it is the easiest to exploit in the environment you describe.

But if you have the ability to go sit down at one of these boxes, drop a specially crafted CD, Floppy Diskette, or USB Flash Drive into the system and 'own' it, that should be at least mentioned or documented.

One of the biggest tenets of Information Security is 'if they have physical access to the box, they own the box'. This is a concept that has a foundation in the realm of physical security i.e. locksmiths. Technically, a safe is not rated on how 'hard' it is to penetrate, but on how long it would take to penetrate given a sustained level of effort. If you have a system with no floppy drive, no CD or DVD reader, no USB or IEEE 1394 ports, than you have made it marginally harder to physically crack. But don't leave me alone at the console with the intent to access it, or you'll regret the decision!

All the firewalls, antivirus, intrusion prevention, and host based security measures won't help you if I can pull the plug, crack the case, load a CD, and do my thing.

[NeuTron]

Originally posted here by imp35713
I can port steal and collect passwords but they are encrypted and john the ripper is taking forever to crack the passwords I have collected. Anyone know a better tool to use?

John is the fastest tool for cracking passwords on a single machine. It sounds like you have access to multiple computers though, so follow this tutorial if you want speed up that cracking process.

As far as finding your exploits, I suggest two sites (one was already mentioned). www.k-otik.com and www.packetstormsecurity.nl. Most of the exploit code you'll find at those and other sites wont compile without some fixing and tweaking but since you have pragramming background, you shouldn't have a problem getting them to a usable form.