
Review: Penetration Testing with BackTrack by Offensive Security Part 1

September 3, 2009

I have had the opportunity to enroll in the "Pentesting With BackTrack" course from Offensive Security. Over the next 30 days I will post an update each week with my thoughts on the content I worked through the previous week, along with my experiences with the labs and support and any personal revelations. At the end I will give a more objective report on the entire class, listing what I see as its strengths and weaknesses, as well as its benefits and deficits compared to other classes I've taken. So follow along as I go from the period before the class starts all the way through the exam.

The course is described by Offensive Security as, "‘Pentesting with BackTrack’ (previously known as Offensive Security 101) is an online course designed for network administrators and security professionals who need to get acquainted with the world of offensive security. This penetration testing course introduces the latest hacking tools and techniques, and includes remote live labs for exercising the material presented to the students. This course gives a solid understanding of the penetration testing process, and is equally important for those wanting to either defend or attack their network. The course can be taken from your home, as long as you have a modern computer with high speed internet."


Review: SANS SEC542 – Web App Penetration Testing and Ethical Hacking

April 29, 2009

Applications are moving away from the desktop and onto the web. With technologies like AJAX and Flash and the popularity of mash-ups and social networks, web application penetration testing is becoming increasingly important. Pushes for penetration testing are being driven by compliance, regulation, and a desire not to end up on the evening news, so a quality web application penetration testing class has been long overdue. SANS has stepped up to the plate and re-released SEC542 Web App Penetration Testing and Ethical Hacking as a 6-day course with stronger hands-on exercises, culminating in a final day where students perform a penetration test on the classroom network. The original course was a 4-day version, but Kevin Johnson of InGuardians has updated and enhanced the content to cover many of the cutting-edge web application hacking techniques seen in the field today.

I recently had the opportunity to take the re-born SEC542 course in Orlando, Florida as part of SANS 2009. SANS 2009 was one of the larger yearly conferences that SANS offers, with quality evening talks after classes that provided additional content at no additional cost. Some of SANS's higher-profile instructors presented fresh content, ranging from Josh Wright's talk on the risks of using personal wireless devices such as the Nike+iPod, titled "Privacy Loss in a Pervasive Wireless World," to Ed Skoudis' talk on cutting-edge tricks and techniques in "Secrets of America's Top Pen Testers." The secondary benefit of the large conferences was the ability to network with instructors and peers. There were frequent opportunities to hang out and talk with SANS instructors and other students after hours, with impromptu events such as full-contact mini-golf, dinner and karaoke. It is commonly known that an event is what you make of it, and SANS 2009 came through in spades in providing an educationally rich environment. So if an attendee didn't take advantage of networking with those in the industry, it certainly wasn't SANS's fault.


Video Tutorial: Pass-The-Hash Toolkit

April 5, 2009

Ryan Linn is back with another video for your learning pleasure. This time he gives a video tutorial of an existing toolset, the Pass-The-Hash Toolkit by Hernan Ochoa (Core Security Technologies). Core describes it as, "The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions maintained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with their corresponding NTLM credentials (e.g.: users remotely logged in thru Remote Desktop/Terminal Services), and also change in runtime the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH on Windows!)."

So what does all that mean? As with his other videos, Ryan tackles this topic in a very easy-to-follow process. So watch along as he integrates the PTH Toolkit into a makeshift penetration test and shows how an attacker can utilize credentials without ever having to crack a single password. Oh, by the way, he cracks them too. This way he can impersonate a legitimate user without knowing their password, and then again while knowing their password. Ryan then goes one step further with his talk at ChicagoCon 2009 on May 9 with fellow EH-Net columnist Brian Wilson, when they team up for Cain BeEF Hash: Snagging Passwords without Popping Boxes. They not only show you some of their cutting-edge research results, but also perform it in a live demo!
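To make the "without ever having to crack a single password" point concrete, here is an added Python example, not code from the video or from the Pass-The-Hash Toolkit: it computes an NTLMv2 authentication response from nothing but an NT hash taken from a hashdump-style line, then checks that response the way a server would. The MD4 routine, the constructed hashdump line and server challenge, the zeroed NTLMv2 blob and the domain name "LAB" are assumptions of this example; the NT hash and NTLMv2 constructions follow RFC 1320 and MS-NLMP.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, written out here because hashlib's OpenSSL backend
    often no longer ships the legacy MD4 digest that NT hashes need."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # (boolean function, message-word order, per-step shifts, round constant)
    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[j] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so each step updates "a"
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The NT hash is MD4 over the UTF-16LE password: what hashdump prints and
    what the LSA keeps for each logon session."""
    return md4(password.encode("utf-16le"))


def parse_pwdump_line(line: str):
    """hashdump/pwdump layout: user:rid:lmhash:nthash:::  ->  (user, nt hash bytes)."""
    user, _rid, _lm, nt = line.strip().split(":")[:4]
    return user, bytes.fromhex(nt)


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTLMv2 NtChallengeResponse (MS-NLMP 3.3.2). The input is the NT hash,
    not the password: this is why a stolen hash is a usable credential."""
    ntowf_v2 = hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    nt_proof = hmac.new(ntowf_v2, server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob


def server_verify(stored_nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """What the authenticating server does: recompute from its stored NT hash
    and the blob echoed in the response, then compare in constant time."""
    blob = response[16:]
    expected = ntlmv2_response(stored_nt, user, domain, server_challenge, blob)
    return hmac.compare_digest(expected, response)


def demo() -> bool:
    """Constructed scenario: a hashdump line lifted from a compromised host is
    replayed against a server that holds the same user's NT hash."""
    dumped = "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::"
    user, stolen_nt = parse_pwdump_line(dumped)
    challenge = bytes.fromhex("0123456789abcdef")           # constructed 8-byte server challenge
    blob = bytes.fromhex("0101000000000000") + b"\x00" * 24  # constructed NTLMv2 blob, fields zeroed
    # Attacker side: only the hash is known, no password was cracked.
    from_hash = ntlmv2_response(stolen_nt, user, "LAB", challenge, blob)
    # Same user after cracking ("password"): identical response, because the hash is the secret.
    from_password = ntlmv2_response(nt_hash("password"), user, "LAB", challenge, blob)
    return from_hash == from_password and server_verify(stolen_nt, user, "LAB", challenge, from_hash)


if __name__ == "__main__":
    print("pass-the-hash login accepted:", demo())
```

Nothing in `ntlmv2_response` needs the plaintext: the NT hash is the long-term secret, so reading it out of LSA logon sessions (what the toolkit does) or out of the SAM (what hashdump does) is as good as the password for NTLM authentication. Cracking only buys you the plaintext for places that do not speak NTLM.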


Video: The 15-Minute Network Pen Test Part 2

February 26, 2009

There are numerous tools used in the penetration testing (pen testing) process, and there are plenty of books that go into how to use the individual tools. There are very few resources that discuss how the tools fit together and how to approach the process. Parts 1 and 2 encompass the basic outline of what was presented at a talk given to the Duke University ACM Chapter, with some minor changes.

In Part 1, we took the viewer from the initial network recon stage through actual exploitation using Metasploit. The network was first scanned with Nmap and then with Nessus. We imported the Nessus vulnerabilities directly into Metasploit, determined which modules corresponded to the findings for a specific host, then used one of those modules to compromise a remote Microsoft Windows XP box.

Part 2 covers some of the post-exploitation tasks a pen tester may use. It begins with some basic Meterpreter tasks. Meterpreter is a specialized pen testing shell that is included in Metasploit as a payload. Using Meterpreter, password hashes are obtained from the exploited machine, and Ophcrack is used to crack them. While the hashes are cracking offline, the viewer is taken back to Meterpreter to create a hidden cmd.exe shell on the remote host. Finally, we create a new user and add that user to the Administrators group. Ready to see it in action?


Video: The 15-Minute Network Pen Test Part 1

January 21, 2009

There are numerous tools used in the penetration testing (pen testing) process, and there are plenty of books that go into how to use the individual tools. There are very few resources that discuss how the tools fit together and how to approach the process. When Henry Qin at the Duke University ACM Chapter approached EthicalHacker.net about doing a presentation for his organization on the tools and process of pen testing, I jumped at the opportunity. The following videos encompass the basic outline of what was presented at Duke, with some minor changes.

The first video takes the viewer through the initial network recon stage of pen testing and then follows up with actual exploitation using Metasploit. The network is first scanned with Nmap, and after some basic discovery and information gathering the scan continues with Nessus. Nessus is a vulnerability scanner that analyzes a host for vulnerabilities and can also export its reports. The video then walks the viewer through importing the Nessus findings directly into Metasploit in order to determine which Metasploit modules correspond to the Nessus vulnerabilities for the specific host. That module data is then used to compromise a remote Microsoft Windows XP box.
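The import-and-correlate step that both the Part 1 and Part 2 summaries describe (Nessus findings imported into Metasploit, then matched to modules for a host), as an added example that is not the video's or Metasploit's own code: it parses a constructed Nessus v2 report and matches each finding's CVE references against a small hand-built CVE-to-module index standing in for the database Metasploit builds on import. The host, ports, plugin IDs and plugin names in the sample are placeholders; the two CVE identifiers and module names are real but are not taken from the video, and the index itself is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed .nessus (v2 XML) excerpt for this example. Host, plugin IDs and
# plugin names are placeholders; the CVE identifiers and module names are real.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="lab-scan">
  <ReportHost name="192.168.56.101">
   <HostProperties>
    <tag name="operating-system">Microsoft Windows XP Service Pack 2</tag>
   </HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
               pluginID="10001" pluginName="Server service RCE (MS08-067)">
    <cve>CVE-2008-4250</cve>
   </ReportItem>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
               pluginID="10002" pluginName="Server service RCE (MS06-040)">
    <cve>CVE-2006-3439</cve>
   </ReportItem>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
               pluginID="10003" pluginName="SMB signing not required">
   </ReportItem>
   <ReportItem port="135" svc_name="epmap" protocol="tcp" severity="0"
               pluginID="10004" pluginName="DCE/RPC endpoint mapper detected">
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# Hand-built stand-in for the reference index Metasploit derives from module
# metadata; assumed for this example only.
MODULE_INDEX = {
    "CVE-2008-4250": "exploit/windows/smb/ms08_067_netapi",
    "CVE-2006-3439": "exploit/windows/smb/ms06_040_netapi",
}


def parse_nessus(xml_text: str) -> dict:
    """Return {host_ip: {"os": ..., "findings": [...]}} with the fields the
    correlation needs: port, protocol, severity, plugin ID/name, CVE list."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for rh in root.iter("ReportHost"):
        os_tag = rh.find("HostProperties/tag[@name='operating-system']")
        findings = []
        for item in rh.findall("ReportItem"):
            findings.append({
                "port": int(item.get("port")),
                "proto": item.get("protocol"),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "cves": [c.text.strip() for c in item.findall("cve") if c.text],
            })
        hosts[rh.get("name")] = {"os": os_tag.text if os_tag is not None else None,
                                 "findings": findings}
    return hosts


def match_modules(hosts: dict, index: dict = MODULE_INDEX):
    """Pair each CVE-bearing finding with exploit modules. Findings that carry a
    severity but match no module are returned separately so they are not lost;
    informational (severity 0) items are dropped."""
    matched, unmatched = {}, {}
    for host, info in hosts.items():
        for f in info["findings"]:
            mods = sorted({index[c] for c in f["cves"] if c in index})
            if mods:
                matched.setdefault(host, []).extend((f["port"], m) for m in mods)
            elif f["severity"] > 0:
                unmatched.setdefault(host, []).append((f["port"], f["name"]))
    return matched, unmatched


if __name__ == "__main__":
    m, u = match_modules(parse_nessus(SAMPLE_NESSUS))
    for host, hits in m.items():
        for port, module in hits:
            print(f"{host}:{port}  use {module}")
    for host, rest in u.items():
        for port, name in rest:
            print(f"{host}:{port}  no module for '{name}'")
```

The unmatched list is the part a scanner-to-exploit pipeline usually drops: a finding like "SMB signing not required" has no exploit module, yet it is exactly what a pass-the-hash or relay step later in the test depends on, so the correlation keeps it visible rather than filtering on "has module" alone.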
