Hacking - Network Security Introduction
0. introduction
BaSoTi 2016 - Tallinn

Hacking
Information Security
A practical course in Ethical Hacking

Thomas Kemmerich, PhD
Associate Professor, NTNU i Gjøvik, Norway
E-mail: [email protected]
Tel. +47 611 35229

Teaching: Computer Networks, Network Security, Computer Forensics and Ethical Hacking
Research: Networks, Cloud Security and Digital Forensic Readiness

01-Hacking-Network-Security - 25 July 2016

CCIS: Center for Cyber and Information Security
Opening Conference 15 August 2014 in Gjøvik
• 20 professors only for Information Security
• up to 35 PhD students
• biggest centre for Cyber and Information Security in Europe

COINS: School of Computer and Information Security
PhD program, part of CCIS

CCIS: Center for Cyber and Information Security
Opening Conference 15 August 2014 in Gjøvik
• 20 professors only for Information Security
• up to 50 PhD students
• biggest centre for cyber crime and Information Security in Europe

Information Security

Ethical Hacking

Who has experience in Hacking?

What was the intention to do it?

Which tools did you use?

What were the results?

These slides are produced according to the lecture ‘Ethical Hacking!’ from Lasse Øverlier, Høgskolen i Gjøvik

General Behaviour (Ethics)
• usage of knowledge and tools only for GOOD
• usage of knowledge and tools only with your own systems and networks, or with systems and networks you are allowed to investigate, proven by a written agreement

Don’t use your knowledge or tools just for fun!!
Do only things you understand!!

By default:
• “Ethical Hacking” is Hacking (Pentesting)
• “Unethical Hacking” is Cracking

This is very often mixed up

Literature:

• The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy, Patrick Engebretson, Elsevier, 2011
• Web Penetration Testing with Kali Linux, Joseph Muniz, Aamir Lakhani, http://it-ebooks.info/book/3000/
• Gray Hat Hacking - The Ethical Hacker's Handbook, 4th Edition, 2015, Regalado et al.

Literature:
• Kali Linux: www.kali.org
• aircrack: http://www.aircrack-ng.org/
• kismet: http://www.kismetwireless.net/documentation.shtml
• nmap: http://nmap.org/book/man.html

Course Structure:

• Lectures of the theoretical aspects
• Practical Hacking
- planning
- hacking exercise
- documentation

• Discussion about the process

Course Exams:

• Part 1: Planning Report
• Part 2: Hacking Report
• Part 3: Written Exam

Practical Pentesting:
• working in groups of five students
• writing your plan and report as a group
• cooperation between groups: YES
  same plan and report (wording) in different groups: No == F
• plans or reports sent after the deadline will not be accepted

Exam:
1. Part: Plan and Report of your Hacking experiment here in this course:
- Plan
What is the goal of your pen testing?
How will you reach the goal?
Step by step plan including a rough timeline (not only technical aspects are relevant here)

33,3% of the grade

Delivery date: 04.08.2016, 0:00 by email [email protected]

1-2 pages

Exam:
2. Part: Plan and Report of your Hacking experiment here in this course:
- Report
What did you do?
What kind of difficulties appeared?
Results of each step
Overall description of the Pentest
What would you improve next time?

33,3% of the grade

Delivery date: 06.8.2016, 0:00 by email [email protected]

max. 2-3 pages

Exam:
3. Part: - Written exam:

3-4 questions about the concepts of ‘Ethical Hacking’

Sunday, 8. of August

33,3% of the grade

Information Security Basics

from Basel Katt, NTNU, Norway

• (Data) Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes [i.e., to any unauthorized system entity].

• (Data) Integrity: The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner.

• Availability: The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system; i.e., a system is available if it provides services according to the system design whenever users request them.

Information Security Basics
Terminology based on RFC 2828

• Vulnerability: A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.

• Threat: A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. I.e., a threat is a possible danger that might exploit a vulnerability.

Information Security Basics
Terminology based on RFC 2828

• Attack: An assault on the system that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system.

• Risk: An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.

Information Security Basics
Terminology based on RFC 2828

• Adversary: An entity that attacks, or is a threat to, a system.

• Countermeasure: An action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.

• System resource (asset): Data contained in an information system, or a service provided by the system, or a system capability, such as processing power or communication bandwidth, or an item of system equipment, or a facility that houses system operations and equipment.

Why do we learn Hacking?
• Understand the:
- methodology
- goals
- tactics
- skills
- tools
of the enemies

Why do we learn Hacking?
We must know what an attack looks/feels like in order to detect it and to defend against it!

We need to know the vulnerabilities of our systems and networks

• locate bugs and configuration flaws
• find access points for social engineering
• critical behaviour of users and administrators

Pentesting

• Pentesting is a subset of ethical hacking
• Clear strategic measures to check systems and networks
• Tools
• Exploiting Systems
• Development of own tools
• Vulnerabilities in new code (Software Security)
• Standard user accounts

Pentesting

"Penetration testing can be defined as a legal and authorized attempt to locate and successfully exploit computer systems for the purpose of making those systems more secure."

"A vulnerability assessment is the process of reviewing services and systems for potential security issues, whereas a penetration test actually performs exploitation and POC (proof of concept) attacks to prove that a security issue exists."

Types of Pentester/Hacker/Cracker

White Hat: good, a hero, focussing on securing and protecting IT-Systems and Networks

Black Hat: bad guy, breaking into networks and IT-Systems to steal, manipulate data and/or implant malware

Gray Hat: sometimes good but sometimes bad. Unclear skills lead to criminal behaviour.

Always be a White Hat!

Types of Testing

White box testing: access to all information incl. network diagrams, IT-Systems, versions of SW etc.

Black box testing: no knowledge about anything

Gray box testing: simulate an attack that could be carried out by a disgruntled, disaffected staff member

Access to the Systems:

Remote via Network Access (Internet):
• Login services (VPNs, SSH, telecommuter, …)
• Web-Applications
• Wireless access
• Remote Dial-In

Local:
• Internal users / visitors (contract workers)
• Physical access to the infrastructure
• Wireless access
• Social Engineering

Software Security:

How many sheets of paper do I need to print out the code of Android OS at 8pt?

Typical Attack/Pentest Phases

• Reconnaissance
• Scanning
• Exploitation
- Privilege escalation
• Maintaining access
• Covering tracks and hiding

• Documentation

Reconnaissance

Reconnaissance

• Locate the target you want to penetrate

• Gather all available information:
- IP-Addresses
- Users
- Servers
- Services
- E-mails
- locations
- persons
- …

Avoid direct contact with the target (scanning etc.)

Social Engineering
Web research
Hidden investigation

Ethical Hacking*

Reconnaissance - What are we interested in?

• Get an overview of the target
  With only normal usage of network resources
• Make internal pentesting infrastructure
  Preparation – lab – notes – report forms
• Setting the ground rules for testing
  Rules of engagement, contracts, ...
• Methodologies
• Document all steps and write a report (form)

Ethical Hacking*

I. Exercise:
• You shall conduct a penetration test for a dedicated WLAN setup for this BaSoTi course

• It is a blackbox test

• Describe all tasks and steps you are doing any test!

• Develop a form for the report

• What else do you need for the preparation

—> Make a short presentation of your plan

before

groups of 5 students

Ethical Hacking*

I. Exercise:

• You should use:

The Open Source Security Testing Methodology Manual (http://www.isecom.org/research/osstmm.html)

Ethical Hacking*

I. Exercise:
• Define the target
• Develop an attack strategy
- methodology?
- how could you be undetected?
- how to cover tracks?
• Define the tools you want to use
• Define the form of documentation

—> send the report by mail latest: 04. August, 0:00 pm (include the names of the group members!!!)

groups of 5 students

Ib. Exercise:

• Install Kali Linux in a virtual machine (virtual box or VM), if not done yet (one installation per group)

• Start aircrack to monitor the air; use e.g. kismet to find out the SSID of the target network

• Find out the WPA pass phrase to connect to the WLAN

confirm with me that you connect to the right network!

Next Lecture!

Simple Reconnaissance

• Social Engineering
• Caller ID spoofing
• Physical break in

• Dumpster Diving

Social Engineering

Reconnaissance - Human interaction
Exploiting the weaknesses of the human element (in information systems)

• By telephone: Call support, “manager” calling lower employee, sysadmin calling —> remote access number / credentials

• Gaining trust

• Need of help (being helpless)

• Being very confident

Reconnaissance - Caller ID spoofing
• Internal number seems to be trustworthy
• Setting up voice mailboxes —> leave messages to an internal number
• Spoofing same caller ID as target —> often gains full access to voice mail, or caller ID is password to voice mail box

Caller ID spoofing is simple using most VoIP providers

Reconnaissance - Physical Break In
• Join a group of employees
• Visiting but not leaving (no badges required in the company)
• No screensaver with lock
• Information collection (post-it, USB-sticks, CD/DVD, Laptop, external HD, PCs)
• leave access HW
• Backdoor opportunities (unprotected network access (ports), computer rooms, …)
• fired employees are not prevented from accessing the company

Reconnaissance - countermeasures against SE
• User awareness (regular qualifications)
- Hacking demonstrations
• Authentication procedures for IT-Support (not only)
• Enforce wearing badges for access control, especially for computer rooms

• screen saver with passwords

• Lock Down servers and computers (mobiles!?!)

• Encryption of all data

Reconnaissance - countermeasures against SE
• Avoid BYOD
• Clear procedures for processing old HW
- Computers, Laptops, Mobiles, GPS, …
- HDs, Memory-Sticks
- Copy machines
- Network devices (routers, switches)

• Handling of paper and CDs/DVDs containing sensitive data —> shredding

btw: What are sensitive data?

Reconnaissance - Gifts

Scatter 1000 infected USB sticks on the parking place at REMA1000 or of any company.

Reconnaissance - Online Information
• Searching for information
- Web sites
- Search engines
- Public databases
- DNS information

Required for a good start:
- good internal mapping of the:
  * People (culture)
  * Infrastructure

More details —> Ethical Hacking course at NTNU

II. Exercise:

• Install Kali Linux in a virtual machine (virtual box or VM), if not done yet (one installation per group)

• Start aircrack to monitor the air; use e.g. kismet to find out the SSID of the target network

• Find out the WEP pass phrase to connect to the WLAN

confirm with me that you connect to the right network!

Questions?
