Penetration Testing For A Final Exam


mjones

You can ignore the following backstory, but I added it for dramatic effect.

I am currently wrapping up my final Computer Forensics course here at school. Sadly, I got stuck with a first-year professor who doesn't know half of what she is talking about. She claims to have worked for a Fortune 50 company doing their network security, but her knowledge level is laughable for the job she used to hold. Students commonly correct her on basic facts about subjects; it's almost offensive to my education. There are very few intelligent people in this class. It's considered an easy minor (no wonder, with professors like this), and a lot of Criminal Justice students latch onto it as well.

All of this being said, I've learned next to nothing from these Computer Forensics courses with her after a full year. So to cap off my year, she decides to announce a live "computer hacking" competition of sorts. The major problem with this competition is that there has never been any sort of lesson on network penetration or computer hacking in the general sense. The closest we got was a card trick that somehow simulated password cracking. She basically went "WELP, this sounds fun" and assigned it. All we know about the competition is that the class will be split into two groups, one on defense and the other on offense. I have no doubt there are only two people on the opposing team who could be potential threats, but I am pretty confident I know some stuff in this area.

This type of work is what I'd like to do for a career, so I'm making this assignment into a test of sorts for myself. ONCE AGAIN, KEEP IN MIND WE HAVE BEEN TAUGHT ABSOLUTELY NOTHING INVOLVING NETWORK SECURITY OR PENETRATION TESTING. Everything here is stuff that I've either been taught, picked up over the years, or have convinced myself to believe is true. Pick it apart: what's good, what's bad, what's flat-out wrong.

The Setting:

Shitty PCs that barely boot.

Windows XP Service Pack 3

Every machine was built using the same image; they all have very little added aside from some shithead forensic tools we've never used.

We're on our own network of about 15 machines

The following is the software I plan on putting to use, and my strategy for both defending and attacking.

Defense:

Software:

Firewall - Really have no idea here; I haven't used anything that was a specific "firewall" since ZoneAlarm back in 2006. I would really be interested to hear some recommendations for a firewall.

Anti-Virus - Microsoft Security Essentials. These PCs are terrible, Pentium 4s with 512 MB of RAM, and need all the resources they can hold on to, and I've always liked this software.

Miscellaneous:

Get all machines patched up to date; uninstall all unnecessary programs, shit like Adobe Reader/Flash, MS Office, etc.; remove all Administrator accounts; basically, try to leave as few things they could attack as possible. Generate a strong Windows password; it won't do much for physical security, but I assume it'd help network-wise. Lame as it is, BIOS passwords on all our machines; they're padlocked so the jumpers can't be pulled.

Offense:

I cannot stress enough how little I formally know about this shit, so please help me better myself. I think of it as a simple four-part attack attempt:

1. Port scan: identify the targets and recognize their open ports.

2. Vulnerability scan: scan the target IPs and discover known vulnerabilities the machines currently have.

3. Attack: use Metasploit to exploit the vulnerability and gain access to the user's system.

4. Keep control: install a backdoor to keep control of the system (this is optional).

Software:

nmap - I've read a few books on the tool, so I know a decent amount of what I'm doing with it; couldn't think of a better port scanner.

Nessus - vulnerability scanner; again, the most revered in its category, so I figured I couldn't go wrong. I know little about the software, though.

Metasploit - I've been looking for a decent introduction to Metasploit for a long time but haven't had much luck. I've messed with it a little bit but would definitely like a thorough introduction from the start. I know Metasploit is even considered to be script-kiddie-esque, but I'm not sure of a better starting point.

BACKUP PLAN:

I will have unmonitored access to this lab for hours at a time, and I highly doubt the other students would consider the physical security of their machines or take advantage of us in the same way. I had considered placing trojans on the PCs and adding them to the "Ignored" section of the anti-virus, along with simply adding another Administrator account and giving it Remote Desktop access. I'd rather have this as a backup plan because of how lame it is, but if times get tough I will resort to high school tactics.

I'm basically wondering if this is an accurate strategy to be going into this type of thing with. Constructive criticism is what I'm looking for, so please offer it. If you have another place you visit where I could post this story and get some knowledgeable feedback, send that my way too.

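Step 1 of the plan above (port scan, then work out what is listening) is what `nmap -sT` plus a banner grab does. The following is an added example, not code from the original post or from nmap: a small TCP connect scanner in Python that probes a port range in parallel, grabs whatever the service says first, and flags the SMB/NetBIOS ports that matter most on an XP SP3 box. To keep it runnable offline it plants its own fake service on 127.0.0.1 and scans around it; the `SERVICE_GUESS` table and the planted SSH-style banner are constructed for the example.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Service guesses for the ports this thread keeps coming back to on an XP lab
# box. Constructed mapping for the example; nmap's nmap-services file is the
# real reference.
SERVICE_GUESS = {
    22: "ssh",
    80: "http",
    135: "msrpc (DCE endpoint mapper)",
    137: "netbios-ns",
    139: "netbios-ssn (SMB over NetBIOS)",
    445: "microsoft-ds (SMB direct)",
    3389: "ms-wbt-server (Remote Desktop)",
}
SMB_PORTS = {135, 137, 138, 139, 445}


def probe(host, port, timeout=0.5):
    """Full TCP connect probe (what `nmap -sT` does) plus a short banner grab.

    Returns (port, banner) for an open port, or None when the connect fails or
    times out. Closed and filtered are not distinguished here; nmap does that
    by looking at RST versus silence.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            return None
        # Many services talk first (SSH, SMTP, FTP). Anything that waits for
        # the client just times out and yields an empty banner.
        try:
            banner = s.recv(128)
        except OSError:
            banner = b""
    return port, banner.decode("ascii", "replace").strip()


def scan(host, ports, workers=32):
    """Connect-scan `ports` on `host` in parallel; returns {port: banner}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return {port: banner for hit in results if hit is not None for port, banner in (hit,)}


def report(open_ports):
    """Turn scan results into the lines a tester would write in the notes."""
    lines = []
    for port in sorted(open_ports):
        guess = SERVICE_GUESS.get(port, "unknown")
        banner = open_ports[port] or "(no banner)"
        lines.append(f"{port}/tcp open  {guess:<32} {banner}")
    exposed = sorted(SMB_PORTS & set(open_ports))
    if exposed:
        lines.append(f"SMB/NetBIOS exposed on {exposed}: first place to look on an unpatched XP box")
    return lines


def start_fake_service(banner, host="127.0.0.1"):
    """Constructed stand-in for a target: a listener that greets with `banner`.

    Binds an ephemeral port and returns it so the scan runs offline.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Plant one fake SSH-like service on localhost and scan a window around it."""
    planted = start_fake_service(b"SSH-2.0-OpenSSH_5.3\r\n")
    window = range(max(1, planted - 3), min(65535, planted + 3) + 1)
    found = scan("127.0.0.1", window)
    return {"planted": planted, "found": found,
            "ok": found.get(planted, "").startswith("SSH-2.0")}


if __name__ == "__main__":
    result = demo()
    print(f"planted fake service on port {result['planted']}")
    for line in report(result["found"]):
        print(line)
```

Against real lab targets you would feed `scan()` the addresses from an ARP sweep of the class subnet and the full 1-1024 range plus 3389; the point of the banner column is that Nessus and Metasploit both want to know the service version, not just that a port answered.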

From a security point of view, I think you've got most of it covered yourself.

Software:

Firewall - I would use Comodo; it has quite a few nice security features up its sleeve, like host intrusion prevention.

Anti-Virus - I don't mind Microsoft Security Essentials, but I never had any good experience with it, so I would recommend Avast 6.0 instead; it does really well in securing the system.

Miscellaneous:

1) Keeping the system up to date is very important; it not only reduces your chances of being exploited by Metasploit but also makes your system more secure.

2) As you suggested, I would definitely uninstall any third-party software, like Adobe, QuickTime or Java too. Making your computer less vulnerable is the key to keeping it secure.

3) This one is a very important one: strong, complex and long passwords are a must. It not only dramatically increases the brute-force time frame but will slow down the attacker, since they will need a massive amount of computational power to crack the password.

4) I would also disable the USB ports on the computer, just in case they try USB attacks on you.

Offense:

1) Metasploit is very good for pen-testing, for finding weak security spots on the system. But you have to be aware that most attacks nowadays happen on the client side through browser attacks. For example, if an attacker wants to gain control of your PC, he/she could use social engineering to convince you to open an attachment, giving them access to your computer through a reverse shell.

2) Or an attacker could send you a link to a crafted website that has some kind of malware designed to penetrate your computer, thus giving them control of it. So with that in mind, don't go clicking on links that you are not certain are safe. If you have to, use a virtual machine; that way the infection is contained to the VM itself.

Software:

Nmap

Nessus

Metasploit

These are great tools; however, you could also use Cain & Abel to do a bit of sniffing on the network to see if you can capture passwords.

Edited by Infiltrator

I hope this school lab is not tied directly to the main school network. God forbid she had you all trying network scans with Nessus and Metasploit and they started popping school computers in the main office or such. My concern would be to get the school involved if the teacher seems to be a hapless twit. Is this college or high school? If high school, get the parents involved and have this teacher reviewed by a 3rd party that can verify the material being taught, because it's our tax dollars at waste here. Even if college level, someone should make sure this course is actually teaching you something, rather than having a teacher be corrected by students on basic things he/she should already know.

For the protection/attacks, do you know the patch level of these machines? Are they current with all Windows updates? And what services are running other than the default Windows services themselves? What 3rd-party software is installed?

For defense, the first thing I would do is go into services.msc and set the "Server" and "Computer Browser" services to Disabled. This will limit SMB attacks for the most part; unless it's strictly required for the class, disable them. This is also what you will want to try looking at to exploit, since it's all local network stuff: if the other team you are attacking has left these up, there are a number of attacks that can be used in Metasploit alone to attack SMB.

Domain logons require NetBIOS, but if you are just using local machine logons and are not part of a server tree/domain, then disable the TCP/IP NetBIOS Helper service, and under the NIC settings disable NetBIOS over TCP/IP. If these machines log on to a domain, then you will have to leave the NetBIOS service running, though.

If you need to put something on these you can download for free as far as protection goes, Avast would probably be the norm. The paid full version of ZoneAlarm comes with anti-virus now, which uses Kaspersky for its underlying anti-virus and is pretty decent. The nice thing about the full version of ZoneAlarm is you will be able to block specific port ranges, such as those you can't close via Windows alone, like 135-139 and 445. Some of them will be needed for the domain logon, though, so tread lightly on what you block if you need to be able to do domain logins.

Use Sysinternals TCPView to monitor connections. You can do the same thing via a cmd window with the netstat command, but with TCPView you can click the connections and close them as well. This will show all listening and connected sessions.

If you want to install some other free tools, EMET 2.0 is another tool from Microsoft which can help thwart buffer overflows and memory attacks that manage to get past DEP and ASLR (address space layout randomization, which I don't even think is integrated in XP, only Vista, 7 and Server 2008).

The last one I would suggest is Irongeek's MAC address monitoring tool, which will help tell you if you are being attacked by an ARP poison attack or MITM via ARP spoofing, so if someone tries to MITM you for whatever reason you should be able to detect it. As an attack, you could also try a MITM with Cain and see if it picks up any logins from the targeted machines. Just make sure you only ARP-attack the IPs of the students' machines, and not the rest of the school's network.

These are by no means going to stop attacks or be foolproof plans, but they're a good place to start. The other thing is, some of what you are going to be doing is illegal if not used strictly in the lab for testing purposes. If you start hitting machines on the school network other than those in the test, you run into legal issues and the chance you get in trouble on many different levels. From what you have told us, if the teacher is really as bad as you say, there is the possibility that some of what you are doing might not be isolated to your school lab setup alone. Without full details and knowledge of the setup, we can't help in that department. The other thought is, if this was all a ploy or social engineering us to get info on what things to try attacking someone with, well, I really don't care, as you would be the one breaking the law and taking those risks; use at your own peril.

Edited by digip
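The post above tells you to disable Server and Computer Browser, kill NetBIOS over TCP/IP, and then watch `netstat`/TCPView to confirm nothing is still listening on 135-139 and 445. The following is an added example, not the poster's code and not part of any tool he names: a Python audit that parses `netstat -ano` output in the Windows XP layout and reports anything reachable from the wire, SMB/NetBIOS listeners first, plus established sessions onto admin ports and outbound SMB to another box. The `SAMPLE_NETSTAT` text is constructed for the example (not a capture from a real machine); the `allowed_ports` set and the port groupings are the example's own assumptions.

```python
import platform
import subprocess

# Constructed `netstat -ano` output in the Windows XP column layout. Note that
# UDP rows have no State column, which is the parsing trap.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1080
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING       1120
  TCP    192.168.1.10:3389      192.168.1.55:50122     ESTABLISHED     1120
  TCP    192.168.1.10:1052      192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:138            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1212
"""

# RPC endpoint mapper, NetBIOS name/datagram/session, and SMB direct: the
# ports the post says to close. 3389 is Remote Desktop.
SMB_NETBIOS = {135, 137, 138, 139, 445}
ADMIN_PORTS = SMB_NETBIOS | {3389}


def split_endpoint(ep):
    """'192.168.1.10:139' -> ('192.168.1.10', 139); '*:*' -> ('*', None)."""
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0]
        host, port = split_endpoint(parts[1])
        fhost, fport = split_endpoint(parts[2])
        # TCP rows: Proto Local Foreign State PID. UDP rows: Proto Local Foreign PID.
        state = parts[3] if proto == "TCP" else ""
        rows.append({"proto": proto, "host": host, "port": port, "fhost": fhost,
                     "fport": fport, "state": state, "pid": int(parts[-1])})
    return rows


def audit(rows, allowed_ports=frozenset()):
    """Findings for sockets the other team can reach.

    A socket is exposed when it listens (TCP LISTENING, or any UDP row) on a
    non-loopback address. SMB/NetBIOS ports are flagged regardless of the
    allow-list, since turning them off is the whole point of the exercise.
    """
    findings = []
    for r in rows:
        listening = r["proto"] == "UDP" or r["state"] == "LISTENING"
        on_wire = not (r["host"].startswith("127.") or r["host"] == "[::1]")
        where = f"{r['proto']} {r['host']}:{r['port']} pid {r['pid']}"
        if listening and on_wire:
            if r["port"] in SMB_NETBIOS:
                findings.append(f"EXPOSED SMB/NetBIOS listener: {where}")
            elif r["port"] not in allowed_ports:
                findings.append(f"unexpected listener: {where}")
        elif r["state"] == "ESTABLISHED":
            if r["port"] in ADMIN_PORTS:
                # Someone is already on an admin/file-sharing port. Who?
                findings.append(f"inbound session from {r['fhost']}:{r['fport']} to {where}")
            elif r["fport"] in SMB_NETBIOS:
                # This box reaching out to someone else's SMB: did you mean to?
                findings.append(f"outbound SMB/NetBIOS to {r['fhost']}:{r['fport']} from {where}")
    return findings


if __name__ == "__main__":
    if platform.system() == "Windows":
        text = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_NETSTAT  # nothing to query offline; use the constructed sample
    for finding in audit(parse_netstat(text), allowed_ports={3389}):
        print(finding)
```

Run it before and after the services.msc changes: the Server service is what holds 139/445 under PID 4 (the System process), so those rows disappearing is the confirmation you want. The 137/138 UDP rows come from NetBIOS over TCP/IP and only go away once that is disabled on the NIC, which is why the post treats the two steps separately.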


Just adding to what digip said about ARP poisoning.

These tools can help alert on and prevent ARP poisoning.

Arpwatch only alerts you to potential ARP poisoning.

ArpON alerts and blocks the attack.

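Both digip's point about spotting a Cain-style MITM and the Arpwatch/ArpON note above come down to the same check: remember which MAC claimed each IP and complain when that changes. The following is an added example, not code from either poster, from Arpwatch, ArpON or Irongeek's tool: a minimal Arpwatch-style monitor in Python that parses raw Ethernet+ARP frames with `struct`, raises an alert when an IP's MAC changes, when the ARP sender MAC disagrees with the frame's source MAC, or when a gratuitous reply arrives. The three frames it inspects are constructed for the example (a normal gateway reply, then two poisoning attempts); the addresses are made up.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2
BROADCAST = b"\xff" * 6


def mac(text):
    """'00:1a:2b:3c:4d:5e' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def ip(text):
    """'192.168.1.1' -> 4 raw bytes."""
    return bytes(int(octet) for octet in text.split("."))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def build_frame(eth_src, sha, spa, tha, tpa, op=ARP_REPLY, eth_dst=BROADCAST):
    """Constructed Ethernet+ARP frame (example test data, not a capture)."""
    return ETH_HDR.pack(eth_dst, eth_src, ETHERTYPE_ARP) + ARP_PKT.pack(
        1, 0x0800, 6, 4, op, sha, spa, tha, tpa)


def parse_frame(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _eth_dst, eth_src, etype = ETH_HDR.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": eth_src, "op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


class ArpMonitor:
    """Arpwatch-style detector: remembers who claimed each IP and complains on change.

    `static` seeds the table with pairs you know (the gateway, your teammates);
    a learned or seeded binding is never overwritten, so repeated poisoning
    keeps alerting instead of being accepted after the first frame.
    """

    def __init__(self, static=None):
        self.table = dict(static or {})

    def inspect(self, frame):
        alerts = []
        arp = parse_frame(frame)
        if arp is None:
            return alerts
        if arp["sha"] != arp["eth_src"]:
            alerts.append(f"L2/ARP mismatch: frame from {fmt_mac(arp['eth_src'])} "
                          f"claims ARP sender {fmt_mac(arp['sha'])}")
        if arp["op"] == ARP_REPLY and arp["spa"] == arp["tpa"]:
            alerts.append(f"gratuitous reply for {fmt_ip(arp['spa'])}")
        known = self.table.get(arp["spa"])
        if known is None:
            self.table[arp["spa"]] = arp["sha"]
        elif known != arp["sha"]:
            alerts.append(f"{fmt_ip(arp['spa'])} changed from {fmt_mac(known)} to "
                          f"{fmt_mac(arp['sha'])} (possible ARP poisoning)")
        return alerts


def run_demo():
    """Feed three constructed frames through one monitor; returns the alerts per frame."""
    gw_ip, gw_mac = ip("192.168.1.1"), mac("00:1a:2b:3c:4d:5e")
    victim_ip, victim_mac = ip("192.168.1.10"), mac("00:0c:29:aa:bb:cc")
    attacker = mac("00:50:56:de:ad:00")
    mon = ArpMonitor()
    frames = [
        # 1. the real gateway answers the victim's request
        build_frame(gw_mac, gw_mac, gw_ip, victim_mac, victim_ip, eth_dst=victim_mac),
        # 2. Cain-style poison: attacker says the gateway IP lives at its own MAC
        build_frame(attacker, attacker, gw_ip, victim_mac, victim_ip, eth_dst=victim_mac),
        # 3. sloppier poison: ARP sender MAC forged to the gateway's, frame still from attacker
        build_frame(attacker, gw_mac, gw_ip, victim_mac, victim_ip, eth_dst=victim_mac),
    ]
    return [mon.inspect(f) for f in frames]


if __name__ == "__main__":
    for n, alerts in enumerate(run_demo(), 1):
        print(f"frame {n}: {alerts or 'ok'}")
```

On a real interface you would hand `inspect()` each frame from a raw socket or pcap reader. The caveat that applies to Arpwatch as much as to this code: a MAC change is also what a legitimate NIC swap or DHCP reassignment looks like, so the alert is a prompt to go look, and blocking (what ArpON adds) is only safe for bindings you have seeded as static.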

You never really want to be waiting for anything or only doing one thing at a time. So, if you're scanning a machine with Nmap and see it's running a web server, go ahead and throw something like Nikto at it. The more info you obtain, the higher your rate of success will be. If you pop a box, don't let it sit there; use it! Use its cycles to crack passwords, or maybe you'll find something interesting you could use for a social engineering attack. If you get into a machine using a certain exploit, other machines may be vulnerable to the same attack if they're not working as a team and helping each other secure their systems. Use the lack of communication to your advantage :)

USB attacks are great. Drop a few USB drives with some value-added features around and see what you get ;) Just be sure to inform your teammates :) Which is another thing: if you have a team, be sure to help each other and keep the communication flowing. Also, be sure to keep documentation ;) You'll definitely want the instructor to clarify the rules of engagement so you don't do something that gets you disqualified or something lame like that.



Guest leg3nd

Arpwatch only alerts you to potential ARP poisoning.

ArpON alerts and blocks the attack.

Arpwatch is cool. Personally, if I get suspicious about a bad SSL cert or a site that's HTTP and should be HTTPS, I just whip out some tcpdump with filters, traceroute, and route -n and take action from there.

A little more crude, but fun ;)

