Objectives:
- Students will examine methods of one-way (listen-only) interaction with networks
- Students will develop strategies for penetration testing networks non-destructively
- Students will evaluate penetration-testing exploits by implementing them
- Students will determine a process for examining passive exploits
- Students will implement exploit-based penetration tools
- Students will examine the risks and vulnerabilities of exploit tools of unknown provenance
Directions:
Part 1
Unlike active reconnaissance, passive reconnaissance is done in a way that avoids detection. Consider the difference between spies and soldiers: one hides in plain sight, the other is easily identified by a uniform. In some cases the method is as simple as hiding in time. Using time and the patience of the computer, slow-attack methods such as the "crippled caterpillar" generate traffic that could in principle be detected, but spreading it over hours keeps it below the thresholds a detector watches for. Ethereal/Wireshark are common tools for this kind of reconnaissance. Simply watching DHCP requests can expose extensive information: the client's MAC address (and therefore hardware vendor), its hostname, its vendor class and the list of options it asks for, which together identify the operating system without a single probe being sent.
For this section, complete the grid as you have done before.
1. Identify tools that do not transmit on the network, or that blend into the normal traffic on the network without giving away their use. The list should be extensive. You already have a number of tools to draw from, but now categorize each one as either passive or active reconnaissance.
2. Identify tools that can reconstruct the packet stream passively, that is, from a capture rather than by probing.
3. Ask how you can slow down a script or tool. Then ask whether the tool would be harder or easier to detect if it took hours instead of milliseconds to do its job. Is a slowed-down active tool passive?
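The DHCP point above is easy to verify for yourself. The following is an added example, not part of the course materials or of any tool the page names: a stdlib-only parser for the UDP payload of a BOOTP/DHCP message that pulls out what a silent listener on the segment learns from one DISCOVER. In practice you would feed it payloads exported from a Wireshark or tcpdump capture of UDP port 67/68; here the packet is constructed inline (the MAC, hostname and vendor class are made up) so it runs offline. The claim that the order of option 55 (parameter request list) is a per-OS fingerprint is a known property of DHCP clients, not something this code proves.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie that follows the BOOTP header
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_dhcp(payload: bytes) -> dict:
    """Parse the UDP payload of a BOOTP/DHCP message into header fields and raw options."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    chaddr = payload[28:28 + hlen]            # client hardware address (MAC for htype 1)
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                       # End option
            break
        if code == 0:                         # Pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "flags": flags,
            "mac": ":".join(f"{b:02x}" for b in chaddr), "options": options}


def client_profile(msg: dict) -> dict:
    """Pull out the fields a passive observer learns from a single client message."""
    o = msg["options"]
    profile = {"mac": msg["mac"],
               "type": MESSAGE_TYPES.get(o.get(53, b"\x00")[0], "unknown")}
    if 12 in o:
        profile["hostname"] = o[12].decode("ascii", "replace")
    if 60 in o:
        profile["vendor_class"] = o[60].decode("ascii", "replace")
    if 55 in o:
        # The order of requested options is a stable per-OS fingerprint.
        profile["param_request_list"] = list(o[55])
    if 50 in o:
        profile["requested_ip"] = ".".join(str(b) for b in o[50])
    if 61 in o:
        profile["client_id"] = o[61].hex()
    return profile


def build_sample_discover() -> bytes:
    """Constructed DHCP DISCOVER for demonstration; not a real capture."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)  # BOOTREQUEST, Ethernet, broadcast flag
    hdr += bytes(16)                                  # ciaddr, yiaddr, siaddr, giaddr = 0.0.0.0
    hdr += bytes.fromhex("001122334455") + bytes(10)  # chaddr, padded to 16 bytes
    hdr += bytes(64) + bytes(128)                     # sname and file, unused
    hostname, vendor = b"alice-laptop", b"MSFT 5.0"
    prl = bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])
    opts = (bytes([53, 1, 1])                                         # message type DISCOVER
            + bytes([61, 7, 1]) + bytes.fromhex("001122334455")       # client identifier
            + bytes([12, len(hostname)]) + hostname
            + bytes([60, len(vendor)]) + vendor
            + bytes([55, len(prl)]) + prl
            + bytes([255]))
    return hdr + DHCP_MAGIC + opts


if __name__ == "__main__":
    print(client_profile(parse_dhcp(build_sample_discover())))
```

Everything `client_profile` returns was volunteered by the client in a broadcast; the listener never sent a frame, which is the property that separates this from even the slowest active scan.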
Part 2A
When the passive and active tools are used together, an interesting intersection occurs: a meta-exploit becomes possible, or, put another way, an exploit of an exploit. Take the various tools and mix them. For example, if NESSUS is being run on the network, is it possible to use passive tools to watch its traffic and gain the same knowledge NESSUS is gathering as it runs?
1) Run NESSUS and NMAP between two machines, one acting as the scanner and the other as the target.
2) NESSUS tests for approximately 1000 types of vulnerabilities. Can that let you sift the information more quickly?
3) If you put the NESSUS checks into a grid like the one we have been building, do you think any patterns would emerge?
4) NESSUS and NMAP have particular biases towards the operating systems they test. Can you identify those biases by simple counts? Is there a methodology for deriving that bias?
5) On a third machine, use Ethereal/Wireshark, DSNiff or other appropriate tools (determining what is appropriate is part of the task) to reconstruct the sequence of probes sent by the active tool.
6) Describe in detail the method and strategy used to test this structure.
7) What can you ascertain? What can you use this for?
8) Discuss the results in depth (this should be extensive!).
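Step 5 asks you to rebuild the active tool's probe sequence from the third machine's capture. The following is an added example, not part of the course materials and not code from NMAP, NESSUS or Wireshark: given the packets a bystander saw (timestamp, endpoints, TCP flags, the kind of record you can export from a capture), it reconstructs which ports the scanner probed, in what order and at what rate, what the target told it, and whether the scanner completed handshakes or tore them down with RST. The capture is constructed inline with documentation-style private addresses; the scanner and target IPs and the port list are assumptions.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Pkt:
    ts: float      # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flags as letters, Wireshark style: S, SA, R, RA, A


def reconstruct_scan(pkts, scanner, target):
    """Rebuild what `scanner` learned about `target` from a bystander's view of the packets."""
    # Probes are the scanner's bare SYNs, in time order.
    probes = sorted((p for p in pkts if p.src == scanner and p.dst == target
                     and "S" in p.flags and "A" not in p.flags), key=lambda p: p.ts)
    # First reply from the target for each of its ports.
    replies = {}
    for p in pkts:
        if p.src == target and p.dst == scanner:
            replies.setdefault(p.sport, p.flags)
    # What the scanner sent after the SYN: RST means half-open scan, ACK means full connect.
    followups = {}
    for p in pkts:
        if p.src == scanner and p.dst == target and "S" not in p.flags:
            followups.setdefault(p.dport, p.flags)

    ports = {}
    for p in probes:
        r = replies.get(p.dport)
        if r is None:
            ports[p.dport] = "filtered"          # no answer at all
        elif "S" in r and "A" in r:
            ports[p.dport] = "open"              # SYN-ACK
        elif "R" in r:
            ports[p.dport] = "closed"            # RST
        else:
            ports[p.dport] = "unknown"

    order = [p.dport for p in probes]
    gaps = [b.ts - a.ts for a, b in zip(probes, probes[1:])]
    after_open = {followups.get(port) for port, st in ports.items() if st == "open"}
    if after_open and after_open <= {"R", "RA"}:
        technique = "half-open (SYN) scan"
    elif "A" in after_open:
        technique = "full connect scan"
    else:
        technique = "undetermined"
    return {"probe_count": len(probes),
            "port_order": "sequential" if order == sorted(order) else "non-sequential",
            "mean_gap_s": mean(gaps) if gaps else 0.0,   # what a rate-based IDS thresholds on
            "technique": technique,
            "ports": ports}


# Constructed capture (not a real trace): scanner 10.0.0.5 probes four ports on 10.0.0.9.
SAMPLE_CAPTURE = [
    Pkt(0.000, "10.0.0.5", 41000, "10.0.0.9", 22, "S"),
    Pkt(0.001, "10.0.0.9", 22, "10.0.0.5", 41000, "SA"),
    Pkt(0.001, "10.0.0.5", 41000, "10.0.0.9", 22, "R"),     # scanner tears down: half-open
    Pkt(0.010, "10.0.0.5", 41001, "10.0.0.9", 80, "S"),
    Pkt(0.011, "10.0.0.9", 80, "10.0.0.5", 41001, "SA"),
    Pkt(0.011, "10.0.0.5", 41001, "10.0.0.9", 80, "R"),
    Pkt(0.020, "10.0.0.5", 41002, "10.0.0.9", 443, "S"),
    Pkt(0.021, "10.0.0.9", 443, "10.0.0.5", 41002, "RA"),   # closed
    Pkt(0.030, "10.0.0.5", 41003, "10.0.0.9", 8080, "S"),   # never answered: filtered
]

if __name__ == "__main__":
    print(reconstruct_scan(SAMPLE_CAPTURE, "10.0.0.5", "10.0.0.9"))
```

The point of the exercise is visible in the return value: the third machine ends up with the same open/closed/filtered map the scanner paid for, plus the scanner's own fingerprint (port ordering and inter-probe gap), without having sent anything. Re-run it with the probe timestamps spread over hours to see how the mean gap, and nothing else, changes.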
Part 2B
A common if little-known attack is turning the tools against the adversary who runs them. In the past there have been many occasions where penetration tools, from the open source community or elsewhere, have themselves been attack tools. Your task is to identify some of these tools and how they were made hostile. You should develop strategies to ensure the tools you wish to use are not infected or backdoored before you use them.
1) Create a set of case studies, based on research, of network penetration tools that have been trojaned or otherwise exploited.
2) Identify, if possible, common patterns or issues between them.
3) Determine possible ways to ensure the tools you are using are not hostile.
4) Examine source code auditing as a strategy to protect against this threat. Is it viable in an enterprise environment?
5) What are the specific risks to the enterprise of using untested or exploited tools in penetration testing?
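Items 3 and 4 ask for concrete ways to check a tool before trusting it. The following is an added example, not part of the course materials and not a description of any real trojaned tool: it combines the two cheapest checks, verifying a download against a digest published out of band, and a first-pass triage of a Python tool's source using the `ast` module to flag the constructs that backdoors tend to use (dynamic code execution, decoding of embedded blobs, shell-executed commands, hard-coded network endpoints). The sample tool source is constructed for the demonstration, with a TEST-NET address as the planted call-home; the rule names and thresholds are assumptions, and a clean triage is not proof of a clean tool, only a way to decide what to read by hand first.

```python
import ast
import hashlib
import hmac
import re

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
DECODERS = {"b64decode", "b32decode", "a85decode", "fromhex", "decompress"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Compare a download against the digest published on a separate channel (constant-time)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def _dotted(node) -> str:
    """Dotted name of a call target, e.g. 'subprocess.call'; '' for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def triage(source: str):
    """Return (line, rule, detail) for constructs worth a human's attention, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            fn = _dotted(node.func)
            leaf = fn.rsplit(".", 1)[-1]
            if leaf in ("eval", "exec"):
                findings.append((node.lineno, "dynamic-exec", fn))
            if leaf in DECODERS:
                findings.append((node.lineno, "decode-obfuscation", fn))
            shell = any(k.arg == "shell" and isinstance(k.value, ast.Constant)
                        and k.value.value is True for k in node.keywords)
            if fn == "os.system" or (fn.startswith("subprocess.") and shell):
                findings.append((node.lineno, "shell-command", fn))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) and IPV4.match(node.value):
            findings.append((node.lineno, "hardcoded-endpoint", node.value))
    return sorted(findings)


# Constructed "scanner" with a planted backdoor; not a real tool.
SAMPLE_TOOL = '''\
import socket, subprocess, base64

def scan(host, ports):
    found = []
    for p in ports:
        s = socket.socket()
        s.settimeout(0.5)
        if s.connect_ex((host, p)) == 0:
            found.append(p)
        s.close()
    return found

def report(target):
    subprocess.call("nmap -sV " + target, shell=True)

exec(base64.b64decode("aW1wb3J0IHNvY2tldA=="))
s = socket.create_connection(("198.51.100.23", 4444))
'''

if __name__ == "__main__":
    blob = SAMPLE_TOOL.encode()
    print("digest ok:", verify_digest(blob, sha256_hex(blob)))
    for line, rule, detail in triage(blob.decode()):
        print(f"line {line}: {rule} ({detail})")
```

Note what the digest check does and does not buy: it proves the file is the one the publisher signed off on, not that the publisher's copy is clean, which is why the case studies in item 1 matter. The `ast` triage, in turn, only sees Python; a tool shipped as a binary or with a compiled helper needs the binary-analysis equivalent, and that is where the enterprise-viability question in item 4 gets hard.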
Special Directions:
Follow the directions in the syllabus.
Be sure to explain your methodology in depth.