Objectives:
- Students will examine the targeted use of exploit tools.
- Students will examine issues with “standard” auditing practices.
- Students will evaluate the use of tools in a targeted manner.
- Students will implement and examine tools.
- Students will determine issues with exploit tool bias in red teaming.
- Students will determine if exploit bias hinders or helps security of the network.
Directions:
Using the matrix of attacks you have completed, together with passive and active reconnaissance, you should be able to choose an appropriate tool or exploit method and exploit a system on the first try. Unfortunately, in penetration testing and red teaming there is often little incentive to exploit on a single attempt. The behavior we see instead is much more like a Mongolian horde descending on the network, running every exploit known and having little to no impact on securing the systems. In fact, from previous labs you should realize that an auditor running NESSUS or other tools to audit security can in fact create security risks: if there is any point in the network where a passive reconnaissance agent could be running, auditors can decrease the security of the network by running such tools. Worse, some SCADA systems simply shut down in the face of significant scan attempts.
If, then, we want to direct an attack, how do we do it? One way is to use passive methods to harvest operating system information. Using that, we can make best guesses at what is likely patched or protected and what is not. Using the matrix, it is simply an act of subtraction to find likely candidates to attack with. In this way, rather than the Genghis Khan of the Internet, the red team now act as snipers and spies, sneaking in and getting the job done. There are a few benefits to doing this. The first and best benefit is that if a passive agent or zombie on a computer is watching, there is no substantial scanning for it to notice and harvest results from. There is also the benefit that SCADA and other embedded systems won’t fail as a secondary effect of scans. Finally, but not necessarily only, the technique shows that real systems knowledge overcomes script-using auditors every time.
Your tasks are as follows:
1) Take three systems with differing operating systems and/or patch revision levels.
2) You will start out knowing basically what they are, but develop a plan to determine the operating systems passively, from normal use.
3) Using the known exploits and the likely candidates attempt to exploit the first system.
4) You must disclose how many attempts it took you to exploit the first system.
5) Like you did in lab five, you can pick and choose your exploits carefully.
6) Refine your efforts taking into account all you know about the second system. Create a plan for exploiting it.
7) Attempt the exploit; you must disclose the number of attempts it took to exploit the system, or how long you tried before you quit.
8) On the third system go ahead and actively and aggressively evaluate the system through a tool like NESSUS.
9) Using the NESSUS tool report choose a reported exploit.
10) Attempt the exploit and you must disclose the number of attempts/exploits it takes to exploit the third system.
11) Depending on how honest you are and how faithfully you recreate a real scenario, your results will likely reveal an interesting result.
a. In some cases (operating system dependent and pen-tester dependent) the number of attempts between no-NESSUS and yes-NESSUS will be the same.
b. In some cases the number of attempts will be substantially lower for the planned exploit without NESSUS due to the false positives NESSUS sometimes provides.
c. In some cases you will notice that the normal NESSUS bias and tool bias of exploits suggests that the planned exploit has a much higher chance of working.
d. You should discuss in depth the results and the issues with the bias.
12) You should think about that bias in tools and exploits for certain layers of the OSI 7-layer model and what it means for pen-testing and red-teaming. Discuss this in depth.
13) Finally, you should think about and challenge the maxim that exploiting a lower layer also exploits the layers above it in the OSI 7-layer model. Is this true, false, or something else, and why? Discuss in depth.
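As an added illustration (not part of this lab hand-out), the following Python sketch shows the passive-inference and matrix-subtraction step described in the Directions, together with the attempt-count comparison that task 11 asks you to discuss. Everything in it is constructed: the TTL/window signature table is a toy, the matrix uses placeholder issue identifiers (ISSUE-A and so on, standing in for whatever your own matrix contains), and the packet summary line and the scanner-style report are invented. It touches no network; it only shows why a list padded with false positives takes more tries to reach an applicable entry than a list reduced by what was passively observed.

```python
"""Passive platform inference and "matrix subtraction", plus a comparison of
how many tries a planned list versus a scanner-style list needs.

Added illustration, not part of the lab hand-out: the TTL/window signature
table is a toy, the matrix uses placeholder issue identifiers, and the packet
summaries and the scanner report are constructed."""
from collections import namedtuple

# Toy passive signature table: (initial TTL, TCP window size) -> OS family.
# Real passive fingerprinters use many more fields; this is illustrative only.
SIGNATURES = {
    (64, 29200): "linux",
    (64, 65535): "freebsd",
    (128, 8192): "windows",
    (128, 65535): "windows",
}

# Constructed "matrix of attacks": placeholder issue id -> the
# (os family, patch level) pairs the issue is known to apply to.
MATRIX = {
    "ISSUE-A": {("windows", "sp0"), ("windows", "sp1")},
    "ISSUE-B": {("windows", "sp0")},
    "ISSUE-C": {("linux", "base")},
    "ISSUE-D": {("freebsd", "base"), ("linux", "base")},
}

Observation = namedtuple("Observation", "host ttl window patch")


def initial_ttl(observed_ttl):
    """Round a hop-decremented TTL up to the common initial value it came from."""
    for start in (32, 64, 128, 255):
        if observed_ttl <= start:
            return start
    return 255


def parse_summary(line):
    """Parse one constructed packet summary line, e.g.
    'host=10.0.0.5 ttl=126 win=8192 patch=sp1'.  The patch field stands in for
    a version string seen passively during normal use (a banner, for example)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Observation(fields["host"], int(fields["ttl"]),
                       int(fields["win"]), fields.get("patch", "unknown"))


def guess_os(obs):
    """Look the normalised TTL and window up in the toy signature table."""
    return SIGNATURES.get((initial_ttl(obs.ttl), obs.window), "unknown")


def candidate_issues(os_family, patch):
    """The subtraction step: drop every matrix entry that does not match the
    inferred platform, leaving only plausible candidates."""
    return sorted(issue for issue, applies in MATRIX.items()
                  if (os_family, patch) in applies)


def attempts_until_first_hit(ordered_candidates, truly_applicable):
    """How many entries of a list must be tried before one that really applies
    is reached; None if the list contains no applicable entry at all."""
    for position, issue in enumerate(ordered_candidates, start=1):
        if issue in truly_applicable:
            return position
    return None


def compare_lists(summary_line, scanner_report, truly_applicable):
    """Return (planned_attempts, scanner_attempts) for one observed host."""
    obs = parse_summary(summary_line)
    planned = candidate_issues(guess_os(obs), obs.patch)
    return (attempts_until_first_hit(planned, truly_applicable),
            attempts_until_first_hit(scanner_report, truly_applicable))


if __name__ == "__main__":
    # Constructed host: TTL 126 (two hops from an initial 128), window 8192.
    line = "host=10.0.0.5 ttl=126 win=8192 patch=sp1"
    # Constructed scanner-style report: severity-ordered, three false positives
    # ahead of the one finding that actually applies to this host.
    report = ["ISSUE-C", "ISSUE-D", "ISSUE-B", "ISSUE-A"]
    print(compare_lists(line, report, {"ISSUE-A"}))  # (1, 4)
```

The point of the comparison is case 11b: the planned list reaches an applicable entry on the first try because everything inconsistent with the observed platform was subtracted away, while the scanner-ordered list spends three attempts on findings that never applied. When you write up your own results, record the ordering you actually followed, since that ordering, not the tool alone, is what produces the attempt count.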
Special Directions:
Students should provide a lab write up as per the syllabus and instructor directions.
Students should provide IN DEPTH answers to ALL the questions.