Penetration Lab

There are three publicly available De-ICE LiveCDs included on the accompanying DVD. Each of them has a different scenario, and requires different skills to solve. The easier challenges are the 1.100 and 1.110 scenarios, whereas the more difficult scenario is 2.100.
This LiveCD is configured with an Internet Protocol (IP) address of 192.168.1.100 – no additional configuration of the server is necessary. The scenario for this LiveCD is that a chief executive officer (CEO) of a small company has been pressured by the board of directors to have a penetration test done within the company. The CEO, believing his company is secure, feels this is a huge waste of money, especially since he already has a company scan their network for vulnerabilities (using Nessus). To make the board of directors happy, he decides to hire you for a 5-day job; because he really doesn't believe the company is insecure, he has contracted you to look at only one server – an old system that only has a Web-based list of the company's contact information.
The CEO expects you to prove that the system administrators follow all proper accepted security practices, and that you will not be able to obtain access to the box.
The PenTest Lab system and the PenTest machine must connect to a router that has been configured with the following values:
Dynamic Host Configuration Protocol (DHCP) Server: active
Local Area Network Transmission Control Protocol/Internet Protocol (LAN TCP/IP):
Most people, when they set up the PenTest lab with the De-ICE disks, will try to “ping” the system to see if everything is configured properly. Some real-world systems are intentionally configured to ignore ping requests. Do not assume something is wrong with the lab setup simply because the server is not responding to a ping.
In Figure 5.1, I am using a wireless router and a laptop for the lab configuration used throughout Part II of this book. Although I have found this to be the most convenient setup for my own personal use, the wireless router can certainly be replaced with a wired router, and the laptop can be replaced with a desktop.
Figure 5.1 is a graphic representation of the penetration test lab with the proper configuration for each device.
FIGURE 5.1. PenTest Lab Configuration for De-ICE 1.100 LiveCD
This LiveCD is configured with an IP address of 192.168.1.110 – no configuration of the server is necessary. The scenario for this LiveCD is that a CEO of a small company has tasked you to do more extensive penetration testing of systems within his company. The network administrator has reconfigured systems within his network to meet tougher security requirements and expects you to fail in any further penetration attempts. This system is an ftp server used by the network administrator team to create/reload systems on the company intranet. No classified or sensitive information should reside on this server. Through discussion with the administrator, you found out that this server had been used in the past to maintain customer information but has been sanitized (as opposed to rebuilt).
The PenTest Lab system and the PenTest machine must connect to a router that has been configured with the same values as found in disk 1.100. Figure 5.2 is a graphic representation of the penetration test lab with the proper configuration for each device.
FIGURE 5.2. PenTest Lab Configuration for De-ICE 1.110 LiveCD
This LiveCD is configured with an IP address of 192.168.2.100 – no configuration of the server is necessary. The scenario for this LiveCD is that you have been given an assignment to test a company's 192.168.2.xxx network to identify any vulnerabilities or exploits. The systems within this network are not critical systems and recent backups have been created and tested, so any damage you might cause is of little concern. The organization has had multiple system administrators manage the network over the last couple of years, and they are unsure of the competency of previous (or current) staff.
The PenTest Lab system and the PenTest machine must connect to a router that has been configured with the following values and is a bit different than the 1.100 and 1.110 disks:
Figure 5.3 is a graphic representation of the penetration test lab with the proper configuration for each device.
FIGURE 5.3. PenTest Lab Configuration for De-ICE 1.110 LiveCD
A penetration test lab may include wireless access points to provide the pentest engineers an environment to test wireless hacking techniques. In cases where wireless access points are desired, it is important to secure systems within the lab, since access to wireless signals extends beyond walls and floors. To protect systems from unauthorized access, two separate labs should be created—a wireless lab designed to practice wireless hacking and a separate lab that can be used to conduct system attacks. The wireless lab should only be used to train on wireless hacking techniques or to perform tests on custom configurations.
In those situations where there are multiple wireless access points in the vicinity of your wireless lab, utmost care is required to make sure access to the lab’s wireless network is controlled, using strong encryption and strong authentication methods at a minimum. Current technology, such as Wi-Fi Protected Access, should be standard practice in setting up and running a wireless penetration test lab. Strong security and an isolated wireless network not only protect the data within the penetration test lab but also protect anyone accidentally connecting to the lab, especially in those instances where viruses, worms, or botnets are being used for testing purposes.
Although these are by no means the only security concerns within a lab, they are important to understand and implement as appropriate. As a side benefit, by implementing encryption solutions within our own lab environment, we develop additional skills in understanding how these same encryption solutions may be employed at our clients’ sites.
The external penetration test lab follows the principle of “defense in depth.” You must make sure you build an external penetration test lab to reflect this concept. That means you need to include a firewall as a bare minimum. Designed to keep the bad guys out, a firewall can be a difficult boundary to get past. However, as with most things in life, there are exceptions. Often, it becomes necessary for firewall administrators to create gaps in the firewall, allowing traffic to enter and leave the network unfettered. There is usually a business reason for having the hole opened, but sometimes holes are left open by accident, or because there is an expectation of future need.
In external penetration tests, the object is to see whether there is a way to penetrate past various obstacles in the network and gain access to a system behind these defenses. This is a much more difficult scenario, but one that you need to practice: even though it is difficult, it is still achievable, and knowing how it is achieved gives you the ability to prevent it in the future.
Other defenses include the use of a Demilitarized Zone (DMZ), proxies, the Network Address Translation (NAT) mechanism, network intrusion detection systems, and more. Naturally, the more defenses you include in this lab, the closer you get to mimicking real-world corporate networks.
Although this type of network is very realistic, it can also be the most daunting for the uninitiated. For those penetration test teams that have access to network design architects, it would be extremely beneficial to solicit their advice before building this type of lab.
A professional penetration test lab used to identify and exploit zero-day vulnerabilities will have different archival requirements than labs used to identify and exploit publicly available vulnerabilities.
If we are archiving a virtual machine, we can simply save the current state of the system with little hassle.
If we are running in a nonvirtual system, we may need to archive the entire system since we cannot be sure what the malware modified.
Before we create any virtual machines or ghost images, licensing issues need to be included in decisions on how to archive our lab.
Virtual images can be returned to their original state in a matter of minutes, whereas ghost images take significantly longer time to revert.
Much of the more advanced malware tries to detect the system environment before executing and will not run in virtual machines; the use of ghost images saves time that would otherwise be spent rebuilding systems in a malware analysis lab.
If we do not properly sanitize a lab at the conclusion of a penetration test, we may have residual, sensitive client information on our systems.
It is difficult to distinguish one virtual or ghost image from another; if we use server images, we need to generate our own hash values and add them to our list of hashes used in the penetration test lab.
This chapter discusses some of the general concepts surrounding penetration test labs (PenTest labs) and how to set up different PenTest labs. The primary purpose of personal labs is education, and they can be used to recreate exploitations against both proprietary and Open Source software and Operating Systems. Corporate labs, however, are used to identify system vulnerabilities within internal and external networks. Cost is usually a driver in trying to keep personal labs small and manageable. Unless there is a need to include a lot of equipment, labs can reside on a single system using virtual machine applications. Open Source software is often sufficient in personal labs to learn hacking techniques, including system, application, database, and Web attacks, unless there is a need to obtain proprietary software. The exact architecture surrounding PenTest systems in a corporate lab will differ depending on the business needs of the company and the sensitivity of the data collected during a penetration test. The purpose behind internal penetration tests is to identify vulnerabilities that are susceptible to attack from the “insider threat.” In external PenTest projects, the objective is to identify ways to penetrate past various obstacles (such as firewalls and intrusion detection systems) in the network and gain access to systems behind these defenses. All applications and software downloaded for use in a PenTest lab should be verified using a hash function to protect the PenTest assets and client information.
As a penetration tester, you need a lab to perform some types of testing as well as to perfect your own skills. In this chapter, we talk about penetration test labs, what they are comprised of, and how to build them. Safety is a primary topic in the chapter as well, due to the potential dangers of having an insecure penetration test lab. A number of tools associated with penetration test labs will be discussed, as well as technologies such as virtualization that can help reduce the cost of building a lab. By the end of the chapter, you should be able to build your own safe penetration test lab and master the tools that have been covered throughout this book.
At the end of a penetration test, we need to make sure that there is no residual data left behind that may affect the next penetration test. If we rebuild all systems from the ground up, we should theoretically have a clean environment; however, even when we rebuild our system using installation and patch disks, we must make sure that we have a “clean shop,” in case we run into a penetration test where we may need to prove sound procedures (such as the discovery of illegal activities, research, or malware analysis).
If we are not conducting research or malware analysis, we may still need to make sure everything in the lab is sanitized of old data. If we used the lab in the course of a professional penetration test, we may have client information that is sensitive on our systems. This could be in the form of network appliance configurations, Internet Protocol addresses, and applications used by the client; all this information could benefit a malicious user in trying to understand our client’s network. By making sure that our lab is “clean,” we protect ourselves and our clients.
When we sanitize target systems, we need to concern ourselves with many components, including hard drives, system memory, and (theoretically) the basic input/output system (BIOS), depending on why we use the penetration test lab. The hard drives could contain numerous pieces of customer data and should be wiped before reuse. The safest way to remove data from any nonvolatile storage device is to overwrite it. One Open Source tool for this is DBAN, available at www.dban.org, which is a boot disk that will wipe any hard drive found on a system. Our copy of BackTrack also includes an application called shred, which will overwrite any file, or the entire hard drive if desired.
It is easy to inadvertently delete the wrong data on a system, resulting in a complete system crash (trust me … I’m talking from personal experience). Be very careful when destroying any file, and have a backup of critical data.
Figure 5.17 is the output of shred’s help file. The warning should be noted, since it may impact the ability to properly destroy a file—shred may not work in some file systems. There are other alternatives to shred, including some commercial utilities; however, shred will work in most cases.
In Figure 5.18 , we launch shred and target the /tmp/netcat/output file on the Hackerdemia LiveCD. We could launch shred against the entire local hard drive if we preferred, ensuring all our lab data is destroyed. In our example using shred, we will only tell the application to write over the file three times, simply to save time; however, we could use the default (25) or a higher number if we are sufficiently paranoid.
Figure 5.18. Launching shred on the /tmp/netcat/output file.
A good source for ideas on how to sanitize digital media can be found at the National Institute of Standards and Technology’s (NIST) Computer Security Division. Special Publication 800-88 provides guidelines on sanitizing data and can be found at http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_with-errata.pdf .
If we examine the /tmp/netcat/output_file before using shred (as seen in Figure 5.18 ), we see that the file size is 17 bytes and contains a single line—“File to download.” Once we run shred, the file size changes to 4094 bytes, and the file contains random data. The difference in final size is related to disk design and sector size. To ensure that all data is destroyed, all sectors containing the file data are sanitized.
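The size change described above follows from the storage layer working in whole blocks rather than bytes. The following Python, added here as an illustration and not taken from the book, reproduces the observation with a minimal shred-style overwrite of a constructed temporary file: it rounds the logical size up to the block size reported by `fstat`, overwrites the allocated blocks the requested number of times with random data, and returns the final size. Like shred, it gives no guarantee on journaling, copy-on-write or SSD-backed storage, where older copies of the data may survive elsewhere.

```python
import os
import tempfile


def overwrite_file(path: str, passes: int = 3) -> int:
    """Overwrite `path` in place `passes` times with random bytes.

    The write length is rounded up to the filesystem block size so the
    whole allocated block is covered (the reason a 17-byte file grows to
    a full block after shredding). Returns the final size in bytes.
    Caveat: on journaling, copy-on-write or wear-levelled storage old
    copies may persist; full-disk wiping is the reliable fallback.
    """
    with open(path, "r+b") as fh:
        st = os.fstat(fh.fileno())
        block = getattr(st, "st_blksize", 4096) or 4096
        # Ceiling division: smallest whole number of blocks covering the file.
        size = max(block, -(-st.st_size // block) * block)
        for _ in range(passes):
            fh.seek(0)
            fh.write(os.urandom(size))
            fh.flush()
            os.fsync(fh.fileno())  # push each pass to the device before the next
    return os.path.getsize(path)


def demo() -> tuple:
    """Constructed reproduction of the chapter's before/after observation.

    Returns (size_before, size_after, final_contents).
    """
    fd, path = tempfile.mkstemp()  # constructed stand-in for /tmp/netcat/output
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"File to download\n")  # 17 bytes, as in the book's example
    before = os.path.getsize(path)
    after = overwrite_file(path, passes=3)  # three passes, as the chapter chose
    with open(path, "rb") as fh:
        contents = fh.read()
    os.unlink(path)
    return before, after, contents


if __name__ == "__main__":
    size_before, size_after, data = demo()
    print(f"before: {size_before} bytes, after: {size_after} bytes")
    print(f"original text still present: {b'File to download' in data}")
```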
System memory can contain malicious applications, such as backdoor agents. When we use some pentesting tools that reside in memory (like CORE IMPACT’s or Metasploit shells), we are able to exploit vulnerabilities and inject shell accounts into memory. The shell applications would remain in memory as long as the system remains running. If we rebooted the system, the application would go away.
Clearing system memory is pretty straightforward since a reboot will accomplish our need for a clean environment. The only complexity is when a reboot should be launched. If a malicious application is launched into memory at bootup, we need to make sure all the files on a system are sanitized before reboot; otherwise, we will simply reinfect the system with the malware. The best way to ensure complete sanitization is full-disk wipes, which will prevent reinfection. Other than a complete sanitization, we may need to do some forensic analysis to determine if our systems are clean. The effort we are willing to put into determining the infection state of a system depends on what we are doing in the lab; we may not do much work sanitizing a system if we don’t use malware.
When using malware in a penetration test lab , we need to be careful when removing the malicious application. Malware will often include methods for reinfecting the host, in case the code is detected. Be sure to follow removal instructions (found at many different virus-scanning software developers) when trying to uninstall any imported malware.
There are some examples of BIOS malware that can inject code into our lab systems. Current BIOS hacks involve injecting code into the BIOS that effectively makes the system inoperable. Although losing a system to a BIOS attack would be inconvenient at best, right now we don’t have to worry about clearing the system BIOS. It is possible that in the future we may need to worry about BIOS data; vendors have made BIOS updates convenient, however, and reflashing the BIOS might become a regular procedure when sanitizing lab systems.
Once we have removed all the data on our systems and begin to rebuild, we need to ensure that we are using vendor-provided applications and OSes before proceeding. In Chapter 4, we discussed the use of hashes in validating our installation disks and applications used in our lab, and we will need to continue the process of file validation once we have sanitized our systems and begin to rebuild.
However, what about the virtual and ghost images that we create ourselves? It is difficult to distinguish one virtual or ghost image from another, so to provide some level of assurance a method must be in place that allows pentest engineers to clearly identify one image from another. We can generate our own hash values using MD5 and add them to the list of hashes used in the penetration test lab.
If the lab was used to analyze malware, we may want to create hashes of system applications and compare the hash value to its original value. By comparing the new and original hash values, we can detect any file modifications that we may not have identified during the course of our investigation.
If the malware installs a rootkit, we cannot rely on the hash values to be accurate. Rootkits may intercept our hash request and respond with incorrect data, in the hope that we do not detect the presence of the rootkit.
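The hash-based check the preceding paragraphs describe, as an added Python example that is not from the book: build a baseline manifest of a lab image or system tree, rebuild it later, and report what changed. It uses SHA-256 rather than the MD5 the chapter mentions (MD5 collisions are practical), and the demo directory and files are constructed; because of the rootkit problem above, run such a check from a trusted boot medium against the unmounted image rather than from inside the system being checked.

```python
import hashlib
import os
import tempfile


def hash_file(path: str, chunk: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so large images do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every regular file under `root` (relative path) to its digest.

    Symlinks are skipped so a link cannot stand in for a real binary.
    Run this from a trusted environment: a rootkit in the running OS can
    feed the hashing process the original file while the on-disk copy differs.
    """
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def verify(baseline: dict, current: dict) -> dict:
    """Compare two manifests and report what changed since the baseline."""
    modified = [p for p in baseline if p in current and baseline[p] != current[p]]
    return {
        "modified": sorted(modified),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small lab 'image' tree, then change it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        files = {"bin/ls": b"ls-binary-v1", "bin/ps": b"ps-binary-v1",
                 "image.vmdk": b"constructed-disk-image-bytes"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = build_manifest(root)
        # Changes an analysis run might leave behind: a system binary
        # replaced, an unknown file dropped, and an image deleted.
        with open(os.path.join(root, "bin/ps"), "wb") as fh:
            fh.write(b"ps-binary-modified")
        with open(os.path.join(root, "bin/unknown"), "wb") as fh:
            fh.write(b"not in baseline")
        os.unlink(os.path.join(root, "image.vmdk"))
        return verify(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>9}: {paths}")
```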
Things tend to change—applications are updated and OSes are patched. When a lab is cleaned up for the next round of tests, it may not be necessary to completely sanitize a system. In fact, the amount of work cleaning a lab should be relative to what activity we plan for the lab—it doesn’t make sense to delete all contents of a hard drive if we only modified a coup