Penetrating a Network/System: An Offence & Defense Study Proposal Presentation for Secure Wired & Wireless Networks Project By Maneesh Venu Gopal 

Hacking?  Hacking is the unauthorized break in into computers/networks ...  Usually done by a bad guy (a.k.a Black Hat).  Its not magic. It has a methodology.  Many different Techniques (often change over time).  New vulnerabilities are found (therefore new attacks over time). 

Penetration Testing?  Testing the security of systems and architectures by a white hat from a hacker’s (a.k.a black hats) point of view.  A “simulated attack” with a predetermined goal.  Telling too many people may invalidate the test. 

Procedure  Same methodology  Same tools can be used  Ping, Tracert, Whois, Nslookup, Dig, many more …  External/Internal  External view (hacker)  Internal view (disgruntled employee) 

Methodology  Reconnaissance  Enumeration  Fingerprinting  Identification of Vulnerabilities  Attack  Exploit the Vulnerabilities  Wipe off Traces  Get out 

Access Points to Your Network  Internet gateways  Modems  Wireless networks  Physical entry  Social engineering 

Security Devices/Personnel  Firewalls  DMZ  Intrusion Detection Systems  Intrusion Prevention Systems  Anti Malware Apps  Administrators (who are monitoring)  Routers  Subnets  Access Control Lists 

Limitations  Not an alternative to other IT security measures.  It complements other tests.  Does not substitute other security measures.  Not a guarantee of security.  It’s only valid for the period tested. 

Lessons Learned / Benefits  Illustrates how a combination of factors can lead to a security breach.  Know the tools  COTS  Shareware/Freeware  Gets management’s attention.  Great educational opportunity for audit staff. 

References  Barnett, R. J. and Irwin, B. 2008. Towards a taxonomy of network scanning techniques. In Proceedings of the 2008 Annual Research Conference of the South African institute of Computer Scientists and information Technologists on IT Research in Developing Countries: Riding the Wave of Technology (Wilderness, South Africa, October 06 - 08, 2008). SAICSIT '08, vol. 338. ACM, New York, NY, 1-7.  Teo, L. 2000. Port Scans and Ping Sweeps Explained. Linux J. 2000, 80es (Nov. 2000), 2. 

Thank You! 

Questions?