Sql injection pen_test_07_2011_teasers
Upcoming SlideShare
Loading in...5
×
 

Sql injection pen_test_07_2011_teasers

on

  • 562 views

 

Statistics

Views

Total Views
562
Views on SlideShare
562
Embed Views
0

Actions

Likes
0
Downloads
25
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Sql injection pen_test_07_2011_teasers Sql injection pen_test_07_2011_teasers Document Transcript

  • 07/2011 (7) November
  • EDITOR’S NOTE 07/2011 (07) Halloween injected! The masquerade is on. Therefore, we’ve decided to bring you a little longer edition of PenTest. This time 61 pages about SQL Injection, Fuzzing and other interesting stuff. Let’s than have a closer look at what we have prepared for you in November’s edition. We’re starting with the main topic – SQL Injection. Two articles, but altogether 16 pages describing practical side of this technique. First one, written by Sow Ching Shiong, focuses on using Open Source and Free Tools for both TEAM Windows and Linux. Second one, whose author is Christopher Payne, will show you how to “inject your way to success”. The Managing Editor: Maciej Kozuszek maciej.kozuszek@software.com.pl author starts with a simple example of sql injection, describes it’s various types and ends the article writing about defending Associate Editor: Shane MacDougall shane@tacticalintelligence.org against sql injection. This is injection of a really large dose of Betatesters / Proofreaders: Davide Quarta, Rishi Narang, knowledge. See for yourself! Scott Christie, Ed Werzyn, Jeff Weaver, Aidan Carty In the next section of this issue we’ve decided to continue the Fuzzing topic, as it occurred to be much broader field Senior Consultant/Publisher: Paweł Marciniak than we thought. Here, you will find three papers written by: CEO: Ewa Dudzic Mrityunjay Gautam, Jose Selvi, and Sagar Chandrashekar. ewa.dudzic@software.com.pl The first one is devoted to the theory of fuzzing, but also gives us some insight in some fuzzing tools, so it’s a great Art Director: Ireneusz Pogroszewski introduction into two another articles. In the second one Jose ireneusz.pogroszewski@software.com.pl DTP: Ireneusz Pogroszewski is bringing us some useful information about not so popular fuzzing tool called Sulley. And the last one is a thorough Production Director: Andrzej Kuca description of another tool called WebScarab. andrzej.kuca@software.com.pl If you’ll jump to a page No 38, you’ll find yourself in third Front page photo by: www.scribbletime.com section, Focus. This section is a continuation of a huge Publisher: Software Press Sp. z o.o. SK article by Jonathan Brossard, where he describes a tool 02-682 Warszawa, ul. Bokserska 1 called Pmcma (Post Memory Corruption Memory Analysis). Phone: 1 917 338 3631 www.pentestmag.com This one is aimed especially in those interested in reverse engineering. Whilst every effort has been made to ensure the high quality of The next article called Maximizing the Value of Pentesting the magazine, the editors make no warranty, express or implied, is obligatory for all those who work in IT Security business, concerning the results of content usage. All trade marks presented in the magazine were used only for and especially for those conducting any forms of penetration informative purposes. tests or vulnerability assesments. This piece is a great talk about the quality of services in this business, and how should they be improved. Finally at the end of this issue you will find an interview with Dean Bushmiller, professional with a great experience and not All rights to trade marks presented in the magazine are a lesser knowledge. reserved by the companies which own them. To create graphs and diagrams we used program Unfortunately this time our collumnist Shane McDougall by couldn’t provide us with the article due to the unforeseen circumstances. His articles will surely appear in the future issues. Mathematical formulas created by Design Science MathType™ We hope, you will find this issue of PenTest compelling and worthful. DISCLAIMER! The techniques described in our articles may only Thank you all for your great support and invaluable help. be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss. Enjoy reading! Maciej Kozuszek & PenTest Team07/2011 (7) November Page 3 http://pentestmag.com
  • CONTENTSSQL INJECTION WebScarab is a framework maintained by OWASP. It helps security engineers, developers to identify vulnerabilities SQL Injection Pen-Testing06 and bugs in web applications. It is written in Java, and is by Sow Ching Shiong thus portable to many platforms. The author focuses onSQL Injection is an attack in which the attacker describing how does the WebScarab Tool work like.manipulates input parameters which directly affectan SQL statement. This usually occurs when no input FOCUSsanitisation is conducted. Depending on permissions, an Introduction to exploit automation 38attacker may be able to read database contents or evenwrite to the database. In this article, the author will show with Pmcma, Part IIyou how to perform SQL injection pen-testing using open by Jonathan Brossardsource and free tools available for Windows and Linux. This year a tool called Pmcma (Post Memory Corruption Memory Analysis) was released at the Blackhat US security SQL Injection: Inject Your Way to16 conference. The following article is an introduction Success to Pmcma. The second part of the article describes by Christopher Payne pmcma.c implementation, focusing on attacking functionDatabases are the backbone of most commercial websites pointers, simulating arbitrary reads, detecting unalignedon the internet today. They store the data that is delivered memory accesses and finally automating analysis andto website visitors (including customers, suppliers, exploitation scenarios. The author made a serious effortsemployees, and business partners). Backend databases to provide you all the details concerning this tool, thatcontain lots of juicy information that an attacker may be you might need.interested in. Here the author makes a great introductioninto the art of SQL Injection. STANDARDFUZZING Maximizing Value in Penetration 50 Testing Fuzzing for Free by Ed Skoudis24 by Mrityunjay Gautam The penetration testing business faces a great danger asAs a developer working on a product release, we tend more and more people jump into the field offering veryto re-use most of the legacy code from the previous low-value penetration tests that are little better than anrelease and then work on the new features and bug-fixes automated vulnerability scan. In this article, we’ll discussonly. As a QA resource, we would be using the same how to conduct your tests and write up results so that“conformance test suite” or the same “stress test suite” they can provide significant business value to the targetto ensure that the new builds are working as expected. In organization. The author will surely convince you thatthis article the author gives us the good insight into the the quality of your services is what really matters in thistheory of the art of fuzzing. business. Fuzzing With Sulley INTERVIEW28 by Jose Selvi Interview with Dean Bushmiller 56Can you write a simple python script? Can you understanda network protocol and describe it using a simple object by Aby Raoset? If so, you can find your own 0-day vulnerabilities! Dean currently consults on information assurance andIn this article we are going to describe how we can use operational security. Proving insecurity by penetrationSulley Fuzzing Framework with a real vulnerable FTP testing is a natural part of consulting. He focuses onServer. As it is mentioned above, the author presents you converting the business philosophy of „security is anhow to use the Sulley Tool. obstacle” to „security is a money maker”. He has served on 6 beta testing teams. He is the subject matter expert Fuzzing With WebScarab32 on the 10 domains of the CISSP official curriculum. In this by Sagar Chandrashekar interview Aby talks with Dean about his career, coursesIn order to follow along with the fuzzing exercises in he’s leading and his statement about today’s securitythis article, you will need a fuzzer and fuzzing target. business condition.WebScarab will be our fuzzer and WebGoat webapplication is our target. WebScarab and WebGoat canbe installed on both Linux and Windows machines. 07/2011 (7) November Page 4 http://pentestmag.com View slide
  • 07/2011 (7) November View slide
  • SQL INJECTIONSQL Injection Pen-Testingusing Open Source and Free ToolsSQL Injection is an attack in which the attacker manipulates inputparameters which directly affect an SQL statement. This usuallyoccurs when no input sanitisation is conducted. Depending onpermissions, an attacker may be able to read database contents oreven write to the database.I n this article, the author will show you how to perform The program is able to identify error and Boolean- SQL injection pen-testing using open source and based SQL injection problems, as well as uncovering free tools available for Windows and Linux.SQL Injection Tools for WindowsNetsparker community edition is a powerful webapplication vulnerability scanner, which can detect andreport potential website security problems and allowyou to resolve them before they are used by hackers. Figure 3. Netsparker community edition successfully obtained the version of back-end databaseFigure 1. Netsparker community edition main screenFigure 2. Netsparker community edition scan results Figure 4. Havij free version main screen 07/2011 (7) November Page 6 http://pentestmag.com
  • SQL INJECTIONSQL Injection: InjectYour Way to SuccessSELECT * FROM winners WHERE pentester = ‘YOU’ or 1=1--’SQL Injection is one of the many web attack mechanisms usedby hackers to steal data from organizations. SQL Injection is oneof the most common vulnerabilities in web applications today.It is (as of the time of writing) ranked as the top web applicationsecurity risk by OWASP[1].D atabases are the backbone of most commercial a myriad of user submit able forms and the delivery of websites on the internet today. They store dynamic web content. Many of these features users take the data that is delivered to website visitors for granted and demand in modern websites to provide(including customers, suppliers, employees, and businesses with the ability to communicate customers.business partners). Backend databases contain lots These website features are may be susceptible to SQLof juicy information that an attacker may be interested Injection attacks and are good place to start during ain. Data such as: User credentials, PII, PII, confidential pentest engagement that includes a web applicationcompany information, and anything other data that a testing component.legitimate user may need access to through a webportal. At its most basic form, web applications allow A Simple SQL Injection Examplelegitimate website visitors to submit and retrieve Take a simple login page where a legitimate user woulddata over the Internet using nothing more than a enter his username and password combination to enterweb browser which allow the internet to be the giant a secure area to view his personal details or upload hisconsumer market that it is. comments in a forum. SQL Injection is the attack technique which When the legitimate user submits their information,attempts to pass SQL commands through a web a SQL query is generated from this information andapplication for execution by the backend database. submitted to the database for verification. The webIf not sanitized properly, web applications may result application in question that controls authenticationin SQL Injection attacks that allow hackers to view will communicate with the backend database throughor modify information from the database. The attack a series of commands to verify the username andtries to convince the application to run SQL code password combination that was submitted. Oncethat will result in access that was not intended by verified, the legitimate user should be granted thethe application developers. The attacker uses SQL appropriate access for their account to the webqueries and creativity to bypass typical controls that application.have been put in place. Through SQL Injection, the attacker may input Common web application features introduce the SQL specifically crafted SQL commands with the intent ofinjection attack vector. These features include login bypassing the login form authentication mechanism.pages, search pages, e-commerce checkout systems, This is only possible if the inputs are not properly 07/2011 (7) November Page 16 http://pentestmag.com
  • 07/2011 (7) November Page
  • FUZZINGFuzzing for FreeState of Art and Upcoming ResearchAs a developer working on a product release, we tend to re-usemost of the legacy code from the previous release and then workon the new features and bug-fixes only. As a QA resource, wewould be using the same “conformance test suite” or the same“stress test suite” to ensure that the new builds are working asexpected.B ut what troubles us the most is that some researchers. Here, in this article, we would discuss some security researcher (or hacker, as some of state of the art open source tools which can be used for us prefer to call them) sends an email to your fuzzing networks, files and activeX controls.security response team telling about an exploitable Fuzzing is one of the most commonly used techniquesbuffer overflow in your product. for identifying security flaws in any application. The entry Some of us think that the researcher actually reversed points for user controlled or tainted data is identified inengineered the code to find this issue; or he has access the application. These are files, registry entries, emails,to some very specialized hardware and software to spot network sockets, activex controls, dll, etc, typically thethese issues. The reality is far more simple and cost- places where any attacker controlled data can entereffective. In this article, we would talk about a few open into the system and the application starts processing it.source tools which are used by security researchers to Fuzzers typically have a stored dictionary of strings andspot vulnerabilities in our products even if they have integers which it uses at appropriate places iteratively. Ifzero or a very minimal knowledge of the product. the fuzzer identifies some part of the input as a variable string, it would try all possible values of strings from itsIntroduction dictionary and further mutations of these strings. TheseWith companies like ZDI out there in the market to pay strings typically target standard vulnerability classesfor every vulnerability you find, the motivation to work like buffer overflow, format string vulnerability, directoryin security research has gone exponentially high in the traversal, sql injection, xss injections, command injections,last few years. The model of payment by ZDI and many etc. All of these can be grouped as implementation levelsimilar companies is that, if you disclose an exploitable flaws only. Another class of vulnerability is design levelvulnerability to ZDI with its proof of concept (PoC), you get vulnerability. If there is a design flaw in a network protocolpaid anything from 5000 USD to 40000 USD depending which allows for a man-in-the-middle attack, it can neveron the width of deployment of the product targeted and be detected by a fuzzer. Hence, by definition, fuzzers arethe severity of the issue. Hence, if you can compromise intended to target implementation level flaws only.a machine by exploiting some product on it from thenetwork, the money you get it quite decent. Hence, Network Fuzzersthe general interest in identifying network, file and web One commonly targeted attack surface is networkbased vulnerabilities is consistently growing amongst the protocols. In the industry, we either have implementation for 07/2011 (7) November Page 24 http://pentestmag.com
  • FUZZINGFuzzing With SulleyCan you write a simple python script? Can you understand anetwork protocol and describe it using a simple object set? If so,you can find your own 0-day vulnerabilities!In this article we are going to describe how we can use SulleyFuzzing Framework with a real vulnerable FTP Server. Check it, tryit on your own software, and... enjoy, of course.F uzzing is a technique used in software security Sulley provides the tester with a... powerful framework testing in which lots and lots of abnormal input where he can describe, using a simple grammar, the data are sent to the software, in order to produce protocol to fuzz, and then the framework generates aerrors in normal software operation. complete set of tests based on mutations of the given Since a software error is usually a potential security grammar. Each test of this set is checked againstthreat, Fuzzing is a great technique to detect security the fuzzed software, while other components of theflaws. Fuzzing is usually used by attackers in order to framework are monitoring all processes and networkdiscover unknown vulnerabilities, but also can be used events related with each test.by security staff or software deverlopers, in order to test When an abnormal response happens, Sulleytheir software strenght against this kind of attacks. Framework stores all data related to the crash, so the tester has all the information regarding the CPU registers, stack,Sulley Fuzzing Framework network, and much more. It can be very useful in order toSulley is an Open Source project, written in Python, that understand the weakness and correct (or exploit) it.try to be a new standard in fuzzing software.Figure 1. Sulley from Monsters Inc. Figure 2. Sulley Architecture 07/2011 (7) November Page 28 http://pentestmag.com
  • FUZZINGFuzzing withWebScarabAlthough there are ample techniques to identify vulnerabilitiesin software, fuzzing is the best technique as it is cost effectiveand enhances software security as it often finds odd lapses andvulnerabilities through automated or semi-automated processfollowed by manual expert reviews.F uzzing is all about finding vulnerabilities or errors There are different fuzzing methods depending on how in applications, operating systems and networks the fuzzer is used depending on the input parameters. by injecting large amount of arbitrary data, calledfuzz. A Fuzzer is a tool which successively picks a Session Fuzzingvalue from a fuzz template to replace user-specified Session fuzzing involves analysis of valid sessions ofparameters in a request sent to the server. Response the application or the server. During fuzzing, preferredfrom the server is manually reviewed to identify parameters or parts of the session are altered and sentvulnerabilities or errors. to the server or application. Since this method enables fuzzer tool to change data that already exists, it isIntroduction To Fuzzing possible that the application will go into an uncertainWhy fuzzing? Where does it fit? What are its state which results in a security vulnerability.limitations? Example: Incrementing session ids of a web Vulnerability scanners are imprudent; they discover application.known security issues and other low hanging fruit.Fuzzing along with penetration testing covers this gap Explicit Fuzzingand discovers unknown vulnerabilities. Fuzzing is one Explicit fuzzing involves building of specific fuzzingof the techniques for automating security assessment. tools for specific applications or servers. It is possible to enumerate the target which may go into an uncertainFuzzing Overview And Requirements state which results in a security vulnerability.Fuzzing enables security engineers, developers and Example: Fuzzing FTP server with FTP Fuzzers.testers to locate defects, errors, and vulnerabilitiesproduced by abnormal values via user inputs. Fuzzing Generic Fuzzingcovers the vital attack surfaces in a system fairly well, Generic fuzzing involves tool analysis to identifyidentifies many common errors, probable vulnerabilities vulnerabilities on array of protocols, but they are not asquickly and economically. Fuzzing is useful in evaluating efficient as explicit fuzzing. Generic fuzzing involves lotblack box systems, as it does not involve any access to of manual inputs from the users and only experiencedsource code and can be performed without knowing the users can able to use these types of tools.inner mechanism of the target system. Example: Protocols Fuzzing Tools such as Spike 07/2011 (7) November Page 32 http://pentestmag.com
  • FOCUSIntroduction toExploit Automation With Pmcma (Part II)Earlier this year, we released a tool called Pmcma (Post MemoryCorruption Memory Analysis) at the Blackhat US securityconference. The tool is available free and open-source at http://www.pmcma.org/ under the Apache 2.0 license. The followingarticle is an introduction to Pmcma. In addition advanced readerscan refer to the full Blackhat whitepaper mirrored on the Pmcmawebsite[0].T he second part of the article describes pmcma.c write condition), and an other (either the process exit, or implementation, focusing on attacking function the return to this very same instruction in case of loops). pointers, simulating arbitrary reads, detecting To detect those, we’re going to use the mk_fork()unaligned memory accesses and finally automating technique. The algorithm is as follows: see Listing 3.analysis and exploitation scenarios. To the best of my knowledge, this is the first proposed technique to exhaustively enumerate all the functionAttacking Function Pointers pointers inside a process between two points in time.Now that we have a way to experiment on various By default, pmcma uses the valid 0xf1f2f3f4 as amodifications of a given process’ and address space, remarkable value, which is obviously never correct fromhow do we find function pointers? Well, let’s get back userland, and is quite remarkable, hence limiting falseto the definition of a function pointer... It is a variable, positives. This value can be changed from the commandhence in a writable section, which points to a function. line. Let’s see how this would work inside pmcma on aThe majority of times a function starts with a standard simple example, by listing the function pointers from aepilogue. And they all are in executable sections. given point in /bin/su: see Listing 4. So what we do (in pseudo code) is: see Listing 2. So using the strict mode, we found 0 potential function Two things are worth mentioning: first of, we may miss pointer to overwrite: Fortunately, in such a case, thea few pointers if we use this algorithm, because some application will then try the relaxed mode: see Listing 5.functions may not start with a standard prologue. This was We found 5 function pointers that are actually beinganticipated, and pmcma allows to test all of the pointers to dereferenced by /bin/su before exiting. To verify we+X zones pointing to a valid assembly instruction just by actually got something relevant, we can read thepassing it the –relaxed flag. This is very time saving and message logs from the kernel:works well in practice though. Secondly, the list of pointerswe get this way (by a pure static analysis) is w list of _ jonathan@blackbox:~$ dmesg |tail -n 1potential_ function pointers. They may just happen to bevariables to luckily point to a valid function’s entry point. [ 7472.786312] su[20879]: segfault at f1f2f3f4 ipMore importantly, it doesn’t give us the list of function f1f2f3f4 sp bfcab4e8 error 15pointers actually being dereferenced between a givenpoint in time (eg: the one where we found, say, an invalid jonathan@blackbox:~$ 07/2011 (7) November Page 38 http://pentestmag.com
  • STANDARDMaximizing Value inPenetration TestingThe penetration testing business faces a great danger as moreand more people jump into the field offering very low-valuepenetration tests that are little better than an automatedvulnerability scan. In this article, we’ll discuss how to conductyour tests and write up results so that they can provide significantbusiness value to the target organization.I f you are an in-house penetration tester in an results that make an effective argument for changing enterprise, providing more business value through things in their environment. your work can help improve your job security in a Although there is, sadly, a distinct market segment oftumultuous economy, and, better yet, may help you enterprises that desire the RCPT, other organizationsland that fat raise you’ve been hoping for. If you are a demand more business value for the penetrationthird-party penetration tester, providing more business testing expenditures, as they should. As a penetrationvalue can lead your career to the point where you will tester, yes, you could take the easy way and delivercommand a higher bill rate. What’s not to like? low-quality results from low-quality tests, catering I read a lot of penetration testing reports. In my work to the RCPT market. But, I’m hoping you’ll strive toas an expert witness analyzing large-scale breaches, I’m do better. I strongly believe that it’s in all of our bestregularly called upon to look at the previous five years of interest to do so. If the RCPT comes to dominate andpenetration testing and vulnerability assessment reports tarnish the definition of a penetration test, we’ll all beof a large number of companies. Also, in my own pen worse off. Fewer organizations will want to employ ustesting work with my team, I review many of my team’s for the high-quality work we all love to do.reports, as well as take a critical eye to my own reporting The folks working on the Penetration Testingoutput, always with the goal of making our results better Execution Standard (PTES) have done some fantasticand more meaningful. In any given week, I read between work in defining procedures for conducting thorough,two and five pen testing reports, and I spend a lot of time high-value penetration tests, and I celebrate their work.thinking about their effectiveness. What I’d like to focus on in this article, however, is tips And, I’ve got to tell you, a lot of penetration testers for helping to maximize the business value of yourgenerate absolutely horrible reports. Some of them penetration testing results, especially in the report itself.are little more than regurgitated vulnerability scanning Look, most penetration testers can scan and exploit aresults, all packaged up and labeled as Penetration Test target environment. But what really differentiates theResults. Admittedly, some organizations desire what I best of the best from the merely good is the abilitylike to call the RCPT, the Really Crappy Penetration to provide value and drive change that helps anTest. That is, they want to procure a test so that they organization improve its security stance. That has to becan check off a compliance box saying that they got our relentless focus, as we strive to avoid the pit of thea penetration test, but the last thing they want is test RCPT. 07/2011 (7) November Page 50 http://pentestmag.com
  • Keeping the Main Thing the Main Thing: It’s even that very important level of access is still a meansNot All About Shell or Even Domain Admin… to the end of demonstrating business risk. DecisionIt’s Really About Business Risk makers in management of the target organization likelyAs penetration testers, our hearts dance when we pop will not understand the risks they face if their penetrationa target box, getting that much-coveted shell access testers tell them that an attacker can conquer shellto the machine. You know it and I know it. But please on a machine or even Domain Admin rights on theirrealize that merely compromising machines actually Windows environment. The penetration tester whoisn’t the ultimate goal of your work. It’s a means to can show the implications of this access, such as thean end. The end is to determine the business risk the ability to access millions of sensitive healthcare recordsorganization faces in association with the vulnerabilities or control systems that contain vital trade secrets, willyou’ve discovered. As you conduct a test, and especially provide so much more value.as you prepare the report, make sure you always keep Joshua Jabra Abraham has written convincingly aboutthe main goal in mind: to determine, demonstrate, and goal-oriented penetration testing, in which a penetrationexplain the risk to the business, as well as methods for tester focuses on achieving certain goals beyondmitigating that risk. discovering vulnerabilities in a target environment. One item in which some penetration testers fall short Abraham cites goals such as remotely gaining internalin determining business risk involves a view of a target system access, gaining Domain Admin access, andenvironment as just a group of individual machines. gaining access to credit card information. I stronglyOnce they’ve gotten shell on one of them, such pen support the idea of goal-oriented testing, and urgetesters figure that they have a high-risk finding, and penetration testers to work with target system personnelthey call it a day. The real bad guys don’t do it that to define their goals in terms of business issues (not justway. That initial compromise is the toe in the door, technical achievements) that are important to the targetand they view the entire group of machines and the organization.network itself as their target. The real bad guys, whose When initially scoping a penetration test, make surework we need to mimic to understand business risk you ask target system personnel what their mostproperly, pivot mercilessly, bouncing from that initial important information and processing assets are, andcompromised machine to other machines in the target what their nightmare scenarios for computer attacksenvironment. might be. Sometimes, you may have to stretch their Pivoting through a target, some penetration testers minds a little bit about what an attacker could actuallyset their sites on seemingly very juicy prey: Domain do. Have an open and honest discussion about theAdmin rights in a Windows environment. But, honestly, possibility of economic loss (due to down time, stolen ��� ������ ��� ��� ������ ����������� ����������� � ����������� ���������� � ����������� ������� � ����������� �������������� ���� � �������������� ��������� � ���� �������� �������������� ��������� ������� �������� � ���� � ����������� �������������� ���� ������� ���������� � ����������� ���� �������������� ���������� ��������������� ����������Figure 1. Pen Tester C Has De�ned Business-Centric Goals that Go Beyond Shell and Domain Admin 07/2011 (7) November Page 51 http://pentestmag.com
  • STANDARDmoney, diminished competitive advantage through showing business risk by gaining access to sensitivestolen trade secrets, etc.), regulatory and compliance trade secrets instead of just technical dominance ofoversight (if a breach were to occur and government the target environment.investigators were to come a-calling), lawsuitpossibilities from customers or business partners, Remember Who Your Primary Audience Is…brand/reputation tarnishment, and physical threat to Not Other Pen Testerslife and limb. In a frank discussion about these points, Many really skilled penetration testers write their reportsI often ask target system personnel, What keeps you so that they will impress people like themselves, that is,awake at nights in terms of computer attacks? This isn’t other penetration testers. I am often tempted to do thisabout spreading Fear, Uncertainty, and Doubt, the lame myself, as I get into a mindset of I want to knock theFUD used to scare people into better security practices. socks off of other penetration testers with the amazingInstead, this is about an honest view of security risks work I did here, so I’m going to describe it all in termsand how a penetration test can help determine how that pen testers will understand and get excited about.realistic those risks are. While the temptation is understandable, it should be For example, I was once discussing with a avoided. Impressing other penetration testers shouldn’tmanufacturing company their biggest worries about what be the real goal of our reports, as they aren’t thean attacker could do in compromising their computing audience that will allow us to provide the most businessinfrastructure. They were focused on whether a bad value in our reports.guy could deface their website. I asked them whether Who is? For your executive summary, decisionthey thought about an attacker who got access to their makers are. These people can allocate resources tointernal environment and stole their sales contacts, help alleviate the issues you’ve discovered if you canswiped their future product plans, or gained control of make a convincing business-centered point to them.their manufacturing equipment controls causing it to The remainder of your deliverable, however, shouldmalfunction or shut down. Are those things possible? be written with an eye toward providing maximumthey asked. Let’s structure a penetration test so we can value to the enterprise security professional andcarefully see if they are, I responded, as we set more the operations team. Phrase your discussionbusiness-centric goals for the test. and recommendations so that they help security Consider the three penetration tests illustrated in people and system administrators implement yourFigure 1. In the first test (indicated by Pen Tester A recommended fixes. How? That’s what Tips number 3with green text and arrows), the penetration tester and 4 are all about.gets shell access on a target machine and reportsthat a critical exploitable vulnerability was discovered, Provide the “How-To” In Yourbut stops there. In the second test, Pen Tester B Recommendations(whose work is illustrated by text and arrow B in In your recommendations for remediation, don’t justblue) has gone deeper than the first tester, pivoting describe at a high-level the changes that need to beafter exploiting the initial flaw, by dumping hashes, made, but instead, include a practical step-by-stepconducting a pass-the-hash attack, and gainingaccess to a machine with a Domain Administratortoken on it. This tester then seizes the Domain Admin ��token, and writes up the results in a report, claimingvictory due to Domain Admin compromise. Pen TesterB has certainly demonstrated some risks associatedwith the original flaw better than the first pen tester. ����������������But, it isn’t until we get to the third penetration tester,Pen Tester C, shown with red arrows and text, who �continues pivoting even after gaining Domain Adminprivileges, getting access to a machine with highlysensitive trade secrets. This third penetration testerwill be able to best express the risk the organizationfaces due to the collective flaws in its environment,and make the best argument to management for �������� ����������� ���������action. Note that not only does Pen Tester C pivot Figure 2. Different Styles of Recommendation Carry Different Levelsmore than A or B, but Pen Tester C is also focused on of Business Value (and Risk of Something Going Horribly Wrong) 07/2011 (7) November Page 52 http://pentestmag.com
  • description of how to implement your recommended every finding? In many enterprises, a penetration testchange. Provide command-line or GUI screenshot report is split up among multiple groups or individuals,examples that show how to make your recommended with each group assigned tasks to fix a subset ofchanges. findings and receiving only the pages corresponding Consider a straight-forward sample finding that many to their actions. If you include that text with only onenetwork penetration testers encounter, illustrated in finding, another group may get a separate part ofFigure 2. Suppose the target organization has internal the report, and not see the vital caveat you includedWindows machines that support NTLMv1, an older, in another section of the report. Does this getweaker form of Windows authentication. A fairly low- redundant? Yes, but that redundancy is the price ofvalue finding would involve copying and pasting the reducing risk.result from a vulnerability scanner recommending thatthe target organization move to NTLMv2. But how? Provide the “How-To-Check-Remediation” In A bit higher-value finding would tell the target Your Recommendationsorganization to set the HKEY_LOCAL_MACHINESYSTEM Now, here’s a real gem that can help differentiate yourCurrentControlSetControlLSALMCompatibilityLevel registry penetration testing results and significantly increasekey value to 5 for servers. Such a recommendation is their value. In your recommendations for remediation,certainly better than just saying to move to NTLMv2, include not only the how-to for implementing the fix,but it still leaves open some questions of how target but also include a description of how the organizationenvironment personnel can do this. can verify that the remediation is in place. That way, A higher-value finding might include information they can have some level of assurance that the fix isabout running a command such as the following on the working. The how-to-check description may be prose,discovered impacted servers, which will alter the given but I like to go further, providing one or more commandsetting to the recommended value: lines, GUI screenshots, or tool configurations that do the job of verifying the efficacy of the remediation. YouC:> reg add hklmsystemcurrentcontrolsetcontrol lsa should write such recommendations so that they can /v lmcompatibilitylevel /t REG_DWORD /d 0x5 be carried out by a skilled security professional or a very knowledgeable system administrator, but don’tTo provide even more value, you can include a write them in a manner that only other penetrationwalk-through of how to implement this finding using testers would be able to perform your recommendedGroup Policy and then apply it to an entire Windows actions.environment. The bottom line here is to always look For some findings, including a checking step isat your recommendations, and see how well you’ve trivially easy. Consider the NTLMv2 recommendationanswered the question, But how? discussed earlier. You could add the following to that I know what you are thinking. At this point, you are recommendation, significantly improving its value:likely concerned that the more detailed you get with You can check this setting by running the followingyour recommendation, the more risk that target system command:personnel will blindly follow it, potentially wreakinghavoc in a production environment. This concern is C:> reg query hklmsystemcurrentcontrolset controlquite valid, and must be managed in the report itself. lsa /v lmcompatibilitylevelThat’s why I like to include language with every singlefinding that says: You should verify that its output is 5, an indication that These changes are based on their applicability to numerous the system is configured to use NTLMv2.environments, but could have unknown consequences in this For small tweaks to configuration or the applicationparticular environment. For that reason, any recommended of various patches, Windows commands such as reg,changes should be evaluated in a test environment first, wmic qfe, and wmic product are especially helpful. Onand then rolled out through proper, formal change control Linux, you’ll often rely on cat, grep, rpm, and running aprocesses. If you do not test these configurations in an program with the –version option as a check.experimental environment, they could result in downtime or For more complex recommendations, crafting aother damage to a production environment. checking step that is suitable for non-penetration testers can be much more of a challenge. ForI like to put this text in bold face font and italicize it example, writing a procedure to test whether Cross-to emphasize its importance. I include it with every Site Scripting (XSS) defenses have been implementedfinding that requires a change of configuration. Why at first seems very difficult. If you suggest that they try 07/2011 (7) November Page 53 http://pentestmag.com
  • STANDARDto enter certain specific test XSS strings to evaluate Prioritize Your Findings Carefully Accordingtheir newly implemented filters, it is quite possible to Impact and Probability of Exploitationthat the filters remove only the specific test strings The vast majority of penetration testing reports thatyou’ve provided! The organization would then have I read prioritize finding based solely on whether thea false sense of security, as other XSS strings would issue is high, medium, or low risk. While such rankingsstill work against the target application. That’s why I’ll do provide a broad signal to decision makers andsometimes craft my verification process around the technical personnel about where they should focusrunning of a given tool with a specific configuration. their remediation activities first (high-risk items), theSo, for XSS, I’ll suggest that the organization run a so-called “HML” (High-Medium-Low) mechanism oftenparticular free XSS scanning tool that I know will put lacks the granularity many organizations need forthe application through its paces and give a reasonably prioritization with the high-risk category itself. That’sgood read on whether they have defended against why I recommend categorizing risks according to bothXSS more comprehensively than by just filtering a few their potential impact as well as their probability of beingtest strings. successfully exploited. That way, organizations can get When I first proposed adding these checking a better feel for the risk factors and focus their effortsrecommendations to our reports, some folks at the on items that are simultaneously high impact and ratherpenetration testing company where I worked protested, likely to be exploited.saying that this will lengthen the report writing time and Of course, there are far more complex methodsdrive up our costs. But, I’ve found that adding this extra for assigning risk levels to discovered flaws, such asinformation really only requires a few minutes for each the Common Vulnerability Scoring System (CVSS)recommendation, and lends itself to templatization. It developed by FIRST. While CVSS is an excellentmay mean that your reports take ten percent longer to method for detailed analysis of flaws, some penetrationwrite, but their value to target system personnel will be testers find that its complexity and precision make itsignificantly greater. difficult or costly to use in routine penetration testing. At first blush, third-party penetration testers who do I’ve found that categorizing issues according to impactassessment projects for other enterprises may think that and probability to be a happy medium between the too-this recommendation will cost them future remediation simple HML approach and the more complex CVSSverification work. That is, if you tell your customers how scheme.to check their own remediation in your report, they’ll be In your executive summary at the start of aless likely to come back to you for a retest to verify their penetration testing report, it can be useful to providefixes. While that is certainly true, quite honestly, retest a graphical summary of discovered issues accordingwork focused on verifying fixes tends to not be terribly to their relative importance to the organization. Forinteresting, nor financially lucrative. I’d rather provide as HML-style findings, many penetration testers just cutmuch value up front as I can, with the knowledge that and paste a bar chart showing the relative count ofI’m helping to cement the customer relationship for theirnext real penetration test. �������� ������ � � ������ � ��������������������������������� �������������������������������� ����������������������������������������� � ����� ���������������������� ������������ ������������������������������������� ������������������������������ � ���������������� ����������� ���������� ������������������������������������ ����� ������������������������������������������� ���������� ������������� ���������� � � � � � ������������������������� �������� ������������������������������������������ ����������� ������������Figure 3. A Traditional Bar Chart Used with the HML Model Doesn’t Figure 4. A Matrix Showing Impact and Probability, with Circle SizeConvey Very Much Information or Business Value Indicating the Number of Each Type of Issue 07/2011 (7) November Page 54 http://pentestmag.com
  • high, medium, and low-risk issues discovered, whichdoesn’t really convey that much information or value,as shown in Figure 3. Going beyond the simple bar chart, our team hashad a lot of success in showing a graphical summaryof discovered issues based on impact and probabilityof successful exploitation using a multi-dimensionalgraph, such as that shown in Figure 4. Here, we havea matrix with the probability of successful exploitationrunning along the X-axis, and the potential impactgoing up the Y-axis, with a relative ranking of 1 to 5.Note that we indicate the relative number of issuesdiscovered at each intersection by including a circlewhose area corresponds to the number of findingsthere. A bigger circle indicates that the pen test teamidentified more instances of this kind of finding. Wehave had several customers tell us that this kind ofchart provides a more meaningful summary of ourresults, and allows decision makers to more quicklyunderstand results and assign resources necessaryfor remediation.ConclusionsIt is important to note that all of the recommendationsI’ve described here presume that you perform excellenttechnical work. You must continuously strive for that.Then, to add that final polish to your results, apply oneor more of these tips to maximize the business value ofyour work. We’ve discussed several different approaches forproviding significantly more value in your penetrationtests. Now, I’m not expecting that every reader willfollow every single tip here. But, I do hope that you’llincorporate at least one or two of these practices,helping to drive up the business value of the work youdo. Working together to help define and provide high-value penetration testing will help our industry avoid thevalueless death spiral of the Really Crappy PenetrationTest.ED SKOUDISSANS Fellow and Pen Test Curriculum LeadAuthor of SANS 504 and 560 CoursesFounder, Counter Hack Challenges 07/2011 (7) November http://pentestmag.com
  • INTERVIEWInterview withDean BushmillerDean currently consults on information assurance andoperational security. Proving insecurity by penetration testingis a natural part of consulting. He focuses on converting thebusiness philosophy of „security is an obstacle” to „security is amoney maker”. He has served on 6 beta testing teams. He is thesubject matter expert on the 10 domains of the CISSP officialcurriculum. Dean has been teaching on-line for 7 years and face-to-face for 11. As a non-militaryperson, Dean Bushmiller is a proud Recipient of 5 mission coins for preventing deer in theheadlights look.Can you tell us a little bit about yourself This is a two-part question: You offerand how you got involved in the field of Penetration Testing consultation in additionInformation Security? to Security Education, how do you divideDB: It is odd how I got into security; I backed my your time between the two, and does oneway into Information Security from training. I was a play any role in the other?technology trainer back when Windows 95 had major DB: As far as the task at hand, it depends on the year,problems with basic print processing. Explaining why it but it averages out to 50/50. I really like consultingworked and how it worked seemed easy to me. I could by referral from my students. They know my way ofread the big thick book and relate it to people. My doing things and appreciate it. As far as mental focus,customers said, hey you can teach. I started to teach it’s never really divided, you know? The roles blendtechnology and people would ask crazy questions. together quite nicely! I learn from everything I get toOne student decided to test me and started asking do and always try and bring it to the next experience.questions from the then CD version of Microsoft’s Students in the classroom bring me new tools that ITechnet. I just kept on answering until he was bored. have never heard of before. As they are doing theirThen students started to ask me how to solve real homework, I am doing mine. Playing with that newproblems they were having. It seemed logical to tool, reading that book they talked about. I have alook at packet traces and ask about protecting the big lab environment in my office, every version ofresources. I did my investigations for a few years, every operating system I can get my hands on builthelping people with bigger and bigger problems. Once up so I can test tools. Things that I learn in the fieldwhile on a customer site, some guy was looking over make the training richer and deeper. Sometimes youmy shoulder and said in a very accusatory tone, What can read the things you need in books. Sometimesare you doing? After I explained, he said that was a it takes doing it over and over, optimizing until it issecurity problem not a technology problem. Stay out just right. And sometimes you create a great lessonof the security! I did not know there was a distinction. I out of thin air. That creativity is the spark that keepsthought all computing was computing and security was both the classroom and the consulting working well.just another part. That is when I realized I had been in I am answer driven. I don’t care what the answer is;the Information Security field for about three years. I I just want it so I can get to the goal of securing thestarted doing more formal focused work and study in environment. If the client is wrong or I am wrong, whothe security field and here I am. cares? Let’s just get to the answer so we can fix it. 07/2011 (7) November Page 56 http://pentestmag.com
  • In the Upcoming Issue of Client Side Exploits Available to download on December 2ndSoon in Pentest!• Ric Messier – Stealth Testing Using NMAP• Aniket Kulkarni – Fuzzing Internals – Craft it!• Nimrod Ben-Em – What XSS can’t do for you?• Tal Null – Session Puzzlingand more...If you would like to contact Pentest team, just send an emailto en@pentestmag.com. We will reply immediately.