Real World Application Threat Modelling
By Example
44Con 2013
Agenda
Threat modelling 101
Our goals
Doing it
Threat modelling 101
Why threat model?
Help with risk analysis (defensive)
Help with efficient effort investment (offensive)
Threat modelling 101
Attacker centric aka attack trees
Software, system, design or architecture centric
Asset centric aka traditional risk analysis
Threat modelling 101
Our goals
Assess a virtual appliance with zero initial knowledge
Map its attack surface
Develop a threat model
Our goals – another perspective
Target
Djigzo Email Encryption Gateway
http://www.djigzo.com/gateway.html
Steps?
Steps
Enumeration / Discovery
Dataflow
Threat model
Phase 1 - Enumeration
Step #0 – Tools
Notepad / VIM / Whatever
Mind Mapper (FreeMind etc.)
Diagram Drawer (Visio etc.)
OS specific tooling (enumeration / debug)
Step #1 – Get shell
• Possible approaches
  • Mount virtual disk image
  • Live CD – add a user
  • Single user mode
  • Allowed functionality
    • Default username and password
Step #2 – Get root
• Possible approaches
  • Mount virtual disk image
  • Live CD – add a user
  • Single user mode
  • Product configuration issue
    • They allow a shell
    • They made a mistake / overlooked something
Step #3 – Enumerate?
Step #3 – Enumerate
• Product functionality
• Technologies in use
• Processes
• Listening ports
• Process to port mappings
• Users processes are running as
• Mooch around the interfaces (*scientific)
• Dig into the database (if there is one)
Step #3 – Enumerate – Product functionality
Source: Administration / Installation manual
• Console administration interface
• Web administration interface
• Email gateway
• Email encryption solution
Step #3 – Enumerate – Technology
• Linux
• Postfix
• Java
• Apache Tomcat 6
• Spring (web framework)
• Apache James (mail)
• Tanuki Software Wrapper (allows Java to run as a daemon)
• Jetty web server (SOAP interface)
• Postgres
Step #3 – Enumerate – Processes
Step #3 – Enumerate – Listening Ports
Step #3 – Enumerate – Processes to ports
Step #3 – Enumerate – Listening Ports
Port   Process   Description                    Verified how
22     SSHD      SSH daemon                     No need
25     Master    Postfix mail transfer agent    No need / experience
8080   Java      Tomcat                         /etc/tomcat6/server.xml
8443   Java      Tomcat                         /etc/tomcat6/server.xml
Step #3 – Enumerate – Listening Ports
Port    Process    Description / Function                           Verified how
5400    Java       RMI for JMX                                      /etc/djigzo/spring/services.xml
5432    Postgres   Database server                                  Obvious from the process name
8005    Java       Tomcat shutdown port                             Internet knowledge
9000    Java       SOAP interface                                   /etc/djigzo/djigzo.properties
10025   Java       Mail content filter port                         /etc/djigzo/james/config.xml, /etc/james/smtp_server.xml, /etc/postfix/main.cf
10026   Master     Postfix mail transfer agent – mail reinjection   /etc/djigzo/james/config.xml, /etc/postfix/main.cf
15012   Java       Wrapper                                          /etc/djigzo/djigzo.wrapper.conf
58490   Java       Unknown
Step #3 – Enumerate – Listening Ports
Step #3 – Enumerate – What’s missing?
Step #3 – Enumerate – Processes
Step #3 – Enumerate – Open Handles
ls /proc/[pid]/fd
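The process-to-port-to-user mapping of Step #3 and the /proc/[pid]/fd walk above, as an added shell example that is not part of the slides: it decodes /proc/net/tcp directly (so it still works when netstat, ss or lsof are missing from a stripped-down appliance), resolves each listening socket's inode to a PID through /proc/[pid]/fd, and prints the process name and the user it runs as. SAMPLE_PROC_NET_TCP is a constructed excerpt used for the offline demo; the function names are my own. IPv4 only (/proc/net/tcp6 needs the same treatment with 32-hex-digit addresses).

```shell
#!/bin/sh
# Listening-socket to process/user mapping from /proc, without netstat or ss.
# Added example, not from the slides. Assumes a Linux /proc for live use.

# Constructed /proc/net/tcp excerpt: sshd on 22 (uid 0), a Java listener on
# 8080 (uid 106), a loopback-only Postgres on 5432 (uid 108), and one
# ESTABLISHED row (state 01) that must be ignored.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1538 00000000:0000 0A 00000000:00000000 00:00000000 00000000   108        0 34567 1 0000000000000000 100 0 0 10 0
   3: 0A000002:0016 0A000001:C3A4 01 00000000:00000000 00:00000000 00000000     0        0 45678 1 0000000000000000 100 0 0 10 0'

# listening_sockets: read /proc/net/tcp text on stdin and print
# "ip port uid inode" for every LISTEN (state 0A) socket, sorted by port.
# Addresses are little-endian hex, so 0100007F is 127.0.0.1.
listening_sockets() {
  awk '
    function hex2dec(h,   i, n) {
      n = 0; h = toupper(h)
      for (i = 1; i <= length(h); i++)
        n = n * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
      return n
    }
    NR > 1 && $4 == "0A" {
      split($2, a, ":")
      ip = hex2dec(substr(a[1], 7, 2)) "." hex2dec(substr(a[1], 5, 2)) "." \
           hex2dec(substr(a[1], 3, 2)) "." hex2dec(substr(a[1], 1, 2))
      printf "%s %d %d %d\n", ip, hex2dec(a[2]), $8, $10
    }' | sort -k2,2n
}

# pid_for_inode INODE: walk every /proc/[pid]/fd (the "ls /proc/[pid]/fd"
# step) looking for the socket:[INODE] link. Needs root to see other users'
# processes; prints "-" when nothing matches.
pid_for_inode() {
  for fd in /proc/[0-9]*/fd/*; do
    if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then
      printf '%s\n' "$fd" | cut -d/ -f3
      return 0
    fi
  done
  printf '%s\n' "-"
}

# uid_name UID: resolve a numeric uid via /etc/passwd, falling back to the number.
uid_name() {
  name=$(awk -F: -v u="$1" '$3 == u { print $1; exit }' /etc/passwd 2>/dev/null)
  printf '%s\n' "${name:-$1}"
}

# enumerate_listening: live version of the "Listening Ports" table, one line
# per listener: port, bind address, process name, pid, user.
enumerate_listening() {
  listening_sockets < /proc/net/tcp | while read -r ip port uid inode; do
    pid=$(pid_for_inode "$inode")
    comm=$( [ "$pid" != "-" ] && cat "/proc/$pid/comm" 2>/dev/null || printf '?' )
    printf '%-6s %-15s %-16s %-6s %s\n' "$port" "$ip" "$comm" "$pid" "$(uid_name "$uid")"
  done
}

# Offline demo on the constructed sample; pass --live on a Linux box to run
# against the real /proc.
if [ "${1:-}" = "--live" ]; then
  enumerate_listening
else
  printf '%s\n' "$SAMPLE_PROC_NET_TCP" | listening_sockets
fi
```

Run it with --live as root on the appliance to rebuild the port table from the slides; anything bound to 0.0.0.0 rather than 127.0.0.1 is part of the external attack surface, and a listener running as root (uid 0) is the first place to look for the memory-corruption and configuration threats discussed later.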
Step #3 – Enumerate – Missing Process
Step #3 – Enumerate – Mooch
Step #3 – Enumerate – Firewall Rules
Step #3 – Enumerate – Database
Step #3 – Enumerate – Other Tools
Tool          Purpose
checksec.sh   Operating system and binary defence in depth
find          File system permissions, SUID binaries etc.
tcpdump       Sniff the loopback adapter for database, SOAP and other IPC traffic
lsof          List open files for a particular process or path
strace        System call trace – see which system calls are being made by a process
ltrace        Library call trace – see which library calls are being made by a process
unzip         For extracting JAR and WAR files containing the Java classes
JD-GUI        Java decompiler for the Java classes
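The find row of the table, as an added example that is my own script rather than anything from the talk: the file-system permission checks a reviewer runs across an appliance (setuid/setgid binaries, world-writable files, world-writable directories without the sticky bit). It builds a constructed demo tree so the checks can be tried safely before pointing them at the real root file system.

```shell
#!/bin/sh
# File-system permission triage with find. Added example, not from the slides.

# suid_binaries ROOT: regular files with the setuid bit, the classic local
# privilege-escalation surface on an appliance.
suid_binaries() {
  find "$1" -type f -perm -4000 2>/dev/null | sort
}

# sgid_binaries ROOT: setgid files, reviewed alongside setuid ones.
sgid_binaries() {
  find "$1" -type f -perm -2000 2>/dev/null | sort
}

# world_writable_files ROOT: files any local account can modify. A config
# file, script or JAR here lets any user influence the daemon that loads it.
world_writable_files() {
  find "$1" -type f -perm -0002 2>/dev/null | sort
}

# world_writable_dirs_no_sticky ROOT: directories anyone can write to without
# the sticky bit, so one user can delete or replace another user's files.
world_writable_dirs_no_sticky() {
  find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# make_demo_tree: constructed fixture (not a real appliance layout) so the
# checks can be exercised offline. Prints the tree's path.
make_demo_tree() {
  tree=$(mktemp -d) || return 1
  mkdir "$tree/bin" "$tree/shared" "$tree/tmp"
  : > "$tree/bin/helper";  chmod 4755 "$tree/bin/helper"     # setuid: finding
  : > "$tree/bin/normal";  chmod 0755 "$tree/bin/normal"     # benign
  : > "$tree/shared/app.properties"
  chmod 0666 "$tree/shared/app.properties"                   # world-writable: finding
  chmod 0777 "$tree/shared"                                  # writable, no sticky: finding
  chmod 1777 "$tree/tmp"                                     # writable with sticky: fine
  printf '%s\n' "$tree"
}

# report ROOT: print each findings list under a heading.
report() {
  printf 'setuid files:\n';                          suid_binaries "$1"
  printf 'setgid files:\n';                          sgid_binaries "$1"
  printf 'world-writable files:\n';                  world_writable_files "$1"
  printf 'world-writable dirs without sticky bit:\n'; world_writable_dirs_no_sticky "$1"
}

# Default: run against the constructed tree; pass a path such as / to triage
# a real system (run as root so find can descend everywhere).
if [ $# -gt 0 ]; then
  report "$1"
else
  demo=$(make_demo_tree)
  report "$demo"
  rm -rf "$demo"
fi
```

Each finding feeds the threat model directly: a setuid binary is an elevation-of-privilege candidate, and a world-writable file under the daemon's configuration or class path is a tampering candidate that turns any low-privilege foothold into control of the main process.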
Summary so far
We have a shell and file system access
We have root on the appliance
We know the technologies
We know product functionality
We know roughly how it is built
We know what speaks to what
We have mooched around the interfaces
We have had a quick look at the database
Phase 2 – Dataflow
Step #0 – Dataflow - High-level
Step #1 – Dataflow – With Boundaries
What’s still missing?
What's still missing
High-level: logging, platform defences etc.
Low-level: detailed functional flows, e.g. authentication, actions, commands, mail transiting
Phase 3 – Threat Model based on High-Level
Threats: The Microsoft Way
Threats?
Threats: Web Interface
Threats: Admin Console
Threats: Daemon
Threats: Mail Transfer Agent
So what’s next?
We now ‘test’, ‘assess’ and/or ask the architects / developers what has been considered and what mitigations are present
How do we summarize?
Threat                   Impact / Risk                                        Mitigation        Residual Risk
Malformed PDF document   Memory corruption leading to arbitrary code          Written in Java   Denial of Service
                         execution in the main daemon or wrapper process
Phase 4 – Going Deeper
Going deeper
• Rip into database
• Application passwords stored in clear-text
• File system contents
• Soap interface credentials in clear-text
• Certificates are dynamically generated
== a more complete real world threat model
Going deeper
• Grab the Tomcat configurations
• Work out the filter chains
• See which URLs don't need authentication
• Chain URLs back to Java classes
• Grab the JAR and WAR files containing the classes
• Disassemble
• Review code
== a more complete real world threat model
Conclusions for now…
The ideal process
Challenges
• Development may not have the deep threat / mitigation knowledge
  • Brainstorming with a security person helps here
• Organisations underestimate the effort, size and complexity required to do threat modelling right
Conclusions
• Threat modelling requires a good understanding of security risks
• Developing a good threat model takes a lot of time / effort and resource
• Enumeration of technologies and interfaces is key
• Think about possible attacks and how they are mitigated
• Verify threats either statically or dynamically
… this presentation was only the beginning
UK Offices
Manchester - Head Office
Cheltenham
Edinburgh
Leatherhead
London
North American Offices
San Francisco
Atlanta
New York
Seattle
Australian Offices
Sydney
European Offices
Amsterdam - Netherlands
Munich - Germany
Zurich - Switzerland
Thanks! Questions?
Ollie Whitehouse
ollie.whitehouse@nccgroup.com
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Real World Application Threat Modelling By Example

  • 19. Step #3 – Enumerate – Processes
  • 20. Step #3 – Enumerate – Listening Ports
  • 21. Step #3 – Enumerate – Processes to ports
  • 22. Step #3 – Enumerate – Listening Ports
    Port | Process | Description                 | Verified how
    22   | SSHD    | SSH daemon                  | No need
    25   | Master  | Postfix mail transfer agent | No need / experience
    8080 | Java    | Tomcat                      | /etc/tomcat6/server.xml
    8443 | Java    | Tomcat                      | /etc/tomcat6/server.xml
  • 23. Step #3 – Enumerate – Listening Ports
    Port  | Process  | Description / Function                         | Verified how
    5400  | Java     | RMI for JMX                                    | /etc/djigzo/spring/services.xml
    5432  | Postgres | Database server                                | Obvious from the process name
    8005  | Java     | Tomcat shutdown port                           | Internet knowledge
    9000  | Java     | SOAP interface                                 | /etc/djigzo/djigzo.properties
    10025 | Java     | Mail content filter port                       | /etc/djigzo/james/config.xml, /etc/james/smtp_server.xml, /etc/postfix/main.cf
    10026 | Master   | Postfix mail transfer agent – mail reinjection | /etc/djigzo/james/config.xml, /etc/postfix/main.cf
    15012 | Java     | Wrapper                                        | /etc/djigzo/djigzo.wrapper.conf
    58490 | Java     | Unknown                                        |
  • 24. Step #3 – Enumerate – Listening Ports
  • 25. Step #3 – Enumerate – Listening Ports
  • 26. Step #3 – Enumerate – Listening Ports
  • 27. Step #3 – Enumerate – What’s missing?
  • 28. Step #3 – Enumerate – Processes
  • 29. Step #3 – Enumerate – Open Handles ls /proc/[pid]/fd
  • 30. Step #3 – Enumerate – Missing Process
  • 31. Step #3 – Enumerate – Missing Process
  • 32. Step #3 – Enumerate – Missing Process
  • 33. Step #3 – Enumerate – Mooch
  • 34. Step #3 – Enumerate – Mooch
  • 35. Step #3 – Enumerate – Mooch
  • 36. Step #3 – Enumerate – Firewall Rules
  • 37. Step #3 – Enumerate – Database
  • 38. Step #3 – Enumerate – Other Tools
    Tool        | Purpose
    checksec.sh | Operating system and binary defence in depth
    find        | File system permissions, SUID binaries etc.
    tcpdump     | Sniff the loopback adapter for database, SOAP and other IPC traffic
    lsof        | List open files for a particular process or path
    strace      | System call trace – see which system calls are being made by a process
    ltrace      | Library call trace – see which library calls are being made by a process
    unzip       | For extracting the JAR and WAR files containing the Java classes
    JD-GUI      | Java decompiler for the Java classes
  • 39. Summary so far • We have a shell and file system access • We have root on the appliance • We know the technologies • We know the product functionality • We know roughly how it is built • We know what speaks to what • We have mooched around the interfaces • We have had a quick look at the database
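The listening-ports, process-to-port and open-handles steps above are shown in the slides as screenshots. The script below is an added example, not code from the talk or from the Djigzo appliance: it builds the same "port, owner, pid, command" table straight from /proc, so it still works on a stripped-down appliance that ships without netstat, ss or lsof. The /proc/net/tcp rows it parses by default are constructed sample data (ports 8080 and 5432, uids 105 and 106 are made up); the --live mode walks the real /proc tree and, like the "ls /proc/[pid]/fd" step, only sees other users' sockets when run as root.

```shell
#!/bin/sh
# Added example (not from the 44Con slides or the Djigzo product): map
# listening TCP ports to uid, pid and command from /proc alone.

# Constructed sample in /proc/net/tcp layout: a LISTEN socket (st=0A) on
# 0.0.0.0:8080 (hex 1F90) owned by uid 105, one on 127.0.0.1:5432 (hex 1538)
# owned by uid 106, and an ESTABLISHED entry (st=01) that must be ignored.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1538 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C5A2 0100007F:1538 01 00000000:00000000 00:00000000 00000000   106        0 12347 1 0000000000000000 20 4 30 10 -1'

# /proc/net/tcp stores ports as big-endian hex ("1F90" is 8080).
hex_to_port() {
    printf '%d\n' "$((0x$1))"
}

# Read /proc/net/tcp-formatted lines on stdin and print "port uid inode"
# for every socket in state 0A (LISTEN). The header row carries "st" in
# the state column, so the same comparison skips it.
listening_from_proc_net() {
    while read -r sl laddr raddr st txrx trwhen retr uid timeout inode rest; do
        [ "$st" = "0A" ] || continue
        printf '%s %s %s\n' "$(hex_to_port "${laddr##*:}")" "$uid" "$inode"
    done
}

# Walk /proc/<pid>/fd looking for socket:[inode]; this is the talk's
# "ls /proc/[pid]/fd" step done for every process. Other users' fd tables
# are only readable as root, which is why Step #2 (get root) comes first.
inode_to_pid() {
    for fd in /proc/[0-9]*/fd/*; do
        link=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$link" = "socket:[$1]" ]; then
            pid=${fd#/proc/}
            printf '%s\n' "${pid%%/*}"
            return 0
        fi
    done
    return 1
}

# Live run: the columns of the listening-ports table, minus the
# "verified how" column, which still needs the config files read by hand.
enumerate_live() {
    for f in /proc/net/tcp /proc/net/tcp6; do
        [ -r "$f" ] && listening_from_proc_net < "$f"
    done | sort -un | while read -r port uid inode; do
        user=$(getent passwd "$uid" 2>/dev/null | cut -d: -f1)
        pid=$(inode_to_pid "$inode") || pid='?'
        comm='?'
        [ "$pid" != '?' ] && comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        printf '%-6s %-12s %-6s %s\n' "$port" "${user:-$uid}" "$pid" "$comm"
    done
}

# Stand-alone demonstration on the constructed sample (no root needed).
printf '%s\n' "$SAMPLE_PROC_NET_TCP" | listening_from_proc_net
# On a real appliance run it as root with --live to walk /proc for real.
if [ "${1:-}" = "--live" ]; then
    enumerate_live
fi
```

Ports found this way that do not appear in any config file (the "Unknown" row, 58490, in the table above) are the ones worth chasing with the open-handles and strace steps, since a socket no config file accounts for is either an ephemeral RMI/JMX port or a surprise.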
  • 40. Phase 2 – Dataflow
  • 41. Step #0 – Dataflow - High-level
  • 42. Step #1 – Dataflow – With Boundaries
  • 44. What's still missing? • High-level: logging, platform defences etc. • Low-level: detailed functional flows, e.g. authentication, actions, commands, mail transiting
  • 45. Phase 3 – Threat Model based on High-Level
  • 52. So what's next? We now 'test', 'assess' and/or ask the architects / developers what has been considered and what mitigations are present
  • 53. How do we summarize?
    Threat                 | Impact / Risk                                                                              | Mitigation      | Residual Risk
    Malformed PDF document | Memory corruption leading to arbitrary code execution in the main daemon or wrapper process | Written in Java | Denial of Service
  • 54. Phase 4 – Going Deeper
  • 55. Going deeper • Rip into the database • Application passwords stored in clear-text • File system contents • SOAP interface credentials in clear-text • Certificates are dynamically generated == a more complete real world threat model
  • 56. Going deeper • Grab the Tomcat configurations • Work out the filter chains • See which URLs don't need authentication • Chain URLs back to Java classes • Grab the JAR and WAR files containing the classes • Decompile • Review code == a more complete real world threat model
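The "work out the filter chains, see which URLs don't need authentication, chain URLs back to Java classes" steps can be started mechanically from a WAR's WEB-INF/web.xml. The script below is an added example, not code from the talk or from Djigzo, and the web.xml it parses is a constructed sample with made-up filter and servlet names (authFilter, example.AdminServlet, example.StatusServlet). It lists every servlet url-pattern with its class and the filters that apply to it, and marks patterns no filter covers. Filter matching is simplified to exact and "/prefix/*" matches; extension mappings, dispatcher types and ordering are ignored.

```shell
#!/bin/sh
# Added example (not from the 44Con slides or the Djigzo product): map
# url-pattern -> servlet class -> applied filters from a Tomcat web.xml.

# Constructed sample web.xml: one auth filter mapped to /admin/*, an admin
# servlet on /admin/* and a status servlet on /status with no filter at all.
SAMPLE_WEB_XML='<web-app>
  <filter>
    <filter-name>authFilter</filter-name>
    <filter-class>example.AuthFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>authFilter</filter-name>
    <url-pattern>/admin/*</url-pattern>
  </filter-mapping>
  <servlet>
    <servlet-name>admin</servlet-name>
    <servlet-class>example.AdminServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>status</servlet-name>
    <servlet-class>example.StatusServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>admin</servlet-name>
    <url-pattern>/admin/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>status</servlet-name>
    <url-pattern>/status</url-pattern>
  </servlet-mapping>
</web-app>'

# Read a web.xml (one element per line, as Tomcat ships them) on stdin and
# print "url-pattern servlet-class filters" per servlet-mapping. A filter
# applies when its pattern equals the servlet pattern or is a "/prefix/*"
# that the servlet pattern starts with; "NO-FILTER" flags unprotected URLs.
web_xml_auth_map() {
    awk '
    function text(s) { sub(/^[^>]*>/, "", s); sub(/<.*$/, "", s); gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /<servlet>/           { in_s = 1 }
    /<\/servlet>/         { in_s = 0 }
    /<servlet-mapping>/   { in_sm = 1 }
    /<\/servlet-mapping>/ { in_sm = 0; smpat[++nsm] = sm_pat; smname[nsm] = sm_name }
    /<filter-mapping>/    { in_fm = 1 }
    /<\/filter-mapping>/  { in_fm = 0; fpat[++nf] = fm_pat; fname[nf] = fm_name }
    /<servlet-name>/      { n = text($0); if (in_s) s_name = n; else if (in_sm) sm_name = n }
    /<servlet-class>/     { if (in_s) sclass[s_name] = text($0) }
    /<filter-name>/       { if (in_fm) fm_name = text($0) }
    /<url-pattern>/       { p = text($0); if (in_sm) sm_pat = p; else if (in_fm) fm_pat = p }
    END {
        for (i = 1; i <= nsm; i++) {
            sp = smpat[i]; fl = ""
            for (j = 1; j <= nf; j++) {
                fp = fpat[j]
                if (fp == sp || (fp ~ /\/\*$/ && index(sp, substr(fp, 1, length(fp) - 1)) == 1))
                    fl = fl (fl == "" ? "" : ",") fname[j]
            }
            printf "%s %s %s\n", sp, sclass[smname[i]], (fl == "" ? "NO-FILTER" : fl)
        }
    }'
}

# Stand-alone demonstration on the constructed sample; on a real target
# feed it the unzipped WAR: web_xml_auth_map < WEB-INF/web.xml
printf '%s\n' "$SAMPLE_WEB_XML" | web_xml_auth_map
```

The class names in the output are what to hand to JD-GUI next. With a Spring-based stack such as the one enumerated here, web.xml usually only shows a DelegatingFilterProxy, and the URL-to-filter rules live in the Spring security configuration, so this output is the first hop of the chain rather than the last.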
  • 59. Challenges • Development may not have the deep threat / mitigation knowledge • Brainstorming with a security person helps here • Organisations underestimate the effort, size and complexity required to do threat modelling right
  • 60. Conclusions • Threat modelling requires a good understanding of security risks • Developing a good threat model takes a lot of time, effort and resources • Enumeration of technologies and interfaces is key • Think about possible attacks and how they are mitigated • Verify threats either statically or dynamically … this presentation was only the beginning
  • 61. UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich - Germany Zurich - Switzerland Thanks! Questions? Ollie Whitehouse ollie.whitehouse@nccgroup.com