Penetration Testing Magazine


Penetration Testing Magazine Volume 1

EDITOR'S NOTE 01/2011 (01)

Dear Readers,

Welcome to Penetration Test Magazine, a new publication from the Hakin9 team, with its focus on the penetration testing field. What you are looking at right now is what you might call the "zero" teaser issue, which we've decided to publish to reach you and – hopefully – encourage you to stay with us and become our avid readers in the future. For there are surely good reasons to take a closer look at Penetration Test Magazine, especially if you are a pen tester, security assessment provider or client, or simply an IT security enthusiast.

Our main goal is to create a platform where like-minded specialists as well as amateurs could exchange their views, discuss important issues, or just observe the trends on the market. The penetration test market is thriving and it deserves a magazine that can deal with its issues. As for now, we are the only magazine of its kind on the market.

The magazine proper will be available by paid subscription, 29 USD per issue. What we offer for this price is more than fifty pages of top-quality, non-commercial technical writings by IT security specialists, who are more than happy to share their knowledge and expand yours.

The following teaser mag features two splendid pieces of writing. Iftach Ian Amit from Security Art and Chris Nickerson from Lares joined forces to present their views on the industry and how the Penetration Testing Execution Standard can "fix" it. If you feel, like the writers do, that the term "penetration test" has been "cannibalized", "commercialized", and attracted too many "charlatans" – the article is just for you. The second article, by Bill Mathews from Hurricane Labs, will give you some practical advice on how to operationalize penetration testing results using network monitoring software, and – as the author highlights – for free.

We would like to thank the contributors for submitting great content and meeting very close deadlines at the same time, especially Iftach Ian Amit, whose assistance and commitment was truly invaluable for us.

We hope you enjoy the magazine – and don't forget to check out our first issue in May!

Enjoy your reading
Sebastian Buła & Penetration Test Magazine Team

TEAM
Editor: Sebastian Bula
Proofreaders: Michael Munt
Betatesters: Michael Munt, Edward Werzyn Jr
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic
Art Director: Ireneusz Pogroszewski
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca
Marketing Director: Sebastian Bula
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1, Phone: 1 917 338 3631

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

To create graphs and diagrams we used program by
Mathematical formulas created by Design Science MathType™

DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

01/2011 (1) April
CONTENTS

Contribute

Penetration Testing Magazine is a community-oriented magazine. We want IT security specialists and enthusiasts to work together and create a magazine of the best quality, attractive to every individual and enterprise interested in the penetration testing field.

If you are interested in being a part of our community – submit an article or bring up a subject you consider important and up-to-date. Are there any trends on the market you'd like to take a closer look at? Are there any tools or solutions worth reviewing or presenting to the community? Are there any touchy and controversial issues you feel have to be discussed in public? Then share your opinions with us.

If you run an IT security company, your contribution is most welcome. Tell us about your solutions and advertise in the magazine for free, or have a special issue devoted exclusively to you. As long as you provide top-notch quality of your writings, we are always ready to cooperate and help your company develop with us.

Are you a student? We're looking forward to your articles! Fresh attitude, opinions and beliefs of the young and budding IT security gurus are invaluable for us. You will give your career a great start when you write to a respectable IT magazine. Showing an issue with your name among the names of other authors – and often famous ones – will be your great asset during a job interview.

If you think you don't have enough time to create an article from scratch, but feel interested in the magazine – become one of our beta testers. This way you will get the opportunity to look at a new issue's contents before it's even published, and your name, too, will appear in the magazine. If you feel the need to contribute and share your knowledge, but don't have enough spare time for creative writing – beta testing is just for you.

Sections:
White Box
Application Security
Black Box
Web Security
Network Security
Wireless Security
Standards and Methodologies
How To…
Open Source Intelligence
Vulnerabilities

STANDARDS
Fixing the Industry
by Iftach Ian Amit and Chris Nickerson

HOW TO…
…Operationalize Penetration Testing Results Using Network Monitoring Software – All For Free
by Bill Mathews
STANDARDS
Fixing the Industry
by Iftach Ian Amit and Chris Nickerson

Penetration testing has been a skill (some say an art) for as long as we can remember information security and the computer industry. Nevertheless, over the past decade or so, the term has been completely ambiguated. It has been cannibalized, commercialized, and transformed into a market where charlatans and professionals are on the same playing field.

The commercial industry has embraced the sexiness of penetration tests, built products around it, uprooted its values with product marketing and sales speak, and conned organizations into buying deeper and deeper into the dreaded pentest unit (as in "I need 2 units of pentest to complete this compliance effort"). Backed by a thriving regulatory compliance rush to check off as many items as they can on audit lists, pentesting was given the final blow to its heritage of value. A once surgical skill that required innovation, critical thinking, technical savvy, business understanding, and good old hacker-sense was reduced to a check box on the back of a consulting company's marketing material. This type of market commoditization has led to the frustration of many businesses and consultants alike.

"Commercializing security tools and Compliance are giving the industry a double-blow"

With this in mind, a group of security veterans (each one with at least a decade under their belts, and numerous successful penetration tests in various industries) have gotten together to discuss the state of the industry, and a common gripe was echoed. Many of the venting sessions from professionals around the world centered around the wide array of testing quality within penetration tests. This huge gap was often boiled down to the "Scanner/Tool Tests" versus "Real Testing" arguments. Another common theme for these sessions was the decided lack of value presented by the Scanner type of testing and some brainstorming of how that could be resolved worldwide. This issue was not localized or specific to any vertical but it was something that InfoSec professionals from all around the globe were experiencing. From these sessions, happening at EVERY security conference thrown, an idea was born. The idea – to finally standardize and define what a penetration test really is. This would help the testers increase the quality and repeatability of the testing while also giving the organizations doing the testing a reference list of what is to be done during the test. This is where the Penetration Testing Execution Standard (PTES) started.

After a couple of months of working behind the scenes, a group of about a dozen security practitioners from different parts of the industry put forth a basic mind map of how they did penetration tests. Later on, that blended map was released to a larger group of InfoSec professionals. This group tore apart the original map and streamlined it to fit a larger and wider audience. At that point a final rendition of the mindmap was constructed between 25+ international InfoSec professionals. With over 1800 revisions to the Alpha mindmap, the team then opened up the stage for more massive collaboration and started building one of the more exciting concepts in the security industry. Currently the Penetration Testing Execution Standard is backed by dozens of volunteers from all around the world, working in teams on writing the finer details of what will be the golden standard for penetration testing for organizations as small as a 15-person company, and as large as a government agency or a nation's critical infrastructure.

The standard spans seven sections that define the content of a penetration test. These sections cover everything from how to formalize the engagement legally and commercially, up to what areas the final report should cover. Following is an overview of the seven sections and what they reflect in terms of how a penetration test should be conducted.

Pre-Engagement Interaction

In this section the standard defines some basic rules of engagement, scoping, points of contact, and most importantly goals for the engagement. It is often neglected and overlooked (as in our previous example of two pentest units – that are usually followed by a website or an IP address to be tested), and one of the main reasons for organizations not getting any value out of such testing. The section goes on to define what the allowed resources are that the tester can utilize in the business, and the tester is given an opportunity to gain a better understanding of what the business aspect being scrutinized is, and what the real goals of the test are (which are NEVER a server, an application, or even a network). In addition to the goal/value oriented approach of the tester, the organization receiving the test (the customer) will also be able to reference this section. The customer will be able to set guidelines for the test, understand the safeguards put in place and have a full understanding of the communication pathways that will be open throughout the test. Often times, customers do not have the appropriate channel of communication with the testing group and it causes confusion in the testing process. We aim to make the goals and tests performed clear to both sides well before the testing begins.

Information and Intelligence Gathering

In this section the standard really kicks in. This is where we were receiving the most comments along the lines of "this is too expensive", "we don't know how to do this", and "this is not really necessary". From our collective experience (at least the founding team) we can clearly state that when this phase is done right, we can already know the outcome of the pentest. During the intelligence-gathering phase, the tester aims to build as comprehensive as possible a picture of the target organization. Everything from corporate information, the vertical in which the organization is operating, business processes that are crucial to the business, financial information and all the way up to mapping out specific personnel, their online social presence and how to use all of that information in a way that an attacker would use. On the other hand, the organization being tested will finally get a clear overview of how it is being perceived by an investigative attacker. A lot of information is being spilled out through unauthorized (and seemingly legitimate) channels, social media, and just plain old bad policies. It is crucial for the tested organization to see exactly what information is available out there in order to either prepare for such information being used against them or fix any policy/training gaps that it may have in relation to information disclosure. Until this exercise is performed, most companies do not understand the gravity of the information that can be collected about them. For example: if a tester can identify that the customer is using an unpatched version of Acrobat (found through the analysis of metadata within a published document), they are a prime candidate for a client side/malicious file attachment attack. Also, if there are sensitive documents published on corporate directed locations, it may pose an even bigger risk (i.e. VPN login instructions on a public webserver; yes… we ran into these many times in the past).

The information and intelligence gathering phase aims to gather as much information as possible about the target and fully explore the increased threat surface to attack. The standard covers digital collection through open source intelligence resources as well as paid-for resources, physical on-site collection and observation, and human intelligence collection. After all, the more a tester has to attack the more comprehensive the results will be. This is the most aggressive approach available but will not be required for all strengths of tests. It's important to note that the standard will also define levels or strength of operations within each section – which would allow small engagements to employ the more standard OSINT (Open Source Intelligence) methods, and larger scale or higher level/strength engagements to include the more elaborate on-site, physical and HUMINT (Human Intelligence) elements.

Threat Modeling

The threat-modeling section provides the tester and the organization with clear documentation of the relevant threat communities as well as the assets and their

The threat modeling is performed around two central lines – the attacker, and the business assets. From an attacker perspective, all the relevant threat communities are identified, researched, documented, and their capabilities are fully analyzed and documented. From a business asset perspective, all the critical business assets (physical, logical, process, 3rd party, intellectual, etc.) are identified. During the documentation phase of these assets, every relevant supporting technology system is mapped, along with the relevant personnel, interaction, processing, and the information

The main output from this phase is a well-documented threat model that takes into account the data gathered and analyzed at the intelligence gathering phase, and can be used to create attack trees and map out venues for vulnerability analysis of key processes and technologies. This is another key component to providing value in penetration testing. If the customer does not know what the threat is to the business or the actual risk, why should they resolve the issue? Threat modeling provides a weighting system so that testers can rely less on a screenshot of a shell and more on the overall value to the business.

Vulnerability Analysis

Only at this stage do we run into what more traditional penetration tests actually include in their scope. As we can clearly see, the new penetration testing execution standard provides a much more thorough background – both from a business understanding, as well as from a technical perspective to the test. Leveraging this extensive research, the vulnerability analysis phase (which can sometimes be considered as a technology-centric threat modeling) defines the extensive coverage of mapping out and documenting any vulnerability in processes, physical infrastructure, and of course technology related elements. This phase does include some interaction with the organization, as the testers probe for services and equipment, confirm assumptions made at the threat modeling and intelligence gathering phases, and fingerprint the underlying software being deployed.

One of the deliverables from this phase (on top of the actual vulnerability mapping and assertion) is attack trees that correspond to the entire process thus far. This by itself can provide a lot of value to the organization as a document that can be updated with relevant threats, vulnerabilities and exposure, and that is used as one of the parameters for the ongoing risk management practice.

Mind you, this is not just running a scan or port mapping. This is a comprehensive process to analyze the data collected for attack routes as well as identify venues for attacks. The tester will leverage conventional and unconventional ways to identify vulnerabilities from missing patches, open services, misconfigurations, default passwords, intellectual property leakage, increased threat through information (leaked passwords/docs), and much more. This hybrid approach allows the testers to collect actionable information and rank the ease of attacks. Once the tester has analyzed the potential vulnerabilities present, they will have a clear picture of what/why/how/where and when to execute attacks to confirm the validity of that vulnerability.

Exploitation

The exploitation section is very close to the common scope of penetration tests these days. It includes the actual attack execution against the organization. With all the proper intelligence, threat modeling and vulnerability analysis in place, this phase becomes much more focused and, more importantly, much more fine-tuned to the organization being tested. In a proper penetration test, we should not just see the spread-spectrum scans and exploitation attempts on every conceivable technology from a tool or two, but also (and again – much more importantly) a dedicated attack path that stems from the true assets that the organization holds and the specific vulnerabilities (either technology related or human/process related). This type of validation is a process that is often lost in the "throw all the attacks we have at it" type of automation. Here, the standard aims to act on the vulnerabilities identified and confirm or refute their existence. Many testers and testing tools, due to lack of actionable intelligence or poor planning, will run exploits against hosts that do not have the exploitable package running or even installed. This causes undue increased traffic and potential risk to the business environment.

Post-Exploitation

At this point most pentests conclude the engagement and provide a report that includes every finding with some sort of traffic light rating (low, medium, high...) that is pre-baked into the reporting tool. However, real world attacks would not be satisfied with getting a foothold inside the organization, and would try to leverage it further – either trying to obtain additional information/resources, or to actually find a way to exfiltrate the information/control outside of the organization. The exfiltration and access to the data types or control systems will fit directly into the threat modeling conducted earlier in the

The tester will be able to show the real company impact of certain attacks and why they are relevant to the company (i.e. there is a big difference in showing an executive a screenshot of a shell than showing them the interface THEY use to change the General Ledger within the ERP system. This type of focus provides an instant impact and is formatted in the language that makes sense to the business). The post-exploitation phase defines the scope of such additional tasks that provide the organization with a way to see how it would really stand up to such an attack, and whether it would be able to identify related data breaches and leaks. Conducting this focused attack on resources paints a very clear and concise picture of the threat's capability and its possible effects on the business as a whole.

Reporting

Finally – this trip through an attacker's modus operandi needs to be concluded with a clear and useful report, for the organization to actually see value from such an engagement. The value is not limited to documenting the technical gaps that need to be addressed, but also needs to provide a more executive-level report that reflects the organization's exposure to loss in business terms (financial). This would include the actual meaning of which assets are at the highest risk, how many resources are used to protect different assets, and a recommendation on how to more efficiently close any gaps in exposure by spending resources on controls and protections more intelligently.

Such a recommendation would not have been possible without the surrounding activities that provide the business relevance of the exercise and the tested business elements. This is also where the organization would end up finding the most value out of the engagement, as opposed to most common pentests which leave it with a laundry-list of exploits and vulnerabilities, without their actual relevance or business impact. In the report, the tester will be required to identify the symptomatic vulnerabilities (like a patch missing) as well as tie out the systemic vulnerabilities – a patch is missing BECAUSE there are gaps in policy and procedure in x/y/z area which allowed for the patch to not be installed in a timely manner or within the specified time).

"Measuring detection and incident response is an integrated part of a penetration test"

It's important to note that although there isn't a dedicated section for detection and incident response, the organization's capabilities to identify, and react to, anything from the intelligence gathering, through the vulnerability analysis, exploitation and post-exploitation is also put to the test. The penetration test includes direct references to such capabilities in each section (as well as in the reporting section), and can be extremely useful to clearly identify the organization's maturity in terms of risk management and handling. This provides an additional value to the customer as they are allowed to test the effectiveness of their defensive monitoring systems and/or outsourced solutions.

At the end of the day, the forces of the industry will dictate what a penetration test will look like and what it would contain. Nevertheless, the PTES aims to provide the industry with a baseline it clearly lacks now. The term has been mutated over many iterations and it has been given a very narrow freedom to operate between the minimum that has been dictated by regulatory requirements (which did good and actually forced more businesses to test themselves), and the "glass ceiling" that has been created de facto by the hordes of pentesters that know nothing better than using some product to push out a report to the customer and move on to the next. By clearly defining the term (which is used in a multitude of standards without an adequate definition of what it means or consists of) and what the purpose, value and components of a penetration test are, PTES will increase the confidence of customers and testers alike. For quite some time now, organizations expect the value of conducting a penetration test to be not much more than a rubber stamp on the audit report or a ticked checkbox on their compliance worksheet. PTES is attempting to increase that value and blow some wind into the dwindling sails of what once was a critical part of running a secure operation. In modern days, where everyone is being so easily hacked by an APT, isn't it time our testers start acting like one? Or would you rather an Automated Penetration Test (APT) that you pay for and that does not even attempt to learn WHY they are doing the test in the first place?

IFTACH IAN AMIT
Iftach Ian Amit brings over a decade of experience in the security industry, and a mixture of software development, OS, network and Web security expertise as Vice President Consulting to the top-tier security consulting firm Security-Art. Prior to Security-Art, Ian was the Director of Security Research at Aladdin and Finjan. Ian has also held leadership roles as founder and CTO of a security startup in the IDS/IPS arena, and a director at Datavantage. Prior to Datavantage, he managed the Internet Applications as well as the UNIX departments at the security consulting firm Comsec. Ian is a frequent speaker at the leading industry conferences such as BlackHat, DefCon, Infosec, Hacker-Halted, FIRST, BruCon, SOURCE, ph-neutral, and many more.

CHRIS NICKERSON
Chris Nickerson, CEO of LARES, is just another Security guy with a whole bunch of certs whose main area of expertise is focused on Real World Attack Modeling, Red Team Testing and Infosec Testing. At Lares, Chris leads a team of security professionals who conduct Risk Assessments, Penetration Testing, Application Testing, Social Engineering, Red Team Testing and Full Adversarial Attack Modeling. Prior to starting Lares, Chris was Dir. of Security Services at Alternative Technology, a Sr. IT Compliance at KPMG, Sr. Security Architect and Compliance Manager at Sprint Corporate Security. Chris is a member of many security groups and was also a featured member of TruTV's Tiger Team. Chris is the cohost of the Exotic Liability Podcast, the author of the upcoming RED TEAM TESTING book published by Elsevier/Syngress and a founding member of BSIDES Conference.
HOW-TO
Operationalize Penetration Testing Results Using Network Monitoring Software – All For Free
by Bill Mathews

We will model the results of a penetration test using network and application monitoring tools. The end result will be a dashboard showing you the vulnerabilities that still exist and the ones that have been remediated. This gives you a quick view of your vulnerabilities and the speed with which they're resolved.

Penetration testing these days is often done on a one-off basis, meaning companies do them – once a month, once a quarter or once a year – and then never think about them again. I find that to be a shame and think that penetration testing can be an invaluable tool in vulnerability management when performed properly.

One of my hobbies/passions/interests/whatever in the industry is finding a way to effectively operationalize security. That is, moving security out of the "this is theoretically possible" realm and into the "hey, we should fix this because it's happening now" realm. Part of this, I think, is finding a way to utilize the tools used by our compatriots in the network and applications management domains. This article will use two very popular (well... one very popular and one really-should-be popular) tools in the network monitoring and application monitoring spaces respectively. This will give us a way to display that the vulnerabilities from the report still exist as reported and measure the response/remediation time.

Tools Needed:
• Icinga – A fork of the popular Nagios monitoring suite.
• Webinject – A very powerful Perl script tool that allows you to build test cases for web applications.
• DVWA – Damn Vulnerable Web Application (http:// – An intentionally naughty web application.
• A Linux operating system. I used Ubuntu 10.10 for everything, but you may use what you like.

You will obviously need network connectivity between the machines, and virtual machines are recommended for this exercise. You will also have to be able to talk to the web application on the desired ports (typically ports 80, 443). Setting up these tools is beyond the scope of this article, but the installation documentation for all three tools is excellent, plus there are LiveCDs for two out of the three of them, so go ahead and get your environment set up.

In our theoretical world, let's pretend we just received a penetration test report that our web application (DVWA) has a weak password associated with it. For this example the login is admin/password. We begin by using Webinject to test that the login does indeed work. This is done by creating a testcase in Webinject language: see Listing 1.

The first test, cleverly given the id of '1', verifies that the login.php page loads correctly; we want to be sure it's there before we try to log in to it. The second test then posts our username (admin) and our weak password to login.php and then verifies we can see the content behind the login.

Listing 1. testcases.xml

    <testcases repeat="1">
      <!-- DVWA-HOST is a placeholder: the host part of the URL was not preserved in the printed listing -->
      <case id="1"
            description1="Load Login Page"
            description2="Verify Page Loads"
            method="get"
            url="http://DVWA-HOST/login.php"
            verifypositive="Damn Vulnerable Web Application" />
      <!-- the & separating form fields must be written as &amp; inside an XML attribute -->
      <case id="2"
            description1="Verify Weak Login Works"
            method="post"
            url="http://DVWA-HOST/login.php"
            postbody="username=admin&amp;password=password"
            verifypositive="Welcome to Damn Vulnerable Web App" />
    </testcases>

We can further extend this to test cases encompassing everything on our reports. SQL injections, XSS bugs, etc., can all be modeled this way and monitored for. The beauty of using Webinject is that it allows us to use it easily as a Nagios/Icinga plugin. Simply add <reporttype>nagios</reporttype> to config.xml and you will get Nagios/Icinga-compatible output.

Now you could very easily be done at this point. You have some test cases to run that verify the issues found in the report. You could put this in a cron job that emails you the status every couple of days and be perfectly happy. However, with a little more work you can integrate this verification with Icinga and then have a near real-time dashboard showing the status of your remediation efforts. This integration will do a few things for you; most importantly, it will provide some perspective on how much badness was really found during your penetration test. It will also add some accountability as you can break up the dashboard by responsible groups. This way the server administrators can see what is going on with the servers and the application team can see just the applications. Finally, it can provide some reporting for you on how fast vulnerabilities are getting resolved. This can be a powerful tool in your arsenal: it speaks the languages of your network and application teams, as well as articulating the vulnerabilities to your security team while providing metrics for your business team.

BILL MATHEWS
Bill Mathews is co-founder and lead geek of Hurricane Labs, an information security firm founded in 2004. Bill wrote this article while recovering from pneumonia so any errors are purely the result of the medication. :-) You can reach Bill @billford on Twitter and read other musings on http://
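The Webinject-to-Icinga integration the article describes, shown end to end as an added example: this Python script is not part of Bill Mathews' article and is not code from the Webinject or Icinga projects. It parses the same testcases.xml format as Listing 1, runs the cases, and prints one status line with a Nagios-style exit code (0 OK, 2 CRITICAL, 3 UNKNOWN), so it can be registered as an Icinga check command exactly like a Webinject run with the nagios report type. The host name DVWA-HOST, the canned responses and the script name check_webinject_cases.py are assumptions. The one design point it adds is the state mapping: the last case is the vulnerability check, so when it still passes the finding is still present and the service goes CRITICAL, and when it fails the finding is remediated and the service is OK, which is what makes the dashboard show open versus remediated findings. Earlier cases are preconditions (the login page must load before a login can be tried), so a failure there yields UNKNOWN rather than a false "remediated".

```python
"""Nagios/Icinga-style check built around the Listing 1 test-case format.

Added example; not code from the article, Webinject or Icinga.
Exit codes follow the Nagios plugin convention: 0 OK, 1 WARNING,
2 CRITICAL, 3 UNKNOWN. A passing vulnerability case means the finding is
still reproducible, so it is reported as CRITICAL.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Constructed sample in the Listing 1 format. DVWA-HOST is a placeholder host.
SAMPLE_TESTCASES = """<testcases repeat="1">
  <case id="1" description1="Load Login Page" method="get"
        url="http://DVWA-HOST/login.php"
        verifypositive="Damn Vulnerable Web Application" />
  <case id="2" description1="Verify Weak Login Works" method="post"
        url="http://DVWA-HOST/login.php"
        postbody="username=admin&amp;password=password"
        verifypositive="Welcome to Damn Vulnerable Web App" />
</testcases>"""


def parse_testcases(xml_text):
    """Return one dict of attributes per <case>, in document order."""
    root = ET.fromstring(xml_text)
    return [dict(case.attrib) for case in root.iter("case")]


def http_fetch(method, url, body=None, timeout=10):
    """Real transport: issue the request and return the response body as text."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method.upper())
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as exc:
        raise RuntimeError(f"request to {url} failed: {exc}") from exc


def canned_fetch(responses):
    """Offline transport for dry runs: maps (method, url, body) to a canned body."""
    def fetch(method, url, body=None):
        try:
            return responses[(method.lower(), url, body)]
        except KeyError:
            raise RuntimeError(f"no canned response for {method.upper()} {url}") from None
    return fetch


def case_passes(case, fetch):
    """True when the verifypositive text appears in the response body."""
    body = fetch(case.get("method", "get"), case["url"], case.get("postbody"))
    return case.get("verifypositive", "") in body


def evaluate(cases, fetch):
    """Run the cases in order; return (exit_code, status_line).

    All cases but the last are preconditions; the last one is the finding.
    """
    if not cases:
        return UNKNOWN, "UNKNOWN - no test cases defined"
    *preconditions, finding = cases
    label = finding.get("description1", finding["id"])
    try:
        for case in preconditions:
            if not case_passes(case, fetch):
                return UNKNOWN, (f"UNKNOWN - precondition case {case['id']} "
                                 f"({case.get('description1', '')}) failed")
        if case_passes(finding, fetch):
            return CRITICAL, f"CRITICAL - still reproducible: {label}"
        return OK, f"OK - remediated: {label}"
    except RuntimeError as exc:
        return UNKNOWN, f"UNKNOWN - {exc}"


def main(argv):
    """Usage: check_webinject_cases.py testcases.xml (falls back to the sample)."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_TESTCASES
    code, line = evaluate(parse_testcases(xml_text), http_fetch)
    print(line)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Note that Webinject's own nagios report type treats a fully passing run as OK; if you feed Webinject's output to Icinga directly rather than through a wrapper like this one, name the service so that an OK state reads as "finding still present", or the dashboard will show the opposite of what the article intends.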
Say Hello to Red Team Testing!

Security Art's Red Team service operates on all fronts on behalf of the organization, evaluating all information security layers for possible vulnerabilities. Only Red Team testing provides you with live feedback on the true level of your organizational security. Thinking creatively! That's our approach to your test.

Security Art's Red-Team methodology consists of:
1. Information and intelligence gathering
2. Threat modeling
3. Vulnerability assessment
4. Exploitation
5. Risk analysis and quantification of threats to monetary values
6. Reporting

Ready to see actual benefits from your next security review? info@security-art.com
Or call US Toll free: 1 800 300 3909, UK Toll free: 0 808 101 2722