Sql injection pen_test_07_2011_teasers

EDITOR’S NOTE
07/2011 (07)

Halloween injected!
The masquerade is on. Therefore, we’ve decided to bring
you a little longer edition of PenTest. This time 61 pages
about SQL Injection, Fuzzing and other interesting stuff. Let’s
than have a closer look at what we have prepared for you in
November’s edition.
We’re starting with the main topic – SQL Injection. Two
articles, but altogether 16 pages describing practical side
of this technique. First one, written by Sow Ching Shiong,
focuses on using Open Source and Free Tools for both
TEAM Windows and Linux. Second one, whose author is Christopher
Payne, will show you how to “inject your way to success”. The
Managing Editor: Maciej Kozuszek
maciej.kozuszek@software.com.pl author starts with a simple example of sql injection, describes
it’s various types and ends the article writing about defending
Associate Editor: Shane MacDougall
shane@tacticalintelligence.org against sql injection. This is injection of a really large dose of
Betatesters / Proofreaders: Davide Quarta, Rishi Narang,
knowledge. See for yourself!
Scott Christie, Ed Werzyn, Jeff Weaver, Aidan Carty In the next section of this issue we’ve decided to continue
the Fuzzing topic, as it occurred to be much broader field
Senior Consultant/Publisher: Paweł Marciniak than we thought. Here, you will find three papers written by:
CEO: Ewa Dudzic Mrityunjay Gautam, Jose Selvi, and Sagar Chandrashekar.
ewa.dudzic@software.com.pl The first one is devoted to the theory of fuzzing, but also
gives us some insight in some fuzzing tools, so it’s a great
Art Director: Ireneusz Pogroszewski introduction into two another articles. In the second one Jose
ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski is bringing us some useful information about not so popular
fuzzing tool called Sulley. And the last one is a thorough
Production Director: Andrzej Kuca description of another tool called WebScarab.
andrzej.kuca@software.com.pl
If you’ll jump to a page No 38, you’ll find yourself in third
Front page photo by: www.scribbletime.com section, Focus. This section is a continuation of a huge
Publisher: Software Press Sp. z o.o. SK article by Jonathan Brossard, where he describes a tool
02-682 Warszawa, ul. Bokserska 1 called Pmcma (Post Memory Corruption Memory Analysis).
Phone: 1 917 338 3631
www.pentestmag.com This one is aimed especially in those interested in reverse
engineering.
Whilst every effort has been made to ensure the high quality of The next article called Maximizing the Value of Pentesting
the magazine, the editors make no warranty, express or implied, is obligatory for all those who work in IT Security business,
concerning the results of content usage.
All trade marks presented in the magazine were used only for and especially for those conducting any forms of penetration
informative purposes.
tests or vulnerability assesments. This piece is a great talk
about the quality of services in this business, and how should
they be improved.
Finally at the end of this issue you will find an interview with
Dean Bushmiller, professional with a great experience and not
All rights to trade marks presented in the magazine are a lesser knowledge.
reserved by the companies which own them.
To create graphs and diagrams we used program Unfortunately this time our collumnist Shane McDougall
by couldn’t provide us with the article due to the unforeseen
circumstances. His articles will surely appear in the future
issues.
Mathematical formulas created by Design Science MathType™
We hope, you will find this issue of PenTest compelling and
worthful.
DISCLAIMER!
The techniques described in our articles may only Thank you all for your great support and invaluable help.
be used in private, local networks. The editors
hold no responsibility for misuse of the presented
techniques or consequent data loss. Enjoy reading!
Maciej Kozuszek
& PenTest Team

07/2011 (7) November Page 3 http://pentestmag.com

CONTENTS

SQL INJECTION WebScarab is a framework maintained by OWASP. It helps
security engineers, developers to identify vulnerabilities
SQL Injection Pen-Testing
06
and bugs in web applications. It is written in Java, and is
by Sow Ching Shiong thus portable to many platforms. The author focuses on
SQL Injection is an attack in which the attacker describing how does the WebScarab Tool work like.
manipulates input parameters which directly affect
an SQL statement. This usually occurs when no input FOCUS
sanitisation is conducted. Depending on permissions, an
Introduction to exploit automation
38
attacker may be able to read database contents or even
write to the database. In this article, the author will show with Pmcma, Part II
you how to perform SQL injection pen-testing using open by Jonathan Brossard
source and free tools available for Windows and Linux. This year a tool called Pmcma (Post Memory Corruption
Memory Analysis) was released at the Blackhat US security
SQL Injection: Inject Your Way to
16
conference. The following article is an introduction
Success to Pmcma. The second part of the article describes
by Christopher Payne pmcma.c implementation, focusing on attacking function
Databases are the backbone of most commercial websites pointers, simulating arbitrary reads, detecting unaligned
on the internet today. They store the data that is delivered memory accesses and finally automating analysis and
to website visitors (including customers, suppliers, exploitation scenarios. The author made a serious efforts
employees, and business partners). Backend databases to provide you all the details concerning this tool, that
contain lots of juicy information that an attacker may be you might need.
interested in. Here the author makes a great introduction
into the art of SQL Injection. STANDARD
FUZZING Maximizing Value in Penetration
50 Testing
Fuzzing for Free by Ed Skoudis
24 by Mrityunjay Gautam The penetration testing business faces a great danger as
As a developer working on a product release, we tend more and more people jump into the field offering very
to re-use most of the legacy code from the previous low-value penetration tests that are little better than an
release and then work on the new features and bug-fixes automated vulnerability scan. In this article, we’ll discuss
only. As a QA resource, we would be using the same how to conduct your tests and write up results so that
“conformance test suite” or the same “stress test suite” they can provide significant business value to the target
to ensure that the new builds are working as expected. In organization. The author will surely convince you that
this article the author gives us the good insight into the the quality of your services is what really matters in this
theory of the art of fuzzing. business.

Fuzzing With Sulley INTERVIEW
28 by Jose Selvi
Interview with Dean Bushmiller
56
Can you write a simple python script? Can you understand
a network protocol and describe it using a simple object by Aby Rao
set? If so, you can find your own 0-day vulnerabilities! Dean currently consults on information assurance and
In this article we are going to describe how we can use operational security. Proving insecurity by penetration
Sulley Fuzzing Framework with a real vulnerable FTP testing is a natural part of consulting. He focuses on
Server. As it is mentioned above, the author presents you converting the business philosophy of „security is an
how to use the Sulley Tool. obstacle” to „security is a money maker”. He has served
on 6 beta testing teams. He is the subject matter expert
Fuzzing With WebScarab
32
on the 10 domains of the CISSP official curriculum. In this
by Sagar Chandrashekar interview Aby talks with Dean about his career, courses
In order to follow along with the fuzzing exercises in he’s leading and his statement about today’s security
this article, you will need a fuzzer and fuzzing target. business condition.
WebScarab will be our fuzzer and WebGoat web
application is our target. WebScarab and WebGoat can
be installed on both Linux and Windows machines.


SQL INJECTION

SQL Injection Pen-
Testing
using Open Source and Free Tools
SQL Injection is an attack in which the attacker manipulates input
parameters which directly affect an SQL statement. This usually
occurs when no input sanitisation is conducted. Depending on
permissions, an attacker may be able to read database contents or
even write to the database.

I
n this article, the author will show you how to perform The program is able to identify error and Boolean-
SQL injection pen-testing using open source and based SQL injection problems, as well as uncovering
free tools available for Windows and Linux.

SQL Injection Tools for Windows
Netsparker community edition is a powerful web
application vulnerability scanner, which can detect and
report potential website security problems and allow
you to resolve them before they are used by hackers.
Figure 3. Netsparker community edition successfully obtained the
version of back-end database

Figure 1. Netsparker community edition main screen

Figure 2. Netsparker community edition scan results Figure 4. Havij free version main screen


SQL INJECTION

SQL Injection: Inject
Your Way to Success
SELECT * FROM winners WHERE pentester = ‘YOU’ or 1=1--’
SQL Injection is one of the many web attack mechanisms used
by hackers to steal data from organizations. SQL Injection is one
of the most common vulnerabilities in web applications today.
It is (as of the time of writing) ranked as the top web application
security risk by OWASP[1].

D
atabases are the backbone of most commercial a myriad of user submit able forms and the delivery of
websites on the internet today. They store dynamic web content. Many of these features users take
the data that is delivered to website visitors for granted and demand in modern websites to provide
(including customers, suppliers, employees, and businesses with the ability to communicate customers.
business partners). Backend databases contain lots These website features are may be susceptible to SQL
of juicy information that an attacker may be interested Injection attacks and are good place to start during a
in. Data such as: User credentials, PII, PII, confidential pentest engagement that includes a web application
company information, and anything other data that a testing component.
legitimate user may need access to through a web
portal. At its most basic form, web applications allow A Simple SQL Injection Example
legitimate website visitors to submit and retrieve Take a simple login page where a legitimate user would
data over the Internet using nothing more than a enter his username and password combination to enter
web browser which allow the internet to be the giant a secure area to view his personal details or upload his
consumer market that it is. comments in a forum.
SQL Injection is the attack technique which When the legitimate user submits their information,
attempts to pass SQL commands through a web a SQL query is generated from this information and
application for execution by the backend database. submitted to the database for verification. The web
If not sanitized properly, web applications may result application in question that controls authentication
in SQL Injection attacks that allow hackers to view will communicate with the backend database through
or modify information from the database. The attack a series of commands to verify the username and
tries to convince the application to run SQL code password combination that was submitted. Once
that will result in access that was not intended by verified, the legitimate user should be granted the
the application developers. The attacker uses SQL appropriate access for their account to the web
queries and creativity to bypass typical controls that application.
have been put in place. Through SQL Injection, the attacker may input
Common web application features introduce the SQL specifically crafted SQL commands with the intent of
injection attack vector. These features include login bypassing the login form authentication mechanism.
pages, search pages, e-commerce checkout systems, This is only possible if the inputs are not properly


FUZZING

Fuzzing for Free
State of Art and Upcoming Research

As a developer working on a product release, we tend to re-use
most of the legacy code from the previous release and then work
on the new features and bug-fixes only. As a QA resource, we
would be using the same “conformance test suite” or the same
“stress test suite” to ensure that the new builds are working as
expected.

B
ut what troubles us the most is that some researchers. Here, in this article, we would discuss some
security researcher (or hacker, as some of state of the art open source tools which can be used for
us prefer to call them) sends an email to your fuzzing networks, files and activeX controls.
security response team telling about an exploitable Fuzzing is one of the most commonly used techniques
buffer overflow in your product. for identifying security flaws in any application. The entry
Some of us think that the researcher actually reversed points for user controlled or tainted data is identified in
engineered the code to find this issue; or he has access the application. These are files, registry entries, emails,
to some very specialized hardware and software to spot network sockets, activex controls, dll, etc, typically the
these issues. The reality is far more simple and cost- places where any attacker controlled data can enter
effective. In this article, we would talk about a few open into the system and the application starts processing it.
source tools which are used by security researchers to Fuzzers typically have a stored dictionary of strings and
spot vulnerabilities in our products even if they have integers which it uses at appropriate places iteratively. If
zero or a very minimal knowledge of the product. the fuzzer identifies some part of the input as a variable
string, it would try all possible values of strings from its
Introduction dictionary and further mutations of these strings. These
With companies like ZDI out there in the market to pay strings typically target standard vulnerability classes
for every vulnerability you find, the motivation to work like buffer overflow, format string vulnerability, directory
in security research has gone exponentially high in the traversal, sql injection, xss injections, command injections,
last few years. The model of payment by ZDI and many etc. All of these can be grouped as implementation level
similar companies is that, if you disclose an exploitable flaws only. Another class of vulnerability is design level
vulnerability to ZDI with its proof of concept (PoC), you get vulnerability. If there is a design flaw in a network protocol
paid anything from 5000 USD to 40000 USD depending which allows for a man-in-the-middle attack, it can never
on the width of deployment of the product targeted and be detected by a fuzzer. Hence, by definition, fuzzers are
the severity of the issue. Hence, if you can compromise intended to target implementation level flaws only.
a machine by exploiting some product on it from the
network, the money you get it quite decent. Hence, Network Fuzzers
the general interest in identifying network, file and web One commonly targeted attack surface is network
based vulnerabilities is consistently growing amongst the protocols. In the industry, we either have implementation for


FUZZING

Fuzzing With Sulley

Can you write a simple python script? Can you understand a
network protocol and describe it using a simple object set? If so,
you can find your own 0-day vulnerabilities!
In this article we are going to describe how we can use Sulley
Fuzzing Framework with a real vulnerable FTP Server. Check it, try
it on your own software, and... enjoy, of course.

F
uzzing is a technique used in software security Sulley provides the tester with a... powerful framework
testing in which lots and lots of abnormal input where he can describe, using a simple grammar, the
data are sent to the software, in order to produce protocol to fuzz, and then the framework generates a
errors in normal software operation. complete set of tests based on mutations of the given
Since a software error is usually a potential security grammar. Each test of this set is checked against
threat, Fuzzing is a great technique to detect security the fuzzed software, while other components of the
flaws. Fuzzing is usually used by attackers in order to framework are monitoring all processes and network
discover unknown vulnerabilities, but also can be used events related with each test.
by security staff or software deverlopers, in order to test When an abnormal response happens, Sulley
their software strenght against this kind of attacks. Framework stores all data related to the crash, so the tester
has all the information regarding the CPU registers, stack,
Sulley Fuzzing Framework network, and much more. It can be very useful in order to
Sulley is an Open Source project, written in Python, that understand the weakness and correct (or exploit) it.
try to be a new standard in fuzzing software.

Figure 1. Sulley from Monsters Inc. Figure 2. Sulley Architecture


FUZZING

Fuzzing with
WebScarab
Although there are ample techniques to identify vulnerabilities
in software, fuzzing is the best technique as it is cost effective
and enhances software security as it often finds odd lapses and
vulnerabilities through automated or semi-automated process
followed by manual expert reviews.

F
uzzing is all about finding vulnerabilities or errors There are different fuzzing methods depending on how
in applications, operating systems and networks the fuzzer is used depending on the input parameters.
by injecting large amount of arbitrary data, called
fuzz. A Fuzzer is a tool which successively picks a Session Fuzzing
value from a fuzz template to replace user-specified Session fuzzing involves analysis of valid sessions of
parameters in a request sent to the server. Response the application or the server. During fuzzing, preferred
from the server is manually reviewed to identify parameters or parts of the session are altered and sent
vulnerabilities or errors. to the server or application. Since this method enables
fuzzer tool to change data that already exists, it is
Introduction To Fuzzing possible that the application will go into an uncertain
Why fuzzing? Where does it fit? What are its state which results in a security vulnerability.
limitations? Example: Incrementing session ids of a web
Vulnerability scanners are imprudent; they discover application.
known security issues and other low hanging fruit.
Fuzzing along with penetration testing covers this gap Explicit Fuzzing
and discovers unknown vulnerabilities. Fuzzing is one Explicit fuzzing involves building of specific fuzzing
of the techniques for automating security assessment. tools for specific applications or servers. It is possible
to enumerate the target which may go into an uncertain
Fuzzing Overview And Requirements state which results in a security vulnerability.
Fuzzing enables security engineers, developers and Example: Fuzzing FTP server with FTP Fuzzers.
testers to locate defects, errors, and vulnerabilities
produced by abnormal values via user inputs. Fuzzing Generic Fuzzing
covers the vital attack surfaces in a system fairly well, Generic fuzzing involves tool analysis to identify
identifies many common errors, probable vulnerabilities vulnerabilities on array of protocols, but they are not as
quickly and economically. Fuzzing is useful in evaluating efficient as explicit fuzzing. Generic fuzzing involves lot
black box systems, as it does not involve any access to of manual inputs from the users and only experienced
source code and can be performed without knowing the users can able to use these types of tools.
inner mechanism of the target system. Example: Protocols Fuzzing Tools such as Spike


FOCUS

Introduction to
Exploit Automation With Pmcma (Part II)

Earlier this year, we released a tool called Pmcma (Post Memory
Corruption Memory Analysis) at the Blackhat US security
conference. The tool is available free and open-source at http://
www.pmcma.org/ under the Apache 2.0 license. The following
article is an introduction to Pmcma. In addition advanced readers
can refer to the full Blackhat whitepaper mirrored on the Pmcma
website[0].

T
he second part of the article describes pmcma.c write condition), and an other (either the process exit, or
implementation, focusing on attacking function the return to this very same instruction in case of loops).
pointers, simulating arbitrary reads, detecting To detect those, we’re going to use the mk_fork()
unaligned memory accesses and finally automating technique. The algorithm is as follows: see Listing 3.
analysis and exploitation scenarios. To the best of my knowledge, this is the first proposed
technique to exhaustively enumerate all the function
Attacking Function Pointers pointers inside a process between two points in time.
Now that we have a way to experiment on various By default, pmcma uses the valid 0xf1f2f3f4 as a
modifications of a given process’ and address space, remarkable value, which is obviously never correct from
how do we find function pointers? Well, let’s get back userland, and is quite remarkable, hence limiting false
to the definition of a function pointer... It is a variable, positives. This value can be changed from the command
hence in a writable section, which points to a function. line. Let’s see how this would work inside pmcma on a
The majority of times a function starts with a standard simple example, by listing the function pointers from a
epilogue. And they all are in executable sections. given point in /bin/su: see Listing 4.
So what we do (in pseudo code) is: see Listing 2. So using the strict mode, we found 0 potential function
Two things are worth mentioning: first of, we may miss pointer to overwrite: Fortunately, in such a case, the
a few pointers if we use this algorithm, because some application will then try the relaxed mode: see Listing 5.
functions may not start with a standard prologue. This was We found 5 function pointers that are actually being
anticipated, and pmcma allows to test all of the pointers to dereferenced by /bin/su before exiting. To verify we
+X zones pointing to a valid assembly instruction just by actually got something relevant, we can read the
passing it the –relaxed flag. This is very time saving and message logs from the kernel:
works well in practice though. Secondly, the list of pointers
we get this way (by a pure static analysis) is w list of _ jonathan@blackbox:~$ dmesg |tail -n 1
potential_ function pointers. They may just happen to be
variables to luckily point to a valid function’s entry point. [ 7472.786312] su[20879]: segfault at f1f2f3f4 ip
More importantly, it doesn’t give us the list of function f1f2f3f4 sp bfcab4e8 error 15
pointers actually being dereferenced between a given
point in time (eg: the one where we found, say, an invalid jonathan@blackbox:~$


STANDARD

Maximizing Value in
Penetration Testing
The penetration testing business faces a great danger as more
and more people jump into the field offering very low-value
penetration tests that are little better than an automated
vulnerability scan. In this article, we’ll discuss how to conduct
your tests and write up results so that they can provide significant
business value to the target organization.

I
f you are an in-house penetration tester in an results that make an effective argument for changing
enterprise, providing more business value through things in their environment.
your work can help improve your job security in a Although there is, sadly, a distinct market segment of
tumultuous economy, and, better yet, may help you enterprises that desire the RCPT, other organizations
land that fat raise you’ve been hoping for. If you are a demand more business value for the penetration
third-party penetration tester, providing more business testing expenditures, as they should. As a penetration
value can lead your career to the point where you will tester, yes, you could take the easy way and deliver
command a higher bill rate. What’s not to like? low-quality results from low-quality tests, catering
I read a lot of penetration testing reports. In my work to the RCPT market. But, I’m hoping you’ll strive to
as an expert witness analyzing large-scale breaches, I’m do better. I strongly believe that it’s in all of our best
regularly called upon to look at the previous five years of interest to do so. If the RCPT comes to dominate and
penetration testing and vulnerability assessment reports tarnish the definition of a penetration test, we’ll all be
of a large number of companies. Also, in my own pen worse off. Fewer organizations will want to employ us
testing work with my team, I review many of my team’s for the high-quality work we all love to do.
reports, as well as take a critical eye to my own reporting The folks working on the Penetration Testing
output, always with the goal of making our results better Execution Standard (PTES) have done some fantastic
and more meaningful. In any given week, I read between work in defining procedures for conducting thorough,
two and five pen testing reports, and I spend a lot of time high-value penetration tests, and I celebrate their work.
thinking about their effectiveness. What I’d like to focus on in this article, however, is tips
And, I’ve got to tell you, a lot of penetration testers for helping to maximize the business value of your
generate absolutely horrible reports. Some of them penetration testing results, especially in the report itself.
are little more than regurgitated vulnerability scanning Look, most penetration testers can scan and exploit a
results, all packaged up and labeled as Penetration Test target environment. But what really differentiates the
Results. Admittedly, some organizations desire what I best of the best from the merely good is the ability
like to call the RCPT, the Really Crappy Penetration to provide value and drive change that helps an
Test. That is, they want to procure a test so that they organization improve its security stance. That has to be
can check off a compliance box saying that they got our relentless focus, as we strive to avoid the pit of the
a penetration test, but the last thing they want is test RCPT.


Keeping the Main Thing the Main Thing: It’s even that very important level of access is still a means
Not All About Shell or Even Domain Admin… to the end of demonstrating business risk. Decision
It’s Really About Business Risk makers in management of the target organization likely
As penetration testers, our hearts dance when we pop will not understand the risks they face if their penetration
a target box, getting that much-coveted shell access testers tell them that an attacker can conquer shell
to the machine. You know it and I know it. But please on a machine or even Domain Admin rights on their
realize that merely compromising machines actually Windows environment. The penetration tester who
isn’t the ultimate goal of your work. It’s a means to can show the implications of this access, such as the
an end. The end is to determine the business risk the ability to access millions of sensitive healthcare records
organization faces in association with the vulnerabilities or control systems that contain vital trade secrets, will
you’ve discovered. As you conduct a test, and especially provide so much more value.
as you prepare the report, make sure you always keep Joshua Jabra Abraham has written convincingly about
the main goal in mind: to determine, demonstrate, and goal-oriented penetration testing, in which a penetration
explain the risk to the business, as well as methods for tester focuses on achieving certain goals beyond
mitigating that risk. discovering vulnerabilities in a target environment.
One item in which some penetration testers fall short Abraham cites goals such as remotely gaining internal
in determining business risk involves a view of a target system access, gaining Domain Admin access, and
environment as just a group of individual machines. gaining access to credit card information. I strongly
Once they’ve gotten shell on one of them, such pen support the idea of goal-oriented testing, and urge
testers figure that they have a high-risk finding, and penetration testers to work with target system personnel
they call it a day. The real bad guys don’t do it that to define their goals in terms of business issues (not just
way. That initial compromise is the toe in the door, technical achievements) that are important to the target
and they view the entire group of machines and the organization.
network itself as their target. The real bad guys, whose When initially scoping a penetration test, make sure
work we need to mimic to understand business risk you ask target system personnel what their most
properly, pivot mercilessly, bouncing from that initial important information and processing assets are, and
compromised machine to other machines in the target what their nightmare scenarios for computer attacks
environment. might be. Sometimes, you may have to stretch their
Pivoting through a target, some penetration testers minds a little bit about what an attacker could actually
set their sites on seemingly very juicy prey: Domain do. Have an open and honest discussion about the
Admin rights in a Windows environment. But, honestly, possibility of economic loss (due to down time, stolen

��
��
��
��

��
��
��

��
� ��
��

��
� ��
��

��
��
� ��
��

��
��
��
��
��

��

Figure 1. Pen Tester C Has De�ned Business-Centric Goals that Go Beyond Shell and Domain Admin


STANDARD
money, diminished competitive advantage through showing business risk by gaining access to sensitive
stolen trade secrets, etc.), regulatory and compliance trade secrets instead of just technical dominance of
oversight (if a breach were to occur and government the target environment.
investigators were to come a-calling), lawsuit
possibilities from customers or business partners, Remember Who Your Primary Audience Is…
brand/reputation tarnishment, and physical threat to Not Other Pen Testers
life and limb. In a frank discussion about these points, Many really skilled penetration testers write their reports
I often ask target system personnel, What keeps you so that they will impress people like themselves, that is,
awake at nights in terms of computer attacks? This isn’t other penetration testers. I am often tempted to do this
about spreading Fear, Uncertainty, and Doubt, the lame myself, as I get into a mindset of I want to knock the
FUD used to scare people into better security practices. socks off of other penetration testers with the amazing
Instead, this is about an honest view of security risks work I did here, so I’m going to describe it all in terms
and how a penetration test can help determine how that pen testers will understand and get excited about.
realistic those risks are. While the temptation is understandable, it should be
For example, I was once discussing with a avoided. Impressing other penetration testers shouldn’t
manufacturing company their biggest worries about what be the real goal of our reports, as they aren’t the
an attacker could do in compromising their computing audience that will allow us to provide the most business
infrastructure. They were focused on whether a bad value in our reports.
guy could deface their website. I asked them whether Who is? For your executive summary, decision
they thought about an attacker who got access to their makers are. These people can allocate resources to
internal environment and stole their sales contacts, help alleviate the issues you’ve discovered if you can
swiped their future product plans, or gained control of make a convincing business-centered point to them.
their manufacturing equipment controls causing it to The remainder of your deliverable, however, should
malfunction or shut down. Are those things possible? be written with an eye toward providing maximum
they asked. Let’s structure a penetration test so we can value to the enterprise security professional and
carefully see if they are, I responded, as we set more the operations team. Phrase your discussion
business-centric goals for the test. and recommendations so that they help security
Consider the three penetration tests illustrated in people and system administrators implement your
Figure 1. In the first test (indicated by Pen Tester A recommended fixes. How? That’s what Tips number 3
with green text and arrows), the penetration tester and 4 are all about.
gets shell access on a target machine and reports
that a critical exploitable vulnerability was discovered, Provide the “How-To” In Your
but stops there. In the second test, Pen Tester B Recommendations
(whose work is illustrated by text and arrow B in In your recommendations for remediation, don’t just
blue) has gone deeper than the first tester, pivoting describe at a high-level the changes that need to be
after exploiting the initial flaw, by dumping hashes, made, but instead, include a practical step-by-step
conducting a pass-the-hash attack, and gaining
access to a machine with a Domain Administrator
token on it. This tester then seizes the Domain Admin
��
token, and writes up the results in a report, claiming
victory due to Domain Admin compromise. Pen Tester
B has certainly demonstrated some risks associated
with the original flaw better than the first pen tester.
��

But, it isn’t until we get to the third penetration tester,
Pen Tester C, shown with red arrows and text, who �
continues pivoting even after gaining Domain Admin
privileges, getting access to a machine with highly
sensitive trade secrets. This third penetration tester
will be able to best express the risk the organization
faces due to the collective flaws in its environment,
and make the best argument to management for ��
action. Note that not only does Pen Tester C pivot Figure 2. Different Styles of Recommendation Carry Different Levels
more than A or B, but Pen Tester C is also focused on of Business Value (and Risk of Something Going Horribly Wrong)


description of how to implement your recommended every finding? In many enterprises, a penetration test
change. Provide command-line or GUI screenshot report is split up among multiple groups or individuals,
examples that show how to make your recommended with each group assigned tasks to fix a subset of
changes. findings and receiving only the pages corresponding
Consider a straight-forward sample finding that many to their actions. If you include that text with only one
network penetration testers encounter, illustrated in finding, another group may get a separate part of
Figure 2. Suppose the target organization has internal the report, and not see the vital caveat you included
Windows machines that support NTLMv1, an older, in another section of the report. Does this get
weaker form of Windows authentication. A fairly low- redundant? Yes, but that redundancy is the price of
value finding would involve copying and pasting the reducing risk.
result from a vulnerability scanner recommending that
the target organization move to NTLMv2. But how? Provide the “How-To-Check-Remediation” In
A bit higher-value finding would tell the target Your Recommendations
organization to set the HKEY_LOCAL_MACHINESYSTEM Now, here’s a real gem that can help differentiate your
CurrentControlSetControlLSALMCompatibilityLevel registry penetration testing results and significantly increase
key value to 5 for servers. Such a recommendation is their value. In your recommendations for remediation,
certainly better than just saying to move to NTLMv2, include not only the how-to for implementing the fix,
but it still leaves open some questions of how target but also include a description of how the organization
environment personnel can do this. can verify that the remediation is in place. That way,
A higher-value finding might include information they can have some level of assurance that the fix is
about running a command such as the following on the working. The how-to-check description may be prose,
discovered impacted servers, which will alter the given but I like to go further, providing one or more command
setting to the recommended value: lines, GUI screenshots, or tool configurations that do
the job of verifying the efficacy of the remediation. You
C:> reg add hklmsystemcurrentcontrolsetcontrol lsa should write such recommendations so that they can
/v lmcompatibilitylevel /t REG_DWORD /d 0x5 be carried out by a skilled security professional or a
very knowledgeable system administrator, but don’t
To provide even more value, you can include a write them in a manner that only other penetration
walk-through of how to implement this finding using testers would be able to perform your recommended
Group Policy and then apply it to an entire Windows actions.
environment. The bottom line here is to always look For some findings, including a checking step is
at your recommendations, and see how well you’ve trivially easy. Consider the NTLMv2 recommendation
answered the question, But how? discussed earlier. You could add the following to that
I know what you are thinking. At this point, you are recommendation, significantly improving its value:
likely concerned that the more detailed you get with You can check this setting by running the following
your recommendation, the more risk that target system command:
personnel will blindly follow it, potentially wreaking
havoc in a production environment. This concern is C:> reg query hklmsystemcurrentcontrolset control
quite valid, and must be managed in the report itself. lsa /v lmcompatibilitylevel
That’s why I like to include language with every single
finding that says: You should verify that its output is 5, an indication that
These changes are based on their applicability to numerous the system is configured to use NTLMv2.
environments, but could have unknown consequences in this For small tweaks to configuration or the application
particular environment. For that reason, any recommended of various patches, Windows commands such as reg,
changes should be evaluated in a test environment first, wmic qfe, and wmic product are especially helpful. On
and then rolled out through proper, formal change control Linux, you’ll often rely on cat, grep, rpm, and running a
processes. If you do not test these configurations in an program with the –version option as a check.
experimental environment, they could result in downtime or For more complex recommendations, crafting a
other damage to a production environment. checking step that is suitable for non-penetration
testers can be much more of a challenge. For
I like to put this text in bold face font and italicize it example, writing a procedure to test whether Cross-
to emphasize its importance. I include it with every Site Scripting (XSS) defenses have been implemented
finding that requires a change of configuration. Why at first seems very difficult. If you suggest that they try


STANDARD
to enter certain specific test XSS strings to evaluate Prioritize Your Findings Carefully According
their newly implemented filters, it is quite possible to Impact and Probability of Exploitation
that the filters remove only the specific test strings The vast majority of penetration testing reports that
you’ve provided! The organization would then have I read prioritize finding based solely on whether the
a false sense of security, as other XSS strings would issue is high, medium, or low risk. While such rankings
still work against the target application. That’s why I’ll do provide a broad signal to decision makers and
sometimes craft my verification process around the technical personnel about where they should focus
running of a given tool with a specific configuration. their remediation activities first (high-risk items), the
So, for XSS, I’ll suggest that the organization run a so-called “HML” (High-Medium-Low) mechanism often
particular free XSS scanning tool that I know will put lacks the granularity many organizations need for
the application through its paces and give a reasonably prioritization with the high-risk category itself. That’s
good read on whether they have defended against why I recommend categorizing risks according to both
XSS more comprehensively than by just filtering a few their potential impact as well as their probability of being
test strings. successfully exploited. That way, organizations can get
When I first proposed adding these checking a better feel for the risk factors and focus their efforts
recommendations to our reports, some folks at the on items that are simultaneously high impact and rather
penetration testing company where I worked protested, likely to be exploited.
saying that this will lengthen the report writing time and Of course, there are far more complex methods
drive up our costs. But, I’ve found that adding this extra for assigning risk levels to discovered flaws, such as
information really only requires a few minutes for each the Common Vulnerability Scoring System (CVSS)
recommendation, and lends itself to templatization. It developed by FIRST. While CVSS is an excellent
may mean that your reports take ten percent longer to method for detailed analysis of flaws, some penetration
write, but their value to target system personnel will be testers find that its complexity and precision make it
significantly greater. difficult or costly to use in routine penetration testing.
At first blush, third-party penetration testers who do I’ve found that categorizing issues according to impact
assessment projects for other enterprises may think that and probability to be a happy medium between the too-
this recommendation will cost them future remediation simple HML approach and the more complex CVSS
verification work. That is, if you tell your customers how scheme.
to check their own remediation in your report, they’ll be In your executive summary at the start of a
less likely to come back to you for a retest to verify their penetration testing report, it can be useful to provide
fixes. While that is certainly true, quite honestly, retest a graphical summary of discovered issues according
work focused on verifying fixes tends to not be terribly to their relative importance to the organization. For
interesting, nor financially lucrative. I’d rather provide as HML-style findings, many penetration testers just cut
much value up front as I can, with the knowledge that and paste a bar chart showing the relative count of
I’m helping to cement the customer relationship for their
next real penetration test. ��
��

�

�
��

�
��
��
��
�
��

��
��
��
��
��

��
��
��
��
��
��
��
��

Figure 3. A Traditional Bar Chart Used with the HML Model Doesn’t Figure 4. A Matrix Showing Impact and Probability, with Circle Size
Convey Very Much Information or Business Value Indicating the Number of Each Type of Issue


high, medium, and low-risk issues discovered, which
doesn’t really convey that much information or value,
as shown in Figure 3.
Going beyond the simple bar chart, our team has
had a lot of success in showing a graphical summary
of discovered issues based on impact and probability
of successful exploitation using a multi-dimensional
graph, such as that shown in Figure 4. Here, we have
a matrix with the probability of successful exploitation
running along the X-axis, and the potential impact
going up the Y-axis, with a relative ranking of 1 to 5.
Note that we indicate the relative number of issues
discovered at each intersection by including a circle
whose area corresponds to the number of findings
there. A bigger circle indicates that the pen test team
identified more instances of this kind of finding. We
have had several customers tell us that this kind of
chart provides a more meaningful summary of our
results, and allows decision makers to more quickly
understand results and assign resources necessary
for remediation.

Conclusions
It is important to note that all of the recommendations
I’ve described here presume that you perform excellent
technical work. You must continuously strive for that.
Then, to add that final polish to your results, apply one
or more of these tips to maximize the business value of
your work.
We’ve discussed several different approaches for
providing significantly more value in your penetration
tests. Now, I’m not expecting that every reader will
follow every single tip here. But, I do hope that you’ll
incorporate at least one or two of these practices,
helping to drive up the business value of the work you
do. Working together to help define and provide high-
value penetration testing will help our industry avoid the
valueless death spiral of the Really Crappy Penetration
Test.

ED SKOUDIS
SANS Fellow and Pen Test Curriculum Lead
Author of SANS 504 and 560 Courses
Founder, Counter Hack Challenges

07/2011 (7) November http://pentestmag.com

INTERVIEW

Interview with
Dean Bushmiller
Dean currently consults on information assurance and
operational security. Proving insecurity by penetration testing
is a natural part of consulting. He focuses on converting the
business philosophy of „security is an obstacle” to „security is a
money maker”. He has served on 6 beta testing teams. He is the
subject matter expert on the 10 domains of the CISSP official
curriculum. Dean has been teaching on-line for 7 years and face-to-face for 11. As a non-military
person, Dean Bushmiller is a proud Recipient of 5 mission coins for preventing deer in the
headlights look.

Can you tell us a little bit about yourself This is a two-part question: You offer
and how you got involved in the field of Penetration Testing consultation in addition
Information Security? to Security Education, how do you divide
DB: It is odd how I got into security; I backed my your time between the two, and does one
way into Information Security from training. I was a play any role in the other?
technology trainer back when Windows 95 had major DB: As far as the task at hand, it depends on the year,
problems with basic print processing. Explaining why it but it averages out to 50/50. I really like consulting
worked and how it worked seemed easy to me. I could by referral from my students. They know my way of
read the big thick book and relate it to people. My doing things and appreciate it. As far as mental focus,
customers said, hey you can teach. I started to teach it’s never really divided, you know? The roles blend
technology and people would ask crazy questions. together quite nicely! I learn from everything I get to
One student decided to test me and started asking do and always try and bring it to the next experience.
questions from the then CD version of Microsoft’s Students in the classroom bring me new tools that I
Technet. I just kept on answering until he was bored. have never heard of before. As they are doing their
Then students started to ask me how to solve real homework, I am doing mine. Playing with that new
problems they were having. It seemed logical to tool, reading that book they talked about. I have a
look at packet traces and ask about protecting the big lab environment in my office, every version of
resources. I did my investigations for a few years, every operating system I can get my hands on built
helping people with bigger and bigger problems. Once up so I can test tools. Things that I learn in the field
while on a customer site, some guy was looking over make the training richer and deeper. Sometimes you
my shoulder and said in a very accusatory tone, What can read the things you need in books. Sometimes
are you doing? After I explained, he said that was a it takes doing it over and over, optimizing until it is
security problem not a technology problem. Stay out just right. And sometimes you create a great lesson
of the security! I did not know there was a distinction. I out of thin air. That creativity is the spark that keeps
thought all computing was computing and security was both the classroom and the consulting working well.
just another part. That is when I realized I had been in I am answer driven. I don’t care what the answer is;
the Information Security field for about three years. I I just want it so I can get to the goal of securing the
started doing more formal focused work and study in environment. If the client is wrong or I am wrong, who
the security field and here I am. cares? Let’s just get to the answer so we can fix it.


In the Upcoming Issue of

Client Side Exploits

Available to download
on December 2nd

Soon in Pentest!
• Ric Messier – Stealth Testing Using NMAP
• Aniket Kulkarni – Fuzzing Internals – Craft it!
• Nimrod Ben-Em – What XSS can’t do for you?
• Tal Null – Session Puzzling

and more...

If you would like to contact Pentest team, just send an email
to en@pentestmag.com. We will reply immediately.

Sql injection pen_test_07_2011_teasers

Sql injection pen_test_07_2011_teasers

Recommended

Recommended

More Related Content

Similar to Sql injection pen_test_07_2011_teasers

Similar to Sql injection pen_test_07_2011_teasers (20)

More from Amiga Utomo

More from Amiga Utomo (9)

Sql injection pen_test_07_2011_teasers