I Hunt Penetration Testers!

Similar documents
ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Penetration Testing Using The Kill Chain Methodology

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

STABLE & SECURE BANK lab writeup. Page 1 of 21

Black Box Penetration Testing For GPEN.KM V1.0 Month dd "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!

Ethical Hacking as a Professional Penetration Testing Technique

Taxonomic Modeling of Security Threats in Software Defined Networking

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Vulnerability Assessment and Penetration Testing

CYBERTRON NETWORK SOLUTIONS

Penetration Testing Walkthrough

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Learn Ethical Hacking, Become a Pentester

APPLICATION SECURITY AND ITS IMPORTANCE

Threat Intelligence Pty Ltd Specialist Security Training Catalogue

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Penetration Testing for iphone Applications Part 1

Application Security in the Software Development Lifecycle

Where every interaction matters.

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

Windows Remote Access

Penetration Testing with Kali Linux

S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M. Bomgar. Product Penetration Test. September 2010

Securing ios Applications. Dr. Bruce Sams, OPTIMAbit GmbH

Check list for web developers

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Auditing the Security of an SAP HANA Implementation

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

Penetration Test Report

Project 2: Web Security Pitfalls

CSSIA CompTIA Security+ Domain. Network Security. Network Security. Network Security. Network Security. Network Security

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

That Point of Sale is a PoS

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

Hack Proof Your Webapps

The Key to Secure Online Financial Transactions

Threat Advisory: Accellion File Transfer Appliance Vulnerability

ABSTRACT' INTRODUCTION' COMMON'SECURITY'MISTAKES'' Reverse Engineering ios Applications

TUNNA. A tool designed to bypass firewall restrictions on remote webservers. By: Rodrigo Marcos Nikos Vassakis

10 best practice suggestions for common smartphone threats

WHITEPAPER. Nessus Exploit Integration

Locked Shields Kaur Kasak 24 Sept 2013

Security A to Z the most important terms

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Penetration Testing Report. Client: xxxxxx Date: 19 th April 2014

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

RMAR Technologies Pvt. Ltd.

Post-Access Cyber Defense

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

WHITE PAPER Usher Mobile Identity Platform

How To Manage Security On A Networked Computer System

Offensive Security. Advanced Web Attacks and Exploitation. Mati Aharoni Devon Kearns. v. 1.0

Bomgar Corporation. Bomgar Application Security Assessment Summary January 26, This document is the property of Bomgar Corporation.

Server Security. Contents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Aliases 4

Potential Targets - Field Devices

Thick Client Application Security

Web Application Security

Shell over what?! Naughty CDN manipulations. Roee Cnaan, Information Security Consultant

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

Conducting Web Application Pentests. From Scoping to Report For Education Purposes Only

BUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM

Protecting Your Organisation from Targeted Cyber Intrusion

Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks

How To Classify A Dnet Attack

MaaS360 Mobile Enterprise Gateway

Exploiting Fundamental Weaknesses in Command and Control (C&C) Panels

INSTANT MESSAGING SECURITY

Cyber Essentials. Test Specification

Web application testing

MaaS360 Mobile Enterprise Gateway

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

The Hidden Dangers of Public WiFi

How To Protect A Web Application From Attack From A Trusted Environment

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

2012 Data Breach Investigations Report

Firewalls and Software Updates

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

Internal Penetration Test

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification

Project X Mass interception of encrypted connections

How to hack a website with Metasploit

SiteLock. Internet Security: Big Threats for Small Business. Presented by: Neill Feather, President

CIT 480: Securing Computer Systems. Vulnerability Scanning and Exploitation Frameworks

PowerShell. It s time to own. David Kennedy (ReL1K) Josh Kelley (Winfang) Twitter: dave_rel1k

Certified Ethical Hacker Exam Version Comparison. Version Comparison

ICSA Labs Web Application Firewall Certification Testing Report Web Application Firewall - Version 2.1 (Corrected) Radware Inc. AppWall V5.6.4.

Web application security: automated scanning versus manual penetration testing.

Transcription:

I Hunt Penetration Testers! More Weaknesses in Tools and Procedures Wesley McGrew, Ph.D. Distributed Analytics and Security Institute Mississippi State University http://mcgrewsecurity.com wesley@mcgrewsecurity.com @mcgrewsecurity

Introduction Wesley McGrew Distributed Analytics & Security Institute, Mississippi State University Halberd Group Vulnerabilities, Reverse Engineering, Forensics, Cyber Operations @McGrewSecurity wesley@mcgrewsecurity.com

What we re talking about today Operational Security for Penetration Testers (whilst trying to not rip off The Grugq) Communication and Data Security Issues (not just bugs ) Illustrating and Classifying Risks Posed by Your Tools Recommendations For penetration testers and those who hunt them

Previously

Previously

Previously @IHuntPineapples

Value of Pen Testing Data Awareness/Understanding of Risk/Vulnerabilities

Counter-Intuitive Penetration testers, presumed experts of offense, largely aren t mindful of their own security. Reasons Training - Classes, books, certifications Toolchain maturity Lack of documented incidents

When we lack the capability to understand our tools, we operate at the mercy of those that do.

Assumptions Regarding Realistic Attacks An attacker may operate with sophistication, skill, and resources that exceed that of the targeted pentester (Maybe this work can repair the imbalance) May be positioned physically/network-wise convenient for interception and modification of traffic MiTM may not be feasible for general skiddie schemes, but makes sense in this context

Goals Victimology: Is the ultimate target The penetration tester? Firm information used for fraud Sabotage The client(s)? Sensitive information Vulnerabilities Persistence Embarrassing leak (zf0-esque)

Why this is attractive Penetration tester exist outside of the client s culture/structure yet wind up with extensive access break technical/policy measures, by definition already ought to look like good attackers, why not ride along? Theft of tools and techniques (if they re any good) Private exploits, feeds, commercial tools Hide bugs from testers, prevent identification/remediation Smoke screen

Operational Security Issues Standalone Exploits Payloads Rarely annotated, testers frequently not trained in disassembly/ comprehension Frequently acquired in desperation, wielded without discretion Each encoded string and payload represents a part of the exploit s code that the penetration tester must either fully understand or place trust in by association with its source. Trust decision forced by he lack of training and skill in programming, vulnerability analysis, and exploit development among penetration penetration testers.

Operational Security Issues From an early draft Many websites where exploits are distributed, including the popular Exploit Database, operate over plaintext HTTP, which would allow an attacker in the right position to man-in-themiddle rewrite or replace exploit code being downloaded by penetration testers. This is no longer true for exploit-db.com! Kudos!

Operational Security? Exploitation How to compromise a system, without everyone knowing how you compromised the system? How to prevent them from modifying your payload? Tunnelling to dropped/installed appliances to reduce exposure?

Metasploit, The Gold Standard Most versatile free payload: Meterpreter Supports encryption since 2009 Primarily for evasion? How to establish keys, secure communication against an attacker who gets involved EARLY in the process?

Extending the Network Low-power physical implants Rogue WiFi Cellular Data SMS Are out-of-band extensions opening up attack surface/ intercept opportunities?

Data at Rest Exfiltrated data, information for reports what are you storing? Where is it located? Implanted devices? Physically secure? Data encrypted? If volume-based, how much time does it spend unlocked? Where are the keys? Who has access? Secure deletion? When?

Point of Contact Communications Communications Scoping Emergency contacts during tests Report delivery

Classifying Tool Safety Dangerous - May cause vulnerability. Known vulnerabilities, or communications clearly subject to interception/modification Use With Care - Defaults that lead to Dangerous situation, but can be configured in a way that mitigates risk Naturally safe - Defaults to secure communications, safe for normal use cases Assistive - Non-penetration-testing attack tools, but can be utilized to help with concerns above Imperfect: Ex. so few pentesting tools protect saved results, it isn t even considered here

Example: Tools in Kali Tool Classification Rationale BeEF sqlninja dirbuster searchploit Metasploit exploitation with Meterpreter payload SET with Meterpreter payload cymotha nc Dangerous Use With Care Use With Care Assistive Use With Care Use With Care Dangerous Dangerous Default pen tester interface is HTTP listening for connections from anywhere, with a default username and password. Recommend at least configuring/firewalling it to only listen on the localhost (or specific remote ones), changing passwords in the config file. Hooked clients communicate with the server via unencrypted HTTP, which may be unavoidable. This is incredibly useful software, though, just be very careful with where it s deployed and where the hooked clients are. Interacts with the target database over a vulnerable web application, so communications-wise you re at the mercy of the target application being accessible over HTTPS. Be mindful of where you launch this from when targeting HTTP-only apps. This classification could be valid for nearly any scanning software. If pointed at unencrypted services (in this case, HTTP), then your findings are essentially shared with anyone listening in. By providing a mechanism for searching a local copy of the Offensive Security Exploit Database acquired as a secure package that would otherwise be accessed through the non-https exploitdb.com, this tool provides a set of standalone exploits that have gone through at least some vetting. Metasploit has a lot of functionality, but specifically for launching an exploit and deploying a meterpreter payload, the communication channel is fairly safe. An attacker may be able to observe and conduct the same attack, though. Similar rationale as Metasploit. The resulting channel is safe, unless you are hijacked on the way there. None of the provided injectable backdoors offer encryption. Could potentially modify this to include some more robust backdoors, or use the script execution backdoor to configure an encrypted channel. Good old vanilla netcat, like your favorite book/trainer taught you, gives you nothing for communications security. ncat Naturally Safe Netcat, but with SSL support that one can use. You ll need to set up certificates for it.

Security of Implantable Devices Pwnie Express Pwn Plug 1.1.2 Pwn the Pwn Plug - DEF CON 23 Crafted packet > XSS > CSRF > Command Injection Hak5 WiFi Pineapple Mark V <2.0.0 Authentication bypass Recent improvements Clone devices: WORSE Inherent problems with low-powered penetration testing devices

New Pineapple Stuff Come to the talk.

Check six. Test tools and exploits before operational use Be aware of exposed information Know the network environment between you and the target. Minimize it. Recommendations

Recommendations Take care when extending networks Keep client data, at rest & in transit, encrypted Secure archiving, deletion between engagements Secure communication with client

Recommendations Stay Alert! Training, Education, Instruction Paint a more realistic picture (or any picture at all) of the network environment between the attacker and the target Post-exploitation focus on establishing secure command and control, exfiltration

Contributions? Hopes and Dreams? Reduced client exposure Improved tools and training Maturity and advancement of penetration testing as a profession (I m not holding my breath but maybe you could give it a shot)

Questions? I ll be around. (or, contact Wesley) wesley@mcgrewsecurity.com @mcgrewsecurity

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information