SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING Presented by: Dave Kennedy, Eric Smith
AGENDA Penetration Testing by the masses Review of current state by most service providers Deficiencies in the testing strategies & results The effects on the target organizations Real world threats How attackers operate Accurate demonstrations of impact to target organizations What REALLY needs to be done Understanding the purpose Improving the methodologies Do real work, don't fake it!
ABOUT US Just two guys with some ideas We like to hug it out Did we even bring a business card? We can talk shop and experience over beers after Mmmmm. Beer
TODAY S UGLY METHODOLOGY Collect Intel Scan Exploit Report
THE REAL WAY TO DO IT Intelligence Gathering Footprinting Vulnerability Analysis Exploitation Post-Exploitation Clean Up
REALITY CHECK Good hackers don't use expensive vulnerability scanners Good hackers don't use automated penetration testing Attackers don't have a scope or timeframes Attackers don't stop after the first successful exploit A good hacker doesn't define penetration testing
REPERCUSSIONS OF TODAY Primarily focused on smash and grab tactics Heaviest phase of testing is vulnerability scan(s) Attack vectors are determined by the success of the scans Procedures are dictated by the tools not the testers Focus and prioritization generally stops after one compromise Limited (if any) demonstration of impact
REALITY OF NON-SIMULATED ATTACKS Incident response is poorly handled Resistance to attacks is not measurable No insight into true threats No understanding of financial damage Impact to the business is unknown (See Next Presentation)
WHY TRADITIONAL TESTING IS DEAD Doesn't focus on business risk, but on exposure of vulnerability Clients prescribe their own medicine Replicates testing where an attacker has his hands tied Most testers don't know how to attack Same tests are done year over year Tools have made people lazy and less creative Roots have been forgotten
INFORMATION OVERLOAD Names Aliases Emails? IM? Screen names? Social Networks Used Media Communications Online Profile Communications Leaked Executive/Key Personnel and employee Profiles Blogs Personal IDs Social Landscape Raw Leakage Applications Used IP LEAKAGE Code Leakage Configuration Key Corporate Terms Physical Location Info Technologies used 3rd party apps Web Apps used Reference Resources Cloud usage Outsourced Data Carriers
PENETRATION TESTING - EVOLUTION True breach simulations tailored for the organization Intelligence gathering and reconnaissance improvements Focused attacks Improved demonstrations of impact Step away from the tools Think more like an attacker and less like an auditor The target is your information, not the perimeter
IN A PERFECT SCOPE AND METHODOLOGY Vulnerability scans Exploit frameworks Application vulnerability assessments That's it? Umm, no: Intelligence gathering Personnel profiling Phishing Client side/browser side attacking Post exploitation Social Engineering Fuzzing and 0-day development
INTELLIGENCE GATHERING Often excluded from penetration testing It's the easiest way to learn about your target w/o being detected Hackers do it, so should you Profiling will expedite your chances for success Basis to formulate your own attack matrix
INTELLIGENCE GATHERING - FOCA
FOCA USER HARVESTING
FOCA SOFTWARE ENUMERATION
INTELLIGENCE GATHERING - MALTEGO
INTELLIGENCE GATHERING - SHODAN
THE INFORMATION IS ABUNDANT
PERSONAL FAVORITE
INTEL PERSONNEL PROFILING
ASSET PROFILING It's not just port scans, OS and application fingerprinting Define the role of the system (approved and unknowns) Identifies additional vectors for attack Assigns a value of the asset to the business Only manual inspection will provide useful results Aids in developing an accurate attack matrix
POST EXPLOITATION It doesn't stop at a shell or an alert('xss') Additional vectors of attack Pivot attacks Password reuse Access to sensitive information Keylogging Proxies The list is endless
OK ENOUGH OF YOUR SMOKE AND MIRRORS! DOES THIS STUFF REALLY WORK?
SCENARIO 1 You are performing an external penetration test for the target company Only ports identified are 80, 443 and 25 No web application flaws were identified No public (or commercial) exploits were found Social Engineering is out of scope :(
ZERO DAY ANGLE The only route found is a potential 0-day Enumerating a target you identify a service: MailCarrier 2.51 SMTP Server Research reveals no vulnerability disclosures or exploits Suit up and start fuzzing!
FUZZING Brute force method for closed-source applications Traditional method for identifying vulnerabilities Many programs are available (Peach, Sulley, Spike, etc.) SMTP is a very easy protocol to recreate Be sure to build the protocol properly or risk inaccurate results
THE BASICS Multiple types of overflows Stack, heap, buffer, integer, etc. Main objective is to hijack execution flow and gain unauthorized access to the underlying system Not every overflow is exploitable Most will result in a simple DoS Most updates address improper bounds checks, input validation and sanitization
OVERFLOW QUICK GLANCE Main attack vector is through a buffer that doesn't properly check the length a user can input. Example:

#include <string.h>

char *code = "AAAABBBBCCCCDDD"; // including the terminating '\0', size = 16 bytes

int main(void)
{
    char buf[8];           // only 8 bytes of stack storage
    strcpy(buf, code);     // no length check: 16 bytes land in an 8-byte buffer (stack overflow)
    return 0;
}
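The fix the "most updates" bullet alludes to is a bounds check before the copy. The following added C example (not the talk's code) replaces the slide's strcpy() with a length-checked copy and shows it rejecting the same 16-byte string for the same 8-byte buffer; try_copy is a hypothetical helper so the check can be exercised with different buffer sizes.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for the slide's strcpy(): copies src into dst only if
   the whole string, including its terminating NUL, fits in dstsize bytes.
   Returns 0 on success and -1 on rejection; on rejection dst is left as an
   empty string rather than a half-copied one. */
int safe_copy(char *dst, size_t dstsize, const char *src) {
    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    size_t need = strlen(src) + 1;      /* count the NUL, as the slide does */
    if (need > dstsize) {
        dst[0] = '\0';
        return -1;                      /* would have overflowed: refuse */
    }
    memcpy(dst, src, need);
    return 0;
}

/* Hypothetical helper: simulates a destination buffer of dstsize bytes
   (capped at 64 here) and reports whether safe_copy accepts src for it. */
int try_copy(const char *src, size_t dstsize) {
    char buf[64];
    if (dstsize > sizeof buf)
        dstsize = sizeof buf;
    return safe_copy(buf, dstsize, src);
}

int main(void) {
    const char *code = "AAAABBBBCCCCDDD";   /* 15 chars + NUL = 16 bytes */
    char buf[8];                            /* same 8-byte buffer as the slide */
    if (safe_copy(buf, sizeof buf, code) != 0)
        printf("rejected: %zu bytes needed, %zu available\n",
               strlen(code) + 1, sizeof buf);
    else
        printf("copied: %s\n", buf);
    return 0;
}
```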
THE STACK
AFTER AN EXPLOIT
DEMONSTRATION Fuzz the application in order to obtain a crash. This exploit is a stack based overflow, so we will need to find where our instruction pointer is. Jump to our stack pointer and execute our shellcode.
EASY STUFF This is as easy as it gets when it comes to exploits. A stack overflow with an EIP overwrite is like a hallelujah. Another easy technique is a Structured Exception Handler (SEH) overwrite. Stack overflows are easy; they get harder when Windows protection mechanisms are in play.
DATA EXECUTION PREVENTION Data Execution Prevention (DEP) would have marked this stack non-executable, so the shellcode would not run. To bypass it, techniques such as return-to-libc and Return Oriented Programming (ROP) can defeat DEP. They can also be used to defeat Address Space Layout Randomization (ASLR).
BROWSER BUGS Heap Sprays - Can defeat ASLR; traditionally used in browser-based exploits, they fill the heap (dynamic memory) with shellcode and NOPs.
STACK CANARIES A random cookie is placed on the stack; if the cookie is found corrupted, execution is aborted. Seen less often, and can be defeated by the techniques mentioned earlier.
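Whether a binary asks for the DEP/NX and ASLR protections discussed on the last three slides is visible in its headers before it ever runs. The following added C example (not from the talk) parses an in-memory ELF64 image and reports a non-executable stack (PT_GNU_STACK without PF_X) and PIE (ET_DYN, the prerequisite for randomising the image base); build_sample is a hypothetical helper that constructs a minimal image so the check runs offline. It assumes a Linux toolchain with <elf.h>; canaries live in compiled code, not headers, so they are not covered.

```c
#include <elf.h>
#include <stdint.h>
#include <string.h>
enum { HARDEN_NX = 1, HARDEN_PIE = 2 };   /* result bits */

/* Reads the headers of an ELF64 image held in memory and reports which
   mitigations it asks the loader for: NX (PT_GNU_STACK lacking PF_X, the
   Linux equivalent of DEP for the stack) and PIE (ET_DYN, so ASLR can move
   the image). Returns -1 if the buffer is not a well-formed ELF64 image. */
int elf64_hardening(const unsigned char *buf, size_t len) {
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64)
        return -1;
    int flags = 0;
    if (eh.e_type == ET_DYN) flags |= HARDEN_PIE;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        uint64_t off = eh.e_phoff + (uint64_t)i * eh.e_phentsize;
        if (eh.e_phentsize < sizeof ph || off + sizeof ph > len) return -1;
        memcpy(&ph, buf + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK && !(ph.p_flags & PF_X))
            flags |= HARDEN_NX;     /* stack requested without execute */
    }
    return flags;
}

/* Hypothetical helper: builds a constructed, minimal ELF64 image (header
   plus one PT_GNU_STACK entry) for offline testing. Returns its size. */
size_t build_sample(unsigned char *out, int exec_stack, int pie) {
    Elf64_Ehdr eh; Elf64_Phdr ph;
    memset(&eh, 0, sizeof eh); memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_type = pie ? ET_DYN : ET_EXEC;
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = PT_GNU_STACK;
    ph.p_flags = PF_R | PF_W | (exec_stack ? PF_X : 0);
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    return sizeof eh + sizeof ph;
}

/* Build a sample with the given properties and check it in one call. */
int check_sample(int exec_stack, int pie) {
    unsigned char img[sizeof(Elf64_Ehdr) + sizeof(Elf64_Phdr)];
    return elf64_hardening(img, build_sample(img, exec_stack, pie));
}
```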
SCENARIO 2 You are performing an external penetration test for the target company Only ports identified are 80, 443 No web application flaws were identified No public (or commercial) exploits were found Social Engineering is IN scope :)
THE BREAKDOWN SSL VPN device is discovered Two factor authentication is implemented Brute force is not an option Intelligence gathering utilized to craft a strategic phishing attack Website is cloned and prepared on attack system Email is delivered to X number of internal resources
GOING A DIFFERENT ROUTE You just saw the ability to defeat two factor authentication Let's attack the client directly in this next scenario and go for internal access
WHAT DID WE LEARN The attacks discussed today aren't included in the majority of routine penetration tests Lack of general skillsets impacts success levels Lack of time produces inaccurate results and a false sense of security Lack of business buy-in to perform full scope testing continues the vicious cycle Organizations must demand more focused attacks and more niche security assessments.
GRADUAL PROGRESSION The commodity tests are surfacing Clients are beginning to understand they need more than the past Survival in this industry means providing value to the target organization
RETURN ON INVESTMENT A penetration test has no ROI if the report is filled with irrelevant findings Demonstrating impact will justify the cause and drive demand Relating testing strategies to the business and understanding what makes them tick will provide value
QUESTIONS?