Penetration Testing Lessons Learned. Security Research



Similar documents
Penetration Testing with Kali Linux

The Top Web Application Attacks: Are you vulnerable?

Professional Penetration Testing Techniques and Vulnerability Assessment ...

Learn Ethical Hacking, Become a Pentester

Vulnerability Assessment and Penetration Testing

Rational AppScan & Ounce Products

Adobe Systems Incorporated

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Detailed Description about course module wise:

Internal Penetration Test

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

Using Web Security Scanners to Detect Vulnerabilities in Web Services

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso

Data Breaches and Web Servers: The Giant Sucking Sound

Application Security Testing

CRYPTUS DIPLOMA IN IT SECURITY

Penetration Testing Walkthrough

How To Write A Web Application Vulnerability Scanner And Security Auditor

OWASP OWASP. The OWASP Foundation Selected vulnerabilities in web management consoles of network devices

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Audience. Pre-Requisites

Penetration Testing Corporate Collaboration Portals. Giorgio Fedon, Co-Founder at Minded Security

A Network Administrator s Guide to Web App Security

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Web App Security Audit Services

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

Manipulating Microsoft SQL Server Using SQL Injection

Penetration Testing Report Client: Business Solutions June 15 th 2015

Web Security School Final Exam

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Web Application Security

Cyber Essentials. Test Specification

Web Applications The Hacker s New Target

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Penetration Testing. Types Black Box. Methods Automated Manual Hybrid. oless productive, more difficult White Box

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION


MANAGED SECURITY TESTING

Security Products Development. Leon Juranic

Aiming at Higher Network Security Levels Through Extensive PENETRATION TESTING. Anestis Bechtsoudis. abechtsoudis (at) ieee.

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

Thick Client Application Security

Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall

Understanding Security Testing

Detecting SQL Injection Vulnerabilities in Web Services

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Lecture 15 - Web Security

Penetration Testing. What Is a Penetration Testing?

EC-Council Certified Security Analyst (ECSA)

Attack and Penetration Testing 101

Keyword: Cloud computing, service model, deployment model, network layer security.

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Inside-Out Attacks. Security Event April 28, 2004 Page 1. Responses to the following questions

Web Application Report

How To Classify A Dnet Attack

Inside-Out Attacks. Covert Channel Attacks Inside-out Attacks Seite 1 GLĂ„RNISCHSTRASSE 7 POSTFACH 1671 CH-8640 RAPPERSWIL

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

Intrusion detection for web applications

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Comparing the Effectiveness of Penetration Testing and Static Code Analysis

How Strong Is Your Fu?

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

Course Duration: 80Hrs. Course Fee: INR (Certification Lab Exam Cost 2 Attempts)

Proxies. Chapter 4. Network & Security Gildas Avoine

Pentests: Exposing real world attacks

SAST, DAST and Vulnerability Assessments, = 4

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0.

Intunex Oy Skillhive Service Description 1 / 6

STABLE & SECURE BANK lab writeup. Page 1 of 21

Why Web Applications are making a hackers life easy. Presented by Jon Grew BT SBS

Web Vulnerability Scanner by Using HTTP Method

Automated Penetration Testing with the Metasploit Framework. NEO Information Security Forum March 19, 2008

Migrating helpdesk to a new server

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Streamlining Web and Security

(WAPT) Web Application Penetration Testing

INTRODUCTION: SQL SERVER ACCESS / LOGIN ACCOUNT INFO:

Chapter 1 Web Application (In)security 1

Guarding Against SQL Server Attacks: Hacking, cracking, and protection techniques.

Penetration Test Report

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Web Application Security

Using Nessus In Web Application Vulnerability Assessments

Protecting Your Organisation from Targeted Cyber Intrusion

Penetration Testing. NTS330 Unit 1 Penetration V1.0. February 20, Juan Ortega. Juan Ortega, juaorteg@uat.edu. 1 Juan Ortega, juaorteg@uat.

Improving Web Vulnerability Scanning. Daniel Zulla

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

We protect you applications! No, you don t. Digicomp Hacking Day 2013 May 16 th 2013

ASL IT SECURITY XTREME XPLOIT DEVELOPMENT

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Transcription:

1 Penetration Testing Lessons Learned Security Research

2 Who am I? CTO at Immunity, Inc. Privately held information security company Consulting Training Specialized Security Products CANVAS SILICA Based in Miami Beach

3 Remote Shells Can Happen To Anyone Vertical: Manufacturing Scope: 1-week Web Assessment of a single employee admission process application (semi-blind) Result: J2EE based application was installed on Windows was able to upload trojan.jsp (with trailing space) and then browse to it. Mitigation: Customer removed upload functionality entirely, and planned a move to Linux

4 3 rd Party Software = Fun Vertical: Financial Scope: 2 week internal assessment of large web application assessment and entire environment Was previously assessed by Immunity Has rather advanced custom IDS based on SQL Server Queries being sniffed and checked for anomalies

5 Serv-Who? Serv-U old vulnerable version of 6.1.0.1 No known advisory or exploit Immunity did fast binary assessment and attempted fuzzing, but no luck Bob's Charting Server Found several vulnerabilities, but did not get a shell from them

6 Architecture is hard DB Tiers tied together Null SA passwords found COM+ required massive firewall ruleset holes No exfiltration filters IE vulnerability went public during test

IDS Doesn't Work 7

8 Remote Anonymous Ownership Vertical: Manufacturing Scope: Remote, anonymous penetration test of class C, open-source information gathering mail servers web servers DNS servers webmail a customer portal a Citrix server connection

Remote access please! 9

File sharing is nice too... 10

Lots of machines to see now 11

Being Admin is more fun (thanks Citrix Print Provider Overflow!) 12

This only looks easy... Immunity ICA Citrix Server SMB Same admin password or MS06-040 Cracked Domain User Admin on all machines Previous cracking plus manual tries gets domain admin AD Browsing tells us domain admin 13

14 Open Source Information Places your employees go Spoke install a Browser Helper Object to export company information anyone? FuckedCompany Vault.com Google/Yahoo groups

15 Not even 0day works every time Vertical: Manufacturing Scope: Assess custom website Result: Binary analysis of /scripts/bobip.dll finds heap overflow

0day to Remote MOSDEF Shell! 16

17 Sometimes a firewall will slow you down MOSDEF shell dies after a few minutes. Why? Connection was getting a RST for no reason Tried many variations on the shellcode, which seemed to improve things But reaction of target was random so what was the problem? Post-game analysis indicates probable PIX firewall was closing our connection since we tunnelled over HTTP but did not look like HTTP

18 Quick hits under pressure Vertical: Financial Scope: several hour night assessment of 3 class C networks Result: Found SQL Injection, some cross site scripting. Exploited SQL Injection to dump database information, but was unable to get shell access. First ODBC error was found in three hours.

19 Architecture is a continuing problem! NonSensitive (asp) SQL Injection Immunity Sensitive (ASP.Net) Shared DB VerySensitive (Custom)

20 Follow up is essential Scope: Same application, but on-site and informed Customer ran $25K automated web penetration testing tool as well 100% false positives and 100% false negatives

21 Results Cryptographic problem in cookie Can replace usernames and become other people Remote File Include Useful for turning a black-box test into a white-box test Overflows Oversight commission not amused

22 The latest technology is not the most secure Vertical: Manufacturing Scope: 1 week penetration test of web application Architecture: Modern Web 2.0 application built on IIS 6.0, Flash, and Adobe FLEX

23 Auth problems Immunity Web Application Web Service Nothing tied the authentication together! Web authentication also easily bypassed

24 Conclusions 0day vulnerabilities on third party components are a large part of penetration testing There's more to web application testing than Cross Site Scripting and SQL Injection Automated scanners are not finding the problems A poorly designed architecture can make life a lot more fun for a hacker

25 Thank you for your time Contact me at: dave@immunityinc.com Security Research Team

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information