Pentesting for fun... and profit! David M. N. Bryan and Rob Havelt

Similar documents
ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Penetration Testing - a way for improving our cyber security

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Internal Penetration Test

Demystifying Penetration Testing for the Enterprise. Presented by Pravesh Gaonjur

Penetration Testing in Romania

Learn Ethical Hacking, Become a Pentester

Windows Attack - Gain Enterprise Admin Privileges in 5 Minutes

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

Pentests: Exposing real world attacks

Penetration Testing Walkthrough

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

How We're Getting Creamed

Attack and Penetration Testing 101

!!!!!!!!!!!!!!!!!!!!!!

Evolution of Penetration Testing

The Top Web Application Attacks: Are you vulnerable?

Penetration Testing Report Client: Business Solutions June 15 th 2015

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

WHITEPAPER. Nessus Exploit Integration

Five Steps to Improve Internal Network Security. Chattanooga ISSA

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Anatomy of an ethical penetration test

IT HEALTHCHECK TOP TIPS WHITEPAPER

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

Using Nessus In Web Application Vulnerability Assessments

Application Security Testing. Generic Test Strategy

Course Duration: 80Hrs. Course Fee: INR (Certification Lab Exam Cost 2 Attempts)

CRYPTUS DIPLOMA IN IT SECURITY

Hackers are here. Where are you?

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services

Demystifying Penetration Testing

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

If you know the enemy and know yourself, you need not fear the result of a hundred battles.

Exploiting Transparent User Identification Systems

Professional Penetration Testing Techniques and Vulnerability Assessment ...

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

Penetration Testing Getting the Most out of Your Assessment. Chris Wilkinson Crowe Horwath LLP September 22, 2010

Application Security Testing

Hosts HARDENING WINDOWS NETWORKS TRAINING

Penetration: from Application down to OS

Metasploit The Elixir of Network Security

Vulnerability Assessment and Penetration Testing

Passing PCI Compliance How to Address the Application Security Mandates

A Decision Maker s Guide to Securing an IT Infrastructure

Next-Generation Penetration Testing. Benjamin Mossé, MD, Mossé Security

PENETRATION TESTING GUIDE. 1

SecurityMetrics Vision whitepaper

Defcon 20 Owning One To Rule Them All. Dave DeSimone Manager, Information Security Fortune 1000

Web Application Penetration Testing

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

Secrets of Vulnerability Scanning: Nessus, Nmap and More. Ron Bowes - Researcher, Tenable Network Security

Goal Oriented Pentesting Getting the most value out of Penetration Testing

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Penetration testing & Ethical Hacking. Security Week 2014

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

INTRODUCTION: PENETRATION TEST A BUSINESS PERSPECTIVE:

Justin Kallhoff CISSP, C EH, GPCI, GCIH, GSEC, GISP, GCWN, GCFA. Tristan Lawson CISSP, C EH, E CSA, GISP, GSEC, MCSA, A+, Net+, Server+, Security+

Secret Server Qualys Integration Guide

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

CYBERTRON NETWORK SOLUTIONS

Nessus scanning on Windows Domain

Conducting Web Application Pentests. From Scoping to Report For Education Purposes Only

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

This document describes the methodology used for validating the model, analysis, comments and test results from the model s application.

Department of Homeland Security

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP

Top 20 Critical Security Controls

Penetration Testing Lessons Learned. Security Research

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Network Security Audit. Vulnerability Assessment (VA)

Five Steps to Improve Internal Network Security. Chattanooga Information security Professionals

Vinny Hoxha Vinny Hoxha 12/08/2009

Protecting Your Organisation from Targeted Cyber Intrusion

Penetration Testing. ISACA - Atlanta

The Risks that Pen Tests don t Find. OWASP 13 April The OWASP Foundation

Penetration Testing Guidelines For the Financial Industry in Singapore. 31 July 2015

Creation of Pentesting Labs

Web application security

Top Security Challenges Facing Credit Unions Today. Chris Gates Lares Consulting

Rational AppScan & Ounce Products

Black Box Penetration Testing For GPEN.KM V1.0 Month dd "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!

Hackers are here. Where are you?

How I Learned to Stop Worrying and Love Compliance Ron Gula, CEO Tenable Network Security

Enterprise Cybersecurity: Building an Effective Defense

Hack Your SQL Server Database Before the Hackers Do

Technical Testing. Application, Network and Red Team Testing DATA SHEET. Test your security defenses. Expert Testing, Analysis and Assessments

Client logo placeholder XXX REPORT. Page 1 of 37

Earth vs. The Giant Spider: Amazingly True Stories of Real Penetration Tests

Transcription:

Pentesting for fun... and profit! David M. N. Bryan and Rob Havelt

Agenda Who are David & Rob? Why are we experts? Why do penetration tests? What is a penetration test? What is the goal? Some says it s a fad... What should be included? Critical data? Who is the audience? Methodology of pentest... Scripts, Tool, and Exploits oh my! Stories & Examples

David M. N. Bryan Computer Security Professional, Aka Hacker SpiderLabs DEFCON network goon OWASP Local and National DC612 Group President of TC Makers Hackerspace HAM radio license CISSP 10+ years security experience Play with electronics Video, Bikes, Brews beer

Rob Havelt Tinkering and hacking stuff since he was 7 Hates people but loves gatherings, isn t it ironic? Knows an awful lot about Zombie movies Built the Pen Test Team at SpiderLabs in 2005 Built 2 other successful Pen Test Teams before that Has been: A Webmaster, Sysadmin, Firewall Dude, Systems Guy, 3D Artist, Absurdist Performer, Pen Tester, TSCM Guy, and lots of other stuff.

Why are we experts. We have a lots of experience, no really... Over 1,900 pen tests in 2009 Finance/PCI Retail Manufacturing Hospitality Government Education Healthcare Other

Why do penetration tests? Assessments cost $$, for what value? Assessments often have a large scope Only identify flaws of in scope items Take a long time Requires internal resources & babysitting... So How do I get the most value out of a security engagement? Assessment - review policies, procedures, standards, run tools, etc... (~125-150K+) Get potential threats, huge report, lots of data to sift though Pentest, minimal coordination & babysitting (~10-50K) Get actualized threats, with real world issues Receive recommendations applicable to the environment

What is a penetration test? What isn t a pentest... Any scan, or any automated process that results in an automated report being created Many do this, but are just running Nessus, Qualys, ncircle, Rapid7, etc. Just using: Metasploit, Canvas, Core Impact, etc. What it should be... Finding and gaining unauthorized access to systems or computers that contain sensitive or confidential information Identifying systems or computers that have been left behind- not a comprehensive scan Justify budget for tools, services, personal

Goals Identify critical systems/applications Gather intel Identify critical assets Identify locations of data Subvert access controls of systems Gain access to sensitive or critical data Recommend controls Patching Hardening Logging/Auditing NAC Other weak or poor controls

Marcus says it s a fad...

just like crash testing Text

Intangible A lot of people have a hard time with the intangibility of security. We can look to tangible processes to illustrate what is appropriate, when. It can also cause big problems For Instance, if you hire an engineer to design something tangible and that thing immediately falls apart, you know you have an awful engineer. With a Security Professional, you might not know they are awful until you are successfully attacked, or you are exposed to someone better.

Principals of Testing In order for Testing to be a meaningful Quality Assurance Function: It should simulate attack conditions as accurately as possible It shouldn t just be focused on Gaining access to the environment or escalation of privileges that s only 2/5ths of an attack. I.e. I DON T CARE where you got shells. More focus should be given on ways to identify, acquire, and even exfiltrate data in the environment. If your tester isn t doing this, you are paying for a half finished job. Oh and Also: ENOUGH with the TOOLS already!! I trust a Pen Tester that immediately brings the conversation to their tool set about as much as I trust a doctor that sits me down and discusses what brand of scalpels they will be using.

Testing Types and Uses Application, Web Application Infrastructure Physical Social Most of what we will be talking about refers to infrastructure, physical, and social.

Scope? What should be in scope? Think networks, not systems Even Better think business processes Think data compromises, not number of systems Think remote access Define network ranges, and data targets, not specific systems A good pentester is quick... and doesn t necessarily need preparation

Critical Data This is rather the point isn t it? Any testing you do should be focused on this. We secure systems because we don t want an attacker to get critical data. Any test should be aimed at putting this into context.

Who s your Audience Who is going to read and make decisions based on this data? Decisions makers & influencers Middle management C-Level upper management Make sure the data being presented to these different levels is consumable Executive reports must make sense, and provide value.

Methodology Available Standards Open Source Security Testing Methodology Manual NIST SP800-115 CREST IACRB GPEN OSCP Etc, etc, etc... These Certs may only certify that your pentester can run tools...

Scripts, Tool, and Exploits oh my! Remember When Photoshop became popular in the 90 s? It was an extremely powerful tool to digitally produce certain effects that photography professionals had to do manually via double exposure camera tricks, and lighting effects. Simply owning a copy of Photoshop did not make you a photography professional. There was and still are a lot of people that think it does.

Scripts, Tool, and Exploits oh my! Cont. In the hands of a professional who understands the science and technique, Photoshop can be a very powerful tool.

Scripts, Tool, and Exploits oh my! Cont. In the hands of an amateur running random filters not so much. Plus, Photoshop is not the only thing you need to be a professional photographer and/or digital artist.

Certs... Adobe has a cert too called Adobe Certified Expert

Scripts, Tool, and Exploits oh my! Cont. Why am I taking up your time at an Infosec conference talking about Photoshop? Because there is a direct correlation here about what Photoshop did for professional photography and what automated pen test tools do for offensive security. Tools like Core, the new Metasploit Pro, and others can be useful/powerful in the hands of a professional. A professional doesn t really *need* these tools. They can often do amazing work without them.

Scripts, Tool, and Exploits oh my! Cont. So what tools does a Pen Tester use? Anything they need to get the job done! General Networking and sysadmin tools Custom stuff to do specific tasks Network proxies and servers Attack and exploit frameworks Monitoring and log tools There might be thousands of potential tools depending on the situation.

Let s Compare Methods and Results Let s Test an Ecom Network as an insider using host testing Client picks 10 IP s that are part of the Ecom system, tester only looks at those IP s and nothing else. What is there to test? Software vulnerabilities, and grievous configuration errors on those hosts. What are the results? There are a few minor findings and vulnerabilities noted, however, no compromise. CONGRATULATIONS! Your Ecom system is safe.

Let s Compare Methods and Results Let s Test an Ecom Network as an insider using holistic testing Client provides direction as to where the Ecom systems are, but the tester can get info from anywhere. What is there to test? All security controls around this system, interconnections and trust relationships that might be exploited, infrastructure configuration errors, architecture mistakes, as well as software vulnerabilities and configuration errors on the hosts. What are the results? Tester finds a forgotten system with blank local admin, dumps cached domain logins, gets him domain admin, which leads to a whole series of events which gives access to the ecom database. OH NO! Your Ecom system is faulty! Plus you know tons more about your general security control shortcomings.

Stories and Techniques

AD Domain enumeration Ad Tools enum4linux.pl - Null session? UID guessing to enumerate smbclient smbtree winexe tcpdump?

Password guessing... VNC, try default passwords, might get lucky... HTTP - again default passwords Medusa Password = username Password = password password = realldumbpassword Follow password account lockouts from enum4linux.pl

Man-In-The-Middle Wired Spoofing Inject ettercap-ng cain dsniff Get client to fallback to LanMan - Bingo Process ntlm challenges for others Bring hashes to rainbow tables Simply Pass The Hash... Wireless FakeAP Karma Karmetasploit

Web Why do my pentesters have to know about the Web? Directory enumeration SQL Injections Cross-Site Scripting Program execution PUT Methods Weak web systems Etc...

Payment Environment PCI DMZ - All was thought to be safe... Found a test VM system that was using unencrypted LDAP to login - Grabbed creds Use those creds to login to the local workstation Dumped system hashes and cashed creds using gsecdump (repacked) Grabbed local workstation admin account hash, reused it on about 50% of the machines on the domain. Found an AD account that could login via psexec to other domain systems (yeah!) Identified domain admins, found their workstation, dumped their workstation hashes (cracked off-line via rainbow tables)

Payment environment cont.. Once I got domain admin Hashes, used psexec to loging to DC Added a user to the domain and that user to the domain admins group (domain pwned). But that s not what the goal was... not we have to keep going... Next dumped 1,500+ user hashes from the DC, cracked them all. Found the 2 systems that were the jump servers into the PCI environment. 1 windows 1 Solaris 4 of the 1500 credentials were the same on the Windows system 104 of the 1500 worked on solaris Moral of the story, don t allow the same passwords to be used between these systems.

Wrap-up Pentesting... Can add a lot of value, if done right. The previous version of pentesting (running scanners) is dead. Long live the art of manual testing, with skilled and seasoned professionals!

Questions?

Thank you! Rob Havelt Director Penetration Testing, SpiderLabs rhavelt@trustwave.com David M. N. Bryan Senior Security Consultant Penetration Testing, SpiderLabs dbryan@trustwave.com

References http://en.wikipedia.org/wiki/web_2 http://blog.tenablesecurity.com/2008/12/marcus-ranum-pauldotcom-interviewon-penetration-testing-.html

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information