Penetration Testing Engineering Secure Software Last Revised: July - - PowerPoint PPT Presentation



SLIDE 1

SWEN-331: Engineering Secure Software Benjamin S Meyers

Penetration Testing

Engineering Secure Software

Last Revised: July 28, 2020

SLIDE 2

Testing That Digs Deeper

  • Penetration testing is about attempting to exploit as much as possible (ethically)
  • Purposes
    ○ Demonstrate the person-hours required to break in
    ○ Create a real scenario
  • Compared to typical SE testing
    ○ Typical: “Found a stacktrace! Report bug”
    ○ PenTesting: “How can we use this stacktrace?”
    ○ Map out a long set of chains of attacks


SLIDE 3

Preconditions

  • Requires a working system
    ○ Not necessarily finished, but working
    ○ As networked as possible -- for pivoting
    ○ Highly skilled testers
  • Outsider
    ○ Not pre-knowing company secrets
    ○ Most companies hire outside pentesters, but in-house pentesters are highly marketable
    ○ Can be a good “side-hustle” for you in existing dev organizations


SLIDE 4

MITRE’s ATT&CK and CAPEC

  • ATT&CK
    ○ Taxonomy of tactics and techniques for general purpose pentesting knowledge
    ○ Tactics: broad categories
    ○ Techniques:
      ■ Tool-agnostic approaches
      ■ Somewhat technology-dependent
  • CAPEC:
    ○ “Common Attack Pattern Enumeration and Classification”
    ○ A dictionary of attack patterns
    ○ Organized by mechanisms and domains
    ○ Not covered in this lecture, but referenced in a few VOTD


SLIDE 5

CAPEC Example

  • 649: Adding a Space to a File Extension
    ○ “An adversary adds a space character to the end of a file extension and takes advantage of an application that does not properly neutralize trailing special elements in file names. This extra space, which can be difficult for a user to notice, affects which default application is used to operate on the file and can be leveraged by the adversary to control execution.”
    ○ Why is this a problem?
    ○ How do you prevent this?
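The trailing-space problem from CAPEC-649 and one way to prevent it, as an added example that is not from the slides: a denylist applied to the raw suffix lets "payload.exe " through, while normalizing first and then allowlisting does not. The denylist and allowlist values are constructed for illustration.

```python
import os
import unicodedata

# Constructed policy for the example: file types an upload handler refuses (a denylist),
# and the file types it actually needs to accept (an allowlist).
BLOCKED_EXTENSIONS = {".exe", ".bat", ".cmd"}
ALLOWED_EXTENSIONS = {".pdf", ".png", ".txt"}


def naive_is_safe(name: str) -> bool:
    """The check CAPEC-649 defeats: a denylist applied to the raw suffix.

    'payload.exe ' has the suffix '.exe ' (with a space), which is not in the
    denylist, yet Windows drops trailing spaces and dots before choosing a handler.
    """
    _, ext = os.path.splitext(name)
    return ext.lower() not in BLOCKED_EXTENSIONS


def normalize_filename(name: str) -> str:
    """Canonicalize the name the way the receiving OS will before it picks a handler."""
    name = unicodedata.normalize("NFKC", name)  # fold no-break spaces etc. into ASCII
    return name.rstrip(" .")  # strip every trailing space and dot, not just one


def hardened_is_safe(name: str) -> bool:
    """Normalize first, reject anything that changed, then allowlist the extension."""
    clean = normalize_filename(name)
    if not clean or clean != name:
        return False  # the name carried trailing special elements
    _, ext = os.path.splitext(clean)
    return ext.lower() in ALLOWED_EXTENSIONS
```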


SLIDE 6

ATT&CK Tactics

  • Pre-ATT&CK: The adversary is building capabilities and doing initial research.
  • Initial Access: The adversary is trying to get into your network.
  • Discovery: The adversary is trying to figure out your environment.
  • Privilege Escalation: The adversary is trying to gain higher-level permissions.
  • Defense Evasion: The adversary is trying to avoid being detected.
  • Credential Access: The adversary is trying to steal account names and passwords.
  • Collection: The adversary is trying to gather data of interest to their goal.


SLIDE 7

ATT&CK Tactics

  • Execution: The adversary is trying to run malicious code.
  • Persistence: The adversary is trying to maintain their foothold.
  • Lateral Movement: The adversary is trying to move through your environment.
  • Command and Control: The adversary is trying to communicate with compromised systems to control them.
  • Exfiltration: The adversary is trying to steal data.
  • Impact: The adversary is trying to manipulate, interrupt, or destroy your systems and data.


SLIDE 8

ATT&CK Techniques

  • There are a lot of techniques. For this class, including exams, we’ll focus on just a few key ones.


SLIDE 9

Key Techniques: Initial Access

  • Drive-by Compromise
    ○ Users visit malicious sites
    ○ e.g. executing JavaScript with a browser exploit in it that takes control of a machine
  • Hardware Additions
    ○ Introducing new hardware to the system
    ○ e.g. hardware keystroke loggers, keystroke injection, network sniffers, portable cell-phone towers
  • Spearphishing
    ○ Confidence scamming exploiting the specific company
    ○ We see these at RIT all the time


SLIDE 10

Examples: Spearphishing at RIT

Example 1:
From: RIT LEADER NAME <RIT_email@non_rit_address>
Subject: W2 for employees

NAME,
Can I have a PDF copy of all employees W2 for the recent tax year?
Thanks,
RIT LEADER NAME

Example 2:
From: RIT LEADER NAME <RIT_email@non_rit_address>
Subject: R.I.T University Alert!

Hello
We received your request to disable your Email and process has started. If you did not make this request, please Undo Request Now. Your email access will be denied.
Thanks

Example 3:
From: RIT LEADER NAME <RIT_email@non_rit_address>
Subject: Memo from HR Department

Greetings,
You have a message from the Human Resources Department. Click here to view your message.

Example 4:
From: RIT LEADER NAME <RIT_email@non_rit_address>
Subject: Request

Hello NAME,
Are you available, We are giving out eBay gift cards to patients at Hospice Care Units across the community, the cards I bought aren't enough. Can you order 8 eBay gift cards of $200 each online or pick them from any drug or grocery store?


SLIDE 12

Key Techniques: Discovery

  • Network and Service Scanning (we’ll explore this later)
    ○ Run tools to enumerate hosts and ports
    ○ Figure out what services are running
    ○ e.g. nmap, unicornscan
  • Account Discovery
    ○ Find a listing of the existing accounts
    ○ e.g. /etc/passwd


SLIDE 13

Key Techniques: Credential Access

  • Brute Force
    ○ e.g. password guessing
  • Credential Dumping
    ○ e.g. dump a database table with credentials
    ○ e.g. copy the /etc/shadow file
  • Valid Accounts
    ○ e.g. using default accounts (Windows guest, default DB)
    ○ e.g. using discovered credentials from other access
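Detection logic for the Brute Force technique above, as an added example that is not from the slides: it is run over constructed sshd log lines in syslog format, flags a source that fails repeatedly inside a short window, and records whether that source later logged in (the Valid Accounts case, a guess that worked). The threshold and window size are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth-log excerpt (syslog format, not real data): one source guesses
# five accounts in a few seconds and then logs in; a second source fails once.
SAMPLE_LOG = """\
Jul 28 10:00:01 web1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2
Jul 28 10:00:03 web1 sshd[2002]: Failed password for invalid user test from 203.0.113.7 port 50113 ssh2
Jul 28 10:00:04 web1 sshd[2003]: Failed password for root from 203.0.113.7 port 50114 ssh2
Jul 28 10:00:06 web1 sshd[2004]: Failed password for alice from 203.0.113.7 port 50115 ssh2
Jul 28 10:00:07 web1 sshd[2005]: Failed password for bob from 203.0.113.7 port 50116 ssh2
Jul 28 10:00:09 web1 sshd[2006]: Accepted password for alice from 203.0.113.7 port 50117 ssh2
Jul 28 10:20:00 web1 sshd[2100]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Jul 28 10:25:00 web1 sshd[2101]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_events(log_text):
    """Yield (timestamp, result, user, ip) for every sshd auth line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog omits the year; pin one so timestamps are comparable
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2020)
            yield ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failures inside a sliding window; a later
    success from a flagged source is recorded, since that is the guess that worked."""
    recent = defaultdict(list)  # ip -> [(ts, user)] failures still inside the window
    alerts = {}
    for ts, result, user, ip in parse_events(log_text):
        if result == "Failed":
            recent[ip] = [(t, u) for t, u in recent[ip]
                          if (ts - t).total_seconds() <= window_seconds]
            recent[ip].append((ts, user))
            if len(recent[ip]) >= threshold:
                hit = alerts.setdefault(ip, {"users": set(), "success_after": False})
                hit["users"].update(u for _, u in recent[ip])
        elif ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts
```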


SLIDE 14

Key Techniques: Execution & Persistence

  • Execution
    ○ Command-line interface (e.g. ssh terminal, powershell)
    ○ Service execution (e.g. adding a new “service” to be executed)
  • Persistence
    ○ Bootkit
      ■ Place malware in the Master Boot Record of the HDD
      ■ Executed even after reformatting OS partition
    ○ Scheduled task (e.g. crontab or Windows Task Scheduler)
      ■ Also an Execution technique
    ○ Create account
    ○ Component firmware
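An added example that is not from the slides, tying Account Discovery (slide 12) to the Create account persistence technique above: the same /etc/passwd an adversary enumerates is what a defender diffs against a trusted baseline to catch a new account, a second UID-0 account, or a service account that suddenly has a login shell. The passwd entries are constructed.

```python
# Constructed /etc/passwd snapshots (not from a real host). The "after" copy shows two
# changes an intruder might make: a second UID-0 account and a service account given a shell.
PASSWD_BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postgres:x:113:118:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
PASSWD_AFTER = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
postgres:x:113:118:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysadm:x:0:0:system maintenance:/var/tmp:/bin/bash
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Map user name -> (uid, gid, home, shell) from passwd(5)-formatted text."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        accounts[name] = (int(uid), int(gid), home, shell)
    return accounts


def audit_accounts(baseline_text, current_text):
    """Compare a trusted baseline with the live file and return sorted findings:
    ("new_account", name), ("extra_uid0", name), ("shell_enabled", name)."""
    base = parse_passwd(baseline_text)
    current = parse_passwd(current_text)
    findings = []
    for name, (uid, _gid, _home, shell) in current.items():
        if name not in base:
            findings.append(("new_account", name))
        elif base[name][3] in NOLOGIN_SHELLS and shell not in NOLOGIN_SHELLS:
            findings.append(("shell_enabled", name))  # nologin account now interactive
        if uid == 0 and name != "root":
            findings.append(("extra_uid0", name))  # another account with root's UID
    return sorted(findings)
```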


SLIDE 15

Key Techniques: Privilege Escalation

  • Process Injection
    ○ Executing arbitrary code in an existing, legitimate process space
    ○ e.g. changing the path of a DLL at runtime, stack smashing, LD_LIBRARY_PATH
  • setuid and setgid
    ○ “Execute as the owner’s rights, not as the executing user’s rights”


SLIDE 16

Key Techniques: Defense Evasion

  • Techniques that adversaries use to avoid detection throughout their compromise
    ○ Access Token Manipulation
    ○ Binary Padding
    ○ Clear Command History
    ○ Connection Proxy
    ○ ...


SLIDE 17

Key Techniques: Lateral Movement

  • Pass the Hash
    ○ Authenticating without having the plaintext password
    ○ e.g. use a password hash from an insecure database to bypass authentication software
  • Remote File Copy
    ○ e.g. copying exploits into directories that get executed
  • Exploitation of Remote Services
    ○ e.g. opening a persistent bash shell from within postgres


SLIDE 18

Misc: CPTC, Kali, and OSCP

  • Collegiate Penetration Testing Competition (CPTC)
    ○ RIT facilitates/competes in an annual national competition (Oct-Nov) -- like a varsity sport
    ○ Contact: Justin Pelletier <jxpics@rit.edu>
  • Kali Linux
    ○ A distribution designed for penetration testing
    ○ TONS of tools, steep learning curve on many of them
  • Offensive Security Certified Professional (OSCP)
    ○ One of the best certifications for penetration testing
    ○ About the same effort as a college course
    ○ 24-hour final exam where you have to break into every machine
