Penetration Testing Engineering Secure Software Last Revised: July - PowerPoint PPT Presentation

Penetration Testing Engineering Secure Software Last Revised: July 28, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1

Testing That Digs Deeper Penetration testing is about attempting to exploit as much as ● possible (ethically) Purposes ● Demonstrate the person-hours required to break in ○ Create a real scenario ○ Compared to typical SE testing ● Typical: “Found a stacktrace! Report bug” ○ PenTesing: “How can we use this stacktrace?” ○ Map out a long set of chains of attacks ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 2

Preconditions Requires a working system ● Not necessarily finished, but working ○ As networked as possible -- for pivoting ○ Highly skilled testers ○ Outsider ● Not pre-knowing company secrets ○ Most companies hire outside pentesters, but in-house ○ pentesters are highly marketable Can be a good “side-hustle” for you in existing dev organizations ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 3

MITRE’s ATT&CK and CAPEC ATT&CK ● Taxonomy of tactics and techniques for general purpose ○ pentesting knowledge Tactics: broad categories ○ Techniques: ○ ■ Tool-agnostic approaches Somewhat technology-dependent ■ CAPEC: ● “Common Attack Pattern Enumeration and Classification” ○ A dictionary of attack patterns ○ Organized by mechanisms and domains ○ Not covered in this lecture, but referenced in a few VOTD ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 4

CAPEC Example 649: Adding a Space to a File Extension ● “An adversary adds a space character to the end of a file ○ extension and takes advantage of an application that does not properly neutralize trailing special elements in file names. This extra space, which can be difficult for a user to notice, affects which default application is used to operate on the file and can be leveraged by the adversary to control execution .” Why is this a problem? ○ How do you prevent this? ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 5

ATT&CK Tactics Pre-ATT&CK: The adversary is building capabilities and doing initial ● research. Initial Access: The adversary is trying to get into your network. ● Discovery: The adversary is trying to figure out your environment. ● Privilege Escalation: The adversary is trying to gain higher-level ● permissions. Defense Evasion: The adversary is trying to avoid being detected. ● Credential Access: The adversary is trying to steal account names and ● passwords. Collection: The adversary is trying to gather data of interest to their goal. ● SWEN-331: Engineering Secure Software Benjamin S Meyers 6

ATT&CK Tactics ● Execution: The adversary is trying to run malicious code. ● Persistence: The adversary is trying to maintain their foothold. ● Lateral Movement: The adversary is trying to move through your environment. ● Command and Control: The adversary is trying to communicate with compromised systems to control them. Exfiltration: The adversary is trying to steal data. ● Impact: The adversary is trying to manipulate, interrupt, or destroy your ● systems and data. SWEN-331: Engineering Secure Software Benjamin S Meyers 7

ATT&CK Techniques ● There are a lot of techniques. For this class, including exams, we’ll focus on just a few key ones. SWEN-331: Engineering Secure Software Benjamin S Meyers 8

Key Techniques: Initial Access Drive-by Compromise ● Users visit malicious sites ○ e.g. executing Javascript with a browser exploit in it that takes ○ control of a machine Hardware Additions ● Introducing new hardware to the system ○ e.g. hardware keystroke loggers, keystroke injection, network ○ sniffers, portable cell-phone towers Spearphishing ● Confidence scamming exploiting the specific company ○ We see these at RIT all the time ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 9

Examples: Spearphishing at RIT Example 1: Example 3: From: RIT LEADER NAME <RIT_email@non_rit_address> From: RIT LEADER NAME <RIT_email@non_rit_address> Subject: W2 for employees Subject: Memo from HR Department NAME, Greetings, Can I have a PDF copy of all employees W2 for the recent tax You have a message from the Human Resources Department. year? Click here to view your message. Thanks, RIT LEADER NAME Example 4: From: RIT LEADER NAME <RIT_email@non_rit_address> Example 2: Subject: Request From: RIT LEADER NAME <RIT_email@non_rit_address> Subject: R.I.T University Alert! Hello NAME, Are you available, We are giving out eBay gift cards to patients Hello at Hospice Care Units across the community, the cards I We received your request to disable your Email and process bought aren't enough. Can you order 8 eBay gift cards of $200 has started. If you did not make this request, please Undo each online or pick them from any drug or grocery store? Request Now. Your email access will be denied. Thanks SWEN-331: Engineering Secure Software Benjamin S Meyers 10 10

SWEN-331: Engineering Secure Software Benjamin S Meyers 11 11

Key Techniques: Discovery Network and Service Scanning (we’ll explore this later) ● Run tools to enumerate hosts and ports ○ Figure out what services are running ○ e.g. nmap, unicornscan ○ Account Discovery ● Find a listing of the existing accounts ○ e.g. /etc/passwd ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 12 12

Key Techniques: Credential Access Brute Force ● e.g. password guessing ○ Credential Dumping ● e.g. dump a database table with credentials ○ e.g. copy the /etc/shadow file ○ Valid Accounts ● e.g. using default accounts (Windows guest, default DB) ○ e.g. using discovered credentials from other access ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 13 13

Key Techniques: Execution & Persistence Execution ● Command-line interface (e.g. ssh terminal, powershell) ○ Service execution (e.g. adding a new “service” to be executed) ○ Persistence ● Bootkit ○ ■ Place malware in the Master Boot Record of the HDD Executed even after reformatting OS partition ■ Scheduled task (e.g. crontab or Windows Task Scheduler ○ Also an Execution technique ■ Create account ○ Component firmware ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 14 14

Key Techniques: Privilege Escalation Process Injection ● Executing arbitrary code in an existing, legitimate process space ○ e.g. changing the path of a DLL at runtime, stack smashing, ○ LD_LIBRARY_PATH setuid and setgid ● “Execute as the owner’s rights, not as the executing user’s rights” ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 15 15

Key Techniques: Defense Evasion Techniques that adversaries use to avoid detection ● throughout their compromise Access Token Manipulation ○ Binary Padding ○ Clear Command History ○ Connection Proxy ○ ... ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 16 16

Key Techniques: Lateral Movement Pass the Hash ● Authenticating without having the plaintext password ○ e.g. use a password hash from an insecure database to bypass ○ authentication software Remote File Copy ● e.g. copying exploits into directories that get executed ○ Exploitation of Remote Services ● e.g. opening a persistent bash shell from within postgres ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 17 17

Misc: CPTC, Kali, and OSCP Collegiate Penetration Testing Competition (CPTC) ● RIT facilitates/competes in an annual national competition ○ (Oct-Nov) -- Like a varsity sport Contact: Justin Pelletier <jxpics@rit.edu> ○ Kali Linux ● A distribution designed for penetration testing ○ TONS of tools, steep learning curve on many of them ○ Offensive Security Certified Professional (OSCP) ● One of the best certifications for penetration testing ○ About the same effort as a college course ○ 24-hour final exam where you have to break into every machine ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 18 18