team cymru cymru team

Team Cymru Cymru Team Penetration Testing Ryan Connolly, - PowerPoint PPT Presentation

Team Cymru Cymru Team Penetration Testing Ryan Connolly, <> Penetration Testing Agenda Pentesting Basics Pentesting Defined Vulnerability Scanning vs. Penetration testing Pentesting

  1. Team Cymru Cymru Team Penetration Testing Ryan Connolly, <>

  2. Penetration Testing Agenda • Pentesting Basics – Pentesting Defined – Vulnerability Scanning vs. Penetration testing • Pentesting Strategy • Anecdotes from real pentests • Conducting a good vulnerability scan – Footprint, Scan, Enumerate, Gain Access, Escalate, Pilfer, Cover Track, Create Backdoor – Demos • Review

  3. Why Penetration Testing? • Financial institutions must secure their networks in order to maintain the security of the entire financial system • But with no ability to assess risk organizations are flying blind • IT Security assessments are done today with a mixture of Vulnerability Scanning and Penetration Testing

  4. What is Penetration Testing?

  5. Dave’s new job as a Pen Tester wasn’t anything at all like he’d expected

  6. Penetration Testing Attempt to compromise security by using the same techniques of the attacker – If I was an attacker, how far would I be able to go? – How easy is it to compromise this computer | network | application | system ?

  7. Vulnerability Scanning or Penetration Testing?

  8. Vulnerability Scanning Look for evidence of – Vulnerable software versions – Presence or lack of patches – Misconfiguration

  9. The “bad guys” don’t run Nessus

  10. Vulnerability Scanning alone is not sufficient • Does not tell you what an attacker can do to your network today • Does not identify dangerous trust relationships between components • Lots of false-positives are produced – Must be manually verified • Only actionable items are list of missing patches

  11. Organizations should take advantage of both VS and PT • VS provides a baseline from which to start building a risk profile • A Penetration Test illustrates what those vulnerabilities mean to the organization today, and can help verify remediation efforts • The financial system cannot afford for institutions not to perform periodic Penetration Tests

  12. Key elements of a Penetration Test • Discover and exploit vulnerabilities throughout the network • Leverage trust-relationships among components • Access critical information

  13. Example “After exploiting a vulnerability in the Exchange server, we were able to collect a list of valid email users and passwords. We then used this server to attack the database server in the DMZ (which wasn’t visible from the outside). One of the exploits was successful and we gained administrator access to the server, including complete access to all tables in the customers database.”

  14. A good pen-test • Covers all relevant attack vectors • Clearly shows how vulnerable assets can be compromised • Tests the system as a whole, including existing defense mechanisms • Documents all activities performed

  15. Common mistakes organizations make when doing PT • Limit the test to running a vulnerability scanner • Testing components in isolation • Company changes environment while test is being performed • Overlooking critical relationships, such as suppliers, partners and outsourcing/offshoring vendors

  16. Signs that a test wasn’t thorough • Limited to small subset of network • Produced a laundry list of vulnerabilities, with no additional verification • No interpretation of findings, or “hand waving” • No recommendations beyond list of missing vendor patches • Lack of detailed activity logs, and/or problems with clean-up

  17. Pentesting Strategy How much testing is good enough?

  18. Managing Risk Risk Money

  19. It is always possible to hack a network • It just depends on how hard you try • But smart companies – Invest in technology and processes that help them reduce the most risk, with the least amount of resources – Assume they will be hacked eventually and prepare accordingly

  20. How often can we test cost- effectively? • Penetration Testing was traditionally done once or twice a year due to high cost of service • Automated Penetration Testing software is enabling organizations today to test more often – 75% of IMPACT customers doing testing on a monthly and weekly basis, in contrast with 50% doing it once or twice a year in late 2004

  21. Security as an emergent property The security of a system is determined by the security of each of its components individually and of the system as a whole

  22. Organizations are getting better at • Deploying OS updates on high-profile public servers • Hardening network services on public servers • Securing the perimeter with properly configured firewalls and routers

  23. Penetrating a network through its perimeter is much more difficult today than it was 5 years ago

  24. Organizations still have trouble with • Client side security • Custom web applications • Internal security • Dealing with continuous change and an ever- expanding network of partners, customers and suppliers

  25. Attackers are not standing still • Industry data points to significant increase in the prevalence and criticality of client-side vulnerabilities – A “shift” towards finding vulnerabilities in client-side software is occurring (SANS and Symantec security threat reports) – 8 out of 20 categories in latest SANS Top 20 report relate directly to client-side vulnerabilities – High profile incidents taking advantage of vulnerabilities in client- side software • Windows Metafile image exploit in ad deploys trojan on compromised computers (July 06) • Organizations with good perimeter security are still wide open to attacks against client-side vulnerabilities

  26. Client Side Vulnerabilities • Vulnerabilities in client-side software – IE, Firefox, Outlook, Thunderbird, MSN Messenger, AOL IM, ICQ, Media Players, and image and document readers/processors • Examples – IE devenum.dll COM Object vulnerability (MS05-038) – MSN messenger PNG Processing vulnerability (MS05-009) – Windows WMF vulnerability (KB912840) • Remote/Local, High/Medium/Low? – No good fit in current vulnerability taxonomies

  27. The user’s workstation • is less protected & more complex than the publicly available servers • has legitimate access to the network’s critical assets • connects the Internet with the internal network

  28. Internal network still wide open • Security much more relaxed than on public facing servers – Internal computers are not patched correctly even though automated patch mgmt is in place • Less (sometimes non-existent) network segmentation • Plenty of trust relationships that can be leveraged

  29. Random anecdotes from real pen tests

  30. Pen Test #1 • Collected valid email addresses using a badly configured SMTP server and a list of common names in various languages • Spammed targets with email probe – Web bug in <img> to fingerprint targets – UNC web bug to force authentication with a fake SMB server • Exploited Java vulnerability

  31. Pen Test #2 • Collected e-mail addresses by searching MIT’s PGP keys server and internet newsgroups – Some mail archives had complete email headers • Created profile of each user – Workstation details: OS, browser, MUA – Personal details: hobbies, favorites, contacts, level of computer proficiency • Segmented attack and customized emails based on profile

  32. Pen Test #2b • 1 single email produced about 40 different successful compromises in a matter of minutes • Done by hitting an e-mail alias for a mailing list

  33. Pen Test #3 • Target network divided in two different company branches • Launched exploits against both sub-nets. Exploits for the 1 st failed, but for the 2 nd succeeded • Company had network intrusion prevention active on one side of the network but not on the other

  34. Pen Test #4 • Compromised ad-hoc test server with old exploit • Replaced SSH daemon with trojan • Collected usernames and passwords that were valid on other more important servers on the network

  35. Simple attacks still work • Sent trojanized executable as menu for new Pizzeria • Engage in conversation via IM and send a trojan • Fedex “sample CD-ROMs” with active content

  36. A good pen-test • Covers all relevant attack vectors • Clearly shows how vulnerable assets can be compromised • Tests the system as a whole, including existing defense mechanisms • Documents all activities performed

  37. The Pentesting Process Think like the bad guys: use the same process. Consider: 1. Social engineering factor 2. Technical factor 3. Iterative learning

  38. Pentesting Vulnerability Scanning Now that we’ve talked about not just doing vulnerability scans, let’s talk about… Vulnerabilty scaninng!

  39. Network attack process Create Backdoor Cover Tracks Pilfer Escalate Gain Access Enumerate Scan Footprint

  40. Footprinting • Techniques: –Open source search –whois –DNS zone transfers • Tools: –USENet, search engines –, other registrars – nslookup, dig • Objective: –IP addresses –Domain names

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.


More recommend