PenTesting (Simplified)

PenTesting, Simplified.
Magdy Saeb

A Simple Guide to Successful Penetration Testing

(Figure: target network diagram. Labels: Target Network; Web Server Compromise; Successful java applet attack compromises the MegaCorp One management subnet; Firewalls are Porous; Outsider (Not detected); Insider/Outsider; Outsider (Detected).)

Definition
“A localized and time-constrained attempt to breach the information security architecture using the attacker’s techniques”

• “Localized”: Implies definition of scope
• “Time-constrained”: A pentest does not last forever
• “Attempt to breach the security”: A pentest is not a full security audit
• “Using the attacker’s techniques”: Implies definition of the attacker’s role

FAQ
Q: Is Penetration Testing developed to teach today’s hackers how to cause more damage in more effective ways?
• A: No! Next question.
Q: Then why pentest?
• A: Know your opponent!
Q: Are hacker communities fixed?
• A: No, they are changing.

Why Bother?
• Active pen-testing teaches you things that security planning would not
• What are the vulnerability scanners missing?
• Are your users and system administrators actually following their own policies?
• A host that claims one thing in the security plan but is totally different in reality
• Audit physical security
• Just what is in that building no one ever goes in?
• The strongest network-based protections are useless if there is an accessible unlocked terminal, unlocked tape vault, etc.
• Raises security awareness
• I had better not leave my terminal unlocked, because I know that those security guys are lurking around somewhere.
• Helps identify weaknesses that may be leveraged by an insider threat or accidental exposure.
• Provides senior management a realistic view of their security posture.
• Great tool to advocate for more funding to mitigate flaws discovered.
• If I can break into it, so could someone else!

Table of Contents
• Recent Attacks
• Types of Attacks
• Penetration Testing, Simplified.
• Scanning is Not Testing.
• Ethics & Hacking.
• Test Well. Test Often.
• Penetration Testing Process
• Pen Test to Avoid a Mess.
• Six-phase Methodology.
• A Few Key Takeaways!

Security Architecture
• Security Infrastructure (PKI/FWs/IDSes)
• Network security
• Host security
• Workstation security
• Application security
• Physical security
• Human security

Recent Detrimental Attacks
• Three Indian defendants (2008) hacked a brokerage firm using a pump-and-dump scheme.
• A Russian hacking group (RBN) stole millions of dollars from Citi Bank using “Black Energy” (2009).
• German banks lost 300 K Euros to new malware (2009).
• A massive joint operation between US and Egyptian law enforcement, called “Phish Phry”, caught 100 American and Egyptian defendants who hacked American banking systems, collecting individual account information (2009).
• Iraqi insurgents intercepted live video from US Predator drones using software available on-line.

Most Serious Attacks
• Use Advanced Persistent Threat (APT)
• Attack subcontractors!

There is a particularly devious type of malicious software that locks users out of their own computer systems until an individual agrees to pay a ransom to the hackers. In these cases, the FBI has surprisingly suggested just ponying up the dough.

“The ransomware is that good,” said Bonavolonta at the 2015 Cyber Security Summit in Boston, as quoted by Security Ledger. “To be honest, we often advise people just to pay the ransom.” “Have they lost the technical battle?” !!! 

The Attacker Profile
• External
  • With zero previous knowledge
  • With some degree of knowledge
• Internal
  • With zero previous knowledge
  • With some degree of knowledge
• Associate

• For the fifth straight year, identity theft ranked first of all fraud complaints.
• Ten million cases of identity theft annually.
• 59% of companies have detected some internal abuse of their networks.

Types of Attacks
• Operating system attacks. Attackers look for OS vulnerabilities (via services, ports and modes of access) and exploit them to gain access.
• Application-level attacks (programming errors; buffer overflow).
• Shrink wrap code attacks. OSes or applications often contain sample scripts for administration. If these scripts are not properly fine-tuned, they may lead to default code or shrink wrap code attacks.
• Misconfiguration attacks. Systems that should be fairly secure are hacked into because they were not configured correctly.

Permission to pen test
• How effective are your existing security controls against a skilled adversary? Discover the answer with penetration testing.
• The main difference between a penetration test and an attacker is permission. A hacker simply won’t ask for permission when trying to expose your critical systems and assets, so pen test to protect.
• A pen test is not just a hacking exercise. It’s an essential part of your complete risk assessment strategy.

Test Often
• It is a good idea to test at regular intervals; after all, you wouldn’t skip your own checkup, right?
• Penetration testing should be performed on a regular basis to create a more consistent and lower-risk security program.
• In addition to regularly scheduled analysis and assessments required by regulatory mandates, test when:
  • New network infrastructure or applications are added
  • Significant upgrades or modifications are applied to infrastructure or applications
  • New office locations are established
  • Security patches are applied
  • End user policies are modified

Ethics and Hacking
• Getting permission to hack
• Code of ethics canons
• Stay ethical
• Gray hat and black hat hackers
• Ethical hacking standards
• Laws
• Setting up a lab
• Download links and support files
• HackingDojo.com

Vulnerability Assessment
• The vast amount of functionality provided by an organization’s networking, database and desktop software can be used against them. Reliability versus complexity!
• Using a network scanner to probe ports and services on a range of IP addresses provides a list of vulnerabilities and countermeasures.
• Sounds easy..?
• No. The problem is that these automatically generated reports do not understand the proper context of their findings: some vulnerabilities are rated “Hi” but are less probable in practice, while others are rated “Lo” but are highly probable in practice.
• Hackers, in some cases, know this.
• Tools

(Figure: pentesting flow. Labels: PenTesting; Internet or Insider; Hop; Break; Own.)

Own!
• Have root privileges on the most critical UNIX or Linux system.
• Have an administrator account.
• Trophies:
  • CEO passwords
  • Laptops of CFO and CIO
  • Company trade secrets
  • Secret files
  • Router PW(s)

Penetration Testing Process (i)
1. Form three teams:
• Red (Attackers)
• White (Administrators)
• Blue (Management overseeing the test)

2. Rules
1. Objectives
2. What to attack
3. Who knows what about the other teams (single or double blind)
4. Start and stop times
5. Legal issues
6. Nondisclosure
7. Reporting
8. Formal approval (get Out of Jail Card).
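The rules above (what to attack, start and stop times, formal approval) and the “localized, time-constrained” definition earlier are worth writing down as data rather than prose, so every planned action can be checked against them before it runs. Added example, not from the original slides; all ranges, times and names in it are constructed.

```python
# Added example (not from the original slides): the "Rules" step written
# down as data, so each planned action is checked against the agreed scope,
# the start/stop window and the formal approval before it is carried out.
# All ranges, times and names below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RulesOfEngagement:
    in_scope: tuple      # CIDR ranges the Blue (management) team approved
    excluded: tuple      # hosts inside those ranges that must never be touched
    start: datetime      # agreed start time (UTC)
    stop: datetime       # agreed stop time (UTC)
    approval: str        # reference to the signed "Out of Jail Card", or ""


def check_action(roe, target, when):
    """Return (allowed, reason) for an action against `target` at `when`."""
    if not roe.approval:
        return False, "no formal approval on file"
    if not (roe.start <= when < roe.stop):
        return False, "outside the agreed test window"
    try:
        ip = ip_address(target)
    except ValueError:
        return False, "target is not an IP address"
    # Exclusions win over scope: a carved-out host stays off limits.
    if any(ip in ip_network(net) for net in roe.excluded):
        return False, "target is explicitly excluded"
    if not any(ip in ip_network(net) for net in roe.in_scope):
        return False, "target is not in scope"
    return True, "ok"


# Constructed rules for a two-day engagement (RFC 5737 documentation ranges).
ROE = RulesOfEngagement(
    in_scope=("192.0.2.0/24", "198.51.100.0/25"),
    excluded=("192.0.2.10/32",),          # e.g. the production database host
    start=datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc),
    stop=datetime(2024, 3, 6, 17, 0, tzinfo=timezone.utc),
    approval="RoE-2024-03 signed by CISO (constructed reference)",
)

if __name__ == "__main__":
    now = datetime(2024, 3, 5, 14, 0, tzinfo=timezone.utc)
    for host in ("192.0.2.25", "192.0.2.10", "203.0.113.7", "198.51.100.200"):
        print(host, check_action(ROE, host, now))
```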

Penetration Testing Process (ii)
3. Passive Scanning
• Website and source code, news groups and social networking
• Whois database
• Edgar database (EDGAR, the Electronic Data Gathering, Analysis, and Retrieval system, performs automated collection, validation, indexing, acceptance, and forwarding of submissions by companies and others who are required by law to file forms with the U.S. Securities and Exchange Commission, the "SEC")
• ARIN (ARIN, a nonprofit member-based organization, supports the operation of the Internet through the management of Internet number resources throughout its service region; coordinates the development of policies by the community for the management of Internet Protocol number resources; and advances the Internet through informational outreach.)
• RIPE (Réseaux IP Européens (RIPE, French for "European IP Networks") is a forum open to all parties with an interest in the technical development of the Internet.)
• Google, Monster.com, etc.
• Dumpster diving (Dumpster diving is the practice of sifting through commercial or residential waste to find items that have been discarded by their owners, but that may prove useful to the picker.)

Penetration Testing Process (iii)
4. Active Scanning
• Probe the target’s public exposure with scanning tools; this may include:
  • Commercial scanning tools
  • Banner grabbing
  • Social engineering
  • War dialing (War dialing refers to the use of various kinds of technology to automatically dial many phone numbers, usually in order to find weak spots in an IT security architecture. Hackers often use war dialing software, sometimes called "war dialers" or "demon dialers," to look for unprotected modems.)
  • DNS zone transfer (DNS zone transfer, also sometimes known by the inducing DNS query type AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers. Zone transfers may be performed using two methods, full AXFR and incremental IXFR.)
  • Sniffing traffic
  • Wireless war driving (Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer, smartphone or personal digital assistant (PDA).)

Penetration Testing Process (iv)
5. Attack Surface Enumeration
• Probe the target network to identify, enumerate, and document each exposed device:
  • Network mapping
  • Perimeter firewalls
  • Router and switch locations
  • LAN, MAN and WAN connections

6. Fingerprinting
• Identify:
  • Operating systems and patch level
  • Open ports
  • Running services
  • User accounts

Penetration Testing Process (v)
7. Target System Selection
• Identify the most useful and vulnerable target

8. Exploiting the uncovered vulnerabilities
• Network
• Kill services
• Kill server

9. Escalation of Privileges
• Administrative rights
• Cracked passwords
• Buffer overflow to gain local versus remote control

10. Documentation and Reporting

In Summary
• Network Vulnerability Testing
• Web Vulnerability Testing
• Wireless War Driving/Walking
• Phone Network Testing
• Social Engineering Testing
• Walk-throughs and Dumpster Diving
• Physical Security Auditing

Go beyond network testing!
• Vulnerability scanning is not penetration testing.
• Conduct penetration testing as often as necessary.
• Follow the steps: penetration testing is an art form, but it’s vital to follow a methodology to ensure success.
• When the penetration test is complete, make sure to clean up after yourself.
• Remember to validate remediated vulnerabilities to ensure they were properly mitigated.

Pen Test to Avoid a Mess (i)
Intelligently manage vulnerabilities
• Through penetration testing, you can proactively identify the most exploitable vulnerabilities and eliminate false positives. This allows your organization to prioritize remediation efforts, apply needed security patches, and efficiently allocate security resources.

Avoid the cost of network downtime
• Recovering from a security breach can cost your organization big time: customer protection and retention, legal activities, discouraged business partners, lowered employee productivity, and reduced revenue, just to name a few pitfalls.
• Pen testing helps you avoid these financial drawbacks by identifying and addressing risks before attacks or security breaches occur.

Pen Test to Avoid a Mess (ii)
Meet regulatory requirements and avoid fines
• Penetration testing helps organizations address regulatory requirements such as PCI DSS.
• This can be a formidable task requiring a combination of resources, time, and a little bit of planning. Detailed reports showing test results and validating remediation efforts can help you avoid significant fines for non-compliance and allow you to illustrate ongoing due diligence to assessors.

Preserve corporate image and customer loyalty
• Even a single incident of compromised customer data can be costly in terms of lost revenue and a tarnished brand image. With customer retention costs higher than ever, no one wants to lose the loyal users that they’ve worked hard to earn, and data breaches are likely to impact new business efforts. Penetration testing helps you dodge these avoidable incidents that put your organization’s reputation and trustworthiness at stake.

A pen test can be broadly carried out by the following six-phase methodology:
• Planning and Preparation (Information Assembling and Analysis),
• Discovery (Vulnerability Detection),
• Penetration Attempt (Privilege Escalation),
• Analysis and Reporting,
• Clean Up, and
• Finally Remediation
(Figure: cycle diagram with the phases Planning and Preparation, Discovery, Penetration Attempt, Final Analysis and Reporting, Clean Up, Remediation.)

(Figure: attack lifecycle against defensive phases. Attack phases: Reconnaissance, Scanning, System Access, Damage, Clear Tracks. Attack-step labels: Web-based Information Collection, Broad Network Mapping, Social Engineering, Targeted Scan, Service Vulnerability Exploitation, Password Cracking, DDOS Code Installation, Use Stolen Accounts For Attack, System File Deletion, Log File Changes. Defensive phases: Preventive Phase (Defense), Proactive Security (Real Time), Penetration Testing Report (Recommendation for Security), Reactive Security (Incident Response).)

Pen testing is not a “guessing game!” Like everything in information security, there’s a process.

Planning and Preparation:
• Clear goals equal clear results. Meet with your team to discuss the scope, objective, and who will be involved in the testing. Before diving in, you must decide on a clear objective and of course get authorization from IT operations.
• Scoping. After setting a distinct goal, such as exploiting recently discovered vulnerabilities in your shiny new HR application, the next action is scoping. Identify the machines, systems and network, operational requirements and the staff involved. The way in which the pen test results will be illustrated should also be decided. Discussing timing and coordinating with IT operations is vital, as it will ensure that while the penetration tests are being conducted, business as usual remains business as usual.

Discovery (i)
• Obtain open, accessible data from your targets. It’s time to get vulnerable!
• During this phase, the team performs reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target. There are many ways to gather this data, and it depends on the target (Network, Web, or Client).
  • Network Discovery: Attempt to discover additional systems, servers, and devices
  • Host Discovery: Determine open ports on these devices
  • Service Interrogation: Interrogate ports to find the actual services running on them

Discovery (ii)
• A penetration tester will most likely use automated tools to scan target assets for known vulnerabilities.
• These tools will most likely have their own databases detailing the latest vulnerabilities.
• Completion of this vulnerability assessment will produce a list of targets to investigate in depth.
• Sometimes the results from these scans can be overwhelming, with thousands or even tens of thousands of assets and vulnerabilities.
• So, it’s important to ensure you have effective prioritization methods in place that can provide contextual information behind these vulnerabilities, to equip you with the information you need to decide what to test first.

Penetration Attempt
Exploit-A-Thon.
• Knowing a vulnerability exists on a target doesn’t necessarily mean it can be exploited easily. So, it’s not always possible to successfully penetrate even if it is theoretically possible. Exploits that do exist should be tested on the target before conducting any other tests.
• Once vulnerabilities have been successfully exploited on a particular system, testers may attempt to use the compromised system to launch subsequent exploits on other internal resources. Very often this is achieved through higher levels of security clearance and information via privilege escalation.
• The penetration attempts don’t end here. Organized social engineering campaigns with phishing emails can also be effective at gauging employee awareness, the impact of their behavior, and adherence to existing security controls.

Analysis and Reporting
So, tell us all what you have found.
• The report should start with an overview of the penetration testing process, followed by an analysis of high-risk vulnerabilities. These critical vulnerabilities are addressed first, with lower-risk vulnerabilities following suit.
• To strengthen the decision-making process, vulnerability prioritization is a must. Organizations may accept the risk incurred from less critical vulnerabilities and focus on fixing the most critical ones that could negatively impact business processes.
The other contents of the report should be as follows:
• Summary of successful penetration scenarios
• Detailed listing of information gathered during penetration testing
• Detailed listing of vulnerabilities found
• Description of all vulnerabilities found
• Suggestions and techniques to resolve vulnerabilities found
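The Vulnerability Assessment slide makes the point that a scanner’s “Hi” and “Lo” ratings lack context, and the Discovery (ii) and Analysis and Reporting slides ask for prioritization that adds it. Added example, not from the original slides, of one way to do that: each finding is re-scored from the scanner severity plus facts the scanner does not know (exposure, data sensitivity, whether the tester confirmed it, whether a public exploit exists) and the report lists findings in that order. The scoring weights and all assets and findings are constructed, not a standard.

```python
# Added example (not from the original slides): scanner ratings put into
# context before they reach the report. Weights are illustrative choices;
# assets and findings are constructed.
SEVERITY_BASE = {"Hi": 7.0, "Med": 4.0, "Lo": 1.0}

# Constructed asset context; in practice this comes from the scoping step.
ASSETS = {
    "web01":     {"internet_exposed": True,  "sensitive_data": True},
    "hr-app":    {"internet_exposed": False, "sensitive_data": True},
    "lab-kiosk": {"internet_exposed": False, "sensitive_data": False},
}

# Constructed findings: scanner rating plus what the tester established.
FINDINGS = [
    {"id": "F1", "host": "web01", "title": "Outdated TLS configuration",
     "scanner": "Lo", "verified": True, "public_exploit": True},
    {"id": "F2", "host": "lab-kiosk", "title": "Unpatched kernel",
     "scanner": "Hi", "verified": False, "public_exploit": False},
    {"id": "F3", "host": "hr-app", "title": "Default admin password",
     "scanner": "Med", "verified": True, "public_exploit": False},
    {"id": "F4", "host": "lab-kiosk", "title": "Banner match, not present",
     "scanner": "Hi", "verified": False, "public_exploit": False,
     "false_positive": True},
]


def contextual_score(finding, assets):
    """Scanner severity adjusted by asset exposure and tester evidence."""
    if finding.get("false_positive"):
        return 0.0                    # tester confirmed the issue does not exist
    score = SEVERITY_BASE[finding["scanner"]]
    ctx = assets[finding["host"]]
    if ctx["internet_exposed"]:
        score *= 2.5                  # reachable by an external attacker
    if ctx["sensitive_data"]:
        score += 2.0                  # impact of a compromise is higher
    if finding["public_exploit"]:
        score *= 1.5                  # no research needed to abuse it
    if finding["verified"]:
        score += 3.0                  # demonstrated, not just a version match
    return round(score, 2)


def prioritize(findings, assets):
    """Report order: highest contextual score first; false positives dropped."""
    scored = [(contextual_score(f, assets), f) for f in findings]
    scored = [(s, f) for s, f in scored if s > 0]
    return [dict(f, score=s) for s, f in sorted(scored, key=lambda sf: -sf[0])]


if __name__ == "__main__":
    for f in prioritize(FINDINGS, ASSETS):
        print(f"{f['score']:5.2f}  {f['id']}  {f['host']:<10} {f['scanner']:<3} {f['title']}")
```

Here the finding the scanner rated “Lo” (F1) ends up first and the isolated host’s “Hi” (F2) last, which is exactly the reordering the slides argue a report needs.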

Clean Up
Go clean your room!
• Unfortunately, messes can happen as a result of pen testing. A detailed and exact list of actions performed during the penetration test should be recorded.
• Compromised hosts should be restored to their original state, so they don’t negatively impact the organization’s operations.
• This activity should be verified by the staff to ensure it has been done successfully.
• Poor practices and improperly documented actions during a penetration test will result in a long, painful clean up process.

Remediation
Patch it up.
• Patching is vital. The final phase of the six-phase penetration testing methodology is all about remediation. Once the testing exercises have been completed on the target systems, all available patches should be deployed according to the criticality of the vulnerability.
• The vulnerability reports resulting from the previous phase will show exactly which exploits were executed, the host they were found on, and the name of the vulnerability (CVE) if there is one.
• After patches have been deployed, it is a best practice to validate remediated vulnerabilities to ensure they were properly mitigated.
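Both the “Go beyond network testing!” takeaways and the Remediation slide end on validating remediation. Added example, not from the original slides, of the comparison a validation rescan should produce: findings keyed by host, CVE and port, diffed against the rescan, with the caveat that a finding only counts as remediated if its host was actually rescanned; a host that was off during the rescan is reported as unverified, not fixed. Both result sets and the CVE identifiers are constructed placeholders.

```python
# Added example (not from the original slides): remediation validation by
# diffing the original findings against a post-patch rescan. The CVE ids
# and hosts below are constructed placeholders, not real identifiers.
BASELINE = [
    {"host": "web01",     "cve": "CVE-0000-0001", "port": 443},
    {"host": "web01",     "cve": "CVE-0000-0002", "port": 22},
    {"host": "hr-app",    "cve": "CVE-0000-0003", "port": 8080},
    {"host": "lab-kiosk", "cve": "CVE-0000-0004", "port": 445},
]
# Hosts the rescan actually reached; lab-kiosk was powered off at the time.
RESCAN_HOSTS = {"web01", "hr-app"}
RESCAN = [
    {"host": "web01",  "cve": "CVE-0000-0002", "port": 22},    # still open
    {"host": "hr-app", "cve": "CVE-0000-0005", "port": 8080},  # new since patching
]


def finding_key(f):
    """Identity of a finding: same host, same CVE, same port."""
    return (f["host"], f["cve"], f["port"])


def validate_remediation(baseline, rescan, rescanned_hosts):
    """Classify every baseline finding and flag anything new in the rescan."""
    before = {finding_key(f) for f in baseline}
    after = {finding_key(f) for f in rescan}
    report = {"remediated": [], "still_open": [], "unverified": [], "new": []}
    for k in sorted(before):
        if k[0] not in rescanned_hosts:
            report["unverified"].append(k)   # no evidence either way: do not close it
        elif k in after:
            report["still_open"].append(k)   # patch missing or ineffective
        else:
            report["remediated"].append(k)   # rescanned and no longer reported
    report["new"] = sorted(after - before)   # regressions introduced by the change
    return report


def remediation_complete(report):
    """True only when nothing is open, unverified or newly introduced."""
    return not (report["still_open"] or report["unverified"] or report["new"])


if __name__ == "__main__":
    result = validate_remediation(BASELINE, RESCAN, RESCAN_HOSTS)
    for status, items in result.items():
        print(status, items)
    print("complete:", remediation_complete(result))
```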

Conclusions
• Corporations have to consider pentesting a necessary information security practice.
• The current state of the penetration test practice is improving.
• Automating some of the processes may improve pentesting; however, many technical problems have to be solved.
• It may be a new challenge for the IS industry in the near future.
http://www.securitywizardry.com/radar.htm

Much More to Learn!