Penetration Testing

Published on July 2016 | Categories: Documents | Downloads: 53 | Comments: 0 | Views: 1067

Improving Application Security through Penetration Testing

Dominick Baier ([email protected])
Security Consultant / BS 7799 Lead Auditor
ERNW GmbH

Outline
• What is Penetration Testing and Auditing
• Standards and Ethics
• The Process of Testing
• Pen-Testing Web Applications
• The Tools

"Improving the Security of Your Site by Breaking Into it"
(Dan Farmer/Wietse Venema, 1993)
http://www.fish.com/security/admin-guide-to-cracking.html


Penetration Testing vs. Auditing
• Penetration Testing
  - Simulating a motivated attacker for a specific amount of time
  - Black Box / White Box Approach
  - Is more like a snapshot of the current security of a system or a business process
• Auditing
  - Analyzing
    • Configuration Files
    • Architecture
    • Source Code
    • Operational Plans and Procedures
  - Policy conformance

Why Penetration Testing
• To measure the security of a system, network or a business process
  - By a third party
• To assess possible Risks
• To make the upper management "security aware"

Possible Goals of a Penetration Test
• How much information about our network is publicly available?
• Is it possible to compromise this and that system?
• Is it possible to disturb business process X?
• How effective are our security controls?
  - Firewall
  - AntiVirus / Spam / Content Filter
  - Intrusion Detection Systems
• Is our Information Security Policy correctly enforced?
• Can employees compromise workstation security?
• "Are we safe?"

What can be tested
• Servers and Workstations
  - Web Server
  - Database Server
  - Domain Controller
  - Workstations
• Infrastructure
  - Network Devices
  - Wireless Networks
  - Dial-In Access
  - VPNs
• Applications
• Employees (Social Engineering)

Attackers to simulate
• Outside Attackers
  - Script Kiddies
  - Competitors
  - Terrorists
  - Journalists
• Insiders
  - Employees
  - Disgruntled Employees
  - Contractors
  - Consultants

Standards
• Pete Herzog's OSSTMM "Open Source Security Testing Methodology Manual"
  - Very practical approach
  - Checklists of what and in which order to test
  - List of tools
• ISO 17799 / BS 7799 Standard for Information Security
  - Focuses more on the policy and paperwork side of security
  - Extensive catalog of security controls
  - Defines a standard for audits
• NIST Guidelines for Network Security Testing

Ethics
• Findings are under strict NDAs
• No information gathered during the test
  - is sent in clear text over the internet
  - is used for personal profit
• ISACA Code of Professional Ethics
• ISC² Code of Ethics
• Full Disclosure

The STRIDE Threat Model
• STRIDE
  - Spoofing Identity
  - Tampering with data
  - Repudiation
  - Information Disclosure
  - Denial of Service
  - Elevation of Privilege

The Pen-Tester's Mantra
• Segregation of Duties
• Minimal Machine
• Least Privilege
• Patch-Level
• Defense in Depth
• Secure the Weakest Link
• Strong Authentication

Course of Actions
• Opening Meeting
  - Goals of the Pen-Test
  - Scope
  - Responsible Admins
• The Audit / Test itself
• The Report
  - Found issues
  - Countermeasures
  - Prioritization
• Closing Meeting

Stages of a Pen-Test
• Gathering Information
• Analyzing the Infrastructure
• Analyzing the Machines
  - Fingerprinting
  - Port / Vulnerability-Scanning
  - Attacking the System / Proof of Concept
• Analyzing Applications
  - Functional / Structural Analysis
  - Attacking Authentication and Authorization
  - Attacking Data and Back-End Communication
  - Attacking Clients

Information Gathering
• In this phase you try to compile as much publicly available information as possible
  - Internic
  - IANA / RIPE
  - Whois
  - Google / Usenet
  - Private homepages of employees
  - Email Addresses
  - Telephone numbers

Information Gathering
• Google Search-Syntax
  - allintitle:"Index of /etc"
  - site:gov site:mil site:ztarget.com
  - filetype:doc filetype:pdf
  - intitle:, inurl:, allinurl:
  - allinurl:mssql, allinurl:gw …
  - inurl:".aspx?ReturnUrl="
  - "+www.ernw.+de"
  - related:www.ernw.de
  - login site:www.microsoft.com
  - [cached] filetype:xls

Information Gathering
• Mailing-Lists / Forums / Usenet
  - Some vendors even post internal support questions to public newsgroups

Information Gathering
• Mailing-Lists / Forum / Usenet
  (screenshot: Invitation?)

Analyzing the Infrastructure and Machines
• A layered model
  (figure: layer stacks Data / Application / Service / OS / Network, shown for two hosts)

Analyzing the Infrastructure and Machines
• The Reality
  (figure: Browser, Web Server, Application Server and Database Server connected via HTTP, DCOM / CORBA, SOCKETS and LDAP, with Auth Database, Web Content, Data and Audit Logs as the stores involved)

Analyzing the Infrastructure and Machines
• Querying System and DNS Information
• Portscanning
• Fingerprinting
• Vulnerability Scanning
• Exploiting a Vulnerability

Querying System and DNS Information
• TraceRoute
  - Tracing the network route gives you information about
    • The provider
    • Type of connection - Simple / Redundant / Load Balanced
  - At which hop does ICMP get blocked?

Querying System and DNS Information
• DNS Zone transfer
  - DNS servers should be configured to allow Zone Transfers only to specific peers
  - DNS Zones are very interesting
    • Which machines are listed in the Zone
    • Get information about IP network-structure
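Added example, not from the slides: the BIND named.conf setting behind the "only to specific peers" advice, with the weak configuration beside the restricted one. The zone name, file path and secondary addresses are constructed placeholders; a real named.conf carries one of the two zone stanzas, not both.

```conf
// WEAK: anyone who can reach port 53 can pull the complete zone with AXFR
zone "example.test" {
    type master;
    file "/etc/bind/db.example.test";      // constructed placeholder path
    allow-transfer { any; };
};

// RESTRICTED: only the listed secondaries (constructed addresses) may transfer
acl secondaries { 192.0.2.53; 198.51.100.53; };

zone "example.test" {
    type master;
    file "/etc/bind/db.example.test";
    allow-transfer { secondaries; };
    also-notify { 192.0.2.53; 198.51.100.53; };
};
```

After reloading, verify from a host that is not in the ACL that `dig @<server> example.test AXFR` ends in "Transfer failed." and from a listed secondary that the transfer still succeeds; a server with no secondaries at all gets `allow-transfer { none; };`. Address-based ACLs are the minimum; BIND can additionally require a TSIG key (`allow-transfer { key <name>; };`), which is not defeated by a spoofed source address.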

Portscanning & Fingerprinting
• Port Scanning gives you information about which ports a machine listens on
• Every open port is potentially vulnerable
• More advanced scanners try to figure out what kind of software (+ vendor and version) is installed
• Most popular Port Scanners
  - SuperScan (www.foundstone.com)
  - NMAP (www.insecure.org/nmap)

Banner Grabbing
• Connect with Netcat or Telnet to a service
• You will often get detailed information
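Added example, not from the slides: a minimal TCP connect scan and banner grab in Python, run against a throw-away service started in the same process so that it works offline. The banner text and host name are constructed. The last function is the check a defender wants afterwards: does the service volunteer product and version before the client has sent a single byte?

```python
import re
import socket
import threading

# Constructed sample banner for the throw-away service below; host name and
# product are invented and stand in for whatever a real daemon would send.
FAKE_BANNER = b"220 mail.example.test ESMTP ExampleMTA 1.2.3 ready\r\n"


def start_banner_service(banner=FAKE_BANNER):
    """Listen on an ephemeral localhost port and greet every client with `banner`.
    Returns (server_socket, port); close the socket to stop the service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket was closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def scan_ports(host, ports, timeout=0.5):
    """TCP connect scan: a port counts as open when the handshake completes."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host, port, timeout=1.0, max_bytes=1024):
    """Connect and record whatever the service volunteers before we send a byte
    (what the slide does by hand with Netcat or Telnet)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            data = s.recv(max_bytes)
        except socket.timeout:
            data = b""  # silent service: nothing offered unprompted
    return data.decode("ascii", errors="replace").strip()


# "<product word> <digits>.<digits>[.<digits>...]", e.g. "ExampleMTA 1.2.3"
VERSION_PATTERN = re.compile(r"[A-Za-z][A-Za-z-]* \d+(\.\d+)+")


def banner_reveals_version(banner):
    """Defender's check: does the banner name a product together with a version
    number? If so, tighten the service's banner setting or front it with a proxy."""
    return VERSION_PATTERN.search(banner) is not None


if __name__ == "__main__":
    srv, port = start_banner_service()
    try:
        for p in scan_ports("127.0.0.1", [port]):
            b = grab_banner("127.0.0.1", p)
            print(p, repr(b), "version leaked" if banner_reveals_version(b) else "ok")
    finally:
        srv.close()
```

Point the two client functions at your own hosts to see exactly what they disclose; the banner check is the part worth keeping in a recurring self-assessment, since the scanners on the previous slide fingerprint from the same text.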

Vulnerability Scanner
• Automated scanners that check for known vulnerabilities
  - They often give you more information for vulnerability investigation
• There are vulnerability and exploit databases on the internet
  - SecurityFocus (www.securityfocus.com)
  - Packet Storm (www.packetstormsecurity.com)

Vulnerability Scanner
• System / Host Scanner
  - Nessus (www.nessus.org)
  - Retina (www.eeye.com)
  - ISS Security Scanner (www.iss.net)
  - Microsoft MBSA (www.microsoft.com)
• Database Scanner
  - MetaCoreTex (www.metacoretex.com)
  - AppSecInc AppDetective (www.appsecinc.com)
  - ISS Database Scanner (www.iss.net)
• Web Server Scanner
  - Nikto (www.cirt.net)

Vulnerability Investigation
• www.securityfocus.com/bid

Vulnerability Investigation
• www.packetstormsecurity.org

Pen-Testing Web Applications
• Visualize the HTTP Traffic
  - Sniffer (e.g. Ethereal)
  - Web Proxies
    • Achilles (http://packetstormsecurity.nl/web/achilles-0-27.zip)
    • Fiddler (www.fiddlertool.com)
    • WebProxy (www.atstake.com)
    • Wfetch & Tinyget (IIS6 Resource Kit)
  - Hand craft HTTP Requests

Page        Path      Auth?  SSL?  GET/POST  Comment
Index.aspx  /         N      N
login.aspx  /login/   N      Y     POST      Login Page
about.aspx  /about/   N      N               Email Addresses

Structural Analysis
• ...or graphical

Pen-Testing Web Applications
• Try some URLs
  - Common Directories
    • /html, /images, /jsp, /cgi
  - "Hidden" Directories
    • /admin, /secure, /adm, /management
  - Backup and Log Files
    • /.bak, /backup, /back, /log, /logs, /archive, /old
  - Include Files
    • /include, /inc, /js, /global, /local
  - Localized Versions
    • /de, /en, /1033
  - trace.axd
• Look at the HTTP Status Codes
  - Everything besides 404 is interesting

Pen-Testing Web Applications
• Look for
  - Cascading Style Sheets (.css)
  - XML files / XML Stylesheets (.xml / .xsl)
  - JavaScript files (.js)
  - Include Files (.inc)
  - Text files (.txt)
  - Comments
  - Client-Side Validation
  - Forms
    • Hidden Fields
    • Password Fields
    • MaxLength Attributes

Pen-Testing Web Applications
• "Odd" Query Strings
  - www.site.com/show.aspx?content=marketing.xml
  - www.site.com/UserArea/default.php?UserID=5
  - www.site.com/dbsubmit.php?Title=Mr&Phone=123
  - www.site.com/menu.asp?sid=73299
• Cookie values

Canonicalization Errors
• Popular Examples
  - Apache WebServer: /scripts and /SCRIPTS
  - Microsoft IIS 5: ../ and .%2e%2f
  - ISS Firewall: action=delete and action=%64elete
  - Microsoft IE4: Dotless IP Bug
  - ASP.NET Authorization Canonicalization Bug
    • http://localhost/formsec/secure%5csecret.aspx

Resource Names
• Example
  - http://server/cms/show.aspx?file=content.xml
• Can I use this page to show other files?
  - http://server/cms/show.aspx?file=../web.config
• Try some variations
  - http://server/cms/show.aspx?file=../web.config.
  - http://server/cms/show.aspx?file=../web.config::$DATA
  - http://server/cms/show.aspx?file=..%5cweb.config
  - http://server/cms/show.aspx?file=..%255cweb.config
  - http://server/cms/show.aspx?file=..%%35%63web.config
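Added example, not from the slides: the show.aspx?file= pattern from this slide and the canonicalization slide before it, modelled in Python. A blocklist check of the kind those variants were made to slip past sits beside a canonicalize-then-contain check that rejects every one of them. CONTENT_DIR is a constructed placeholder; the probe strings are the slide's own. The naive check uses POSIX basename, so the backslash cases read as shown on a Unix host.

```python
import os
import urllib.parse

# Constructed content directory of the hypothetical show.aspx handler. It does
# not have to exist: os.path.realpath() only normalises the string.
CONTENT_DIR = "/srv/cms/content"

# The slide's own variants of the file= parameter, kept as test input.
PROBES = [
    "../web.config",
    "../web.config.",
    "../web.config::$DATA",
    "..%5cweb.config",
    "..%255cweb.config",
    "..%%35%63web.config",
]


def naive_is_allowed(file_param):
    """Blocklist check of the kind the variants were made to defeat: decode once,
    take the file name (POSIX basename) and refuse only the literal 'web.config'.
    Every suffixed or encoded variant passes."""
    name = os.path.basename(urllib.parse.unquote(file_param))
    return name.lower() != "web.config"


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing, so %255c and %%35%63
    collapse to a backslash. Input still changing after max_rounds is refused:
    nobody legitimately triple-encodes a file name."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("excessively encoded input")


def canonicalize(file_param):
    """Reduce the request value to a single canonical relative path."""
    p = fully_decode(file_param)
    if "\x00" in p:
        raise ValueError("NUL byte in path")
    p = p.replace("\\", "/")        # IIS / Windows treat '\' as a separator too
    p = p.split("::", 1)[0]         # drop NTFS alternate data stream suffix (::$DATA)
    p = p.rstrip(". ")              # Windows ignores trailing dots and spaces
    return p


def resolve_content_path(file_param, base_dir=CONTENT_DIR):
    """Hardened resolution: canonicalize, join, then require the resolved path
    to stay inside base_dir. Returns the absolute path or raises ValueError."""
    base = os.path.realpath(base_dir)
    rel = canonicalize(file_param)
    if os.path.isabs(rel):
        raise ValueError("absolute paths are not allowed")
    candidate = os.path.realpath(os.path.join(base, rel))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes content directory: %r" % file_param)
    return candidate


def probe_results(probes=PROBES):
    """Run both checks over the probe list: {probe: (naive_allowed, hardened)}."""
    results = {}
    for probe in probes:
        try:
            resolve_content_path(probe)
            hardened = "allowed"
        except ValueError:
            hardened = "rejected"
        results[probe] = (naive_is_allowed(probe), hardened)
    return results


if __name__ == "__main__":
    for probe, (naive, hardened) in probe_results().items():
        print("%-24s naive=%-5s hardened=%s" % (probe, naive, hardened))
```

The design point: the blocklist reasons about the request string, while the hardened check reasons about the file the operating system will actually open, after every decoding and name-mangling step the platform applies. Where the set of viewable files is small, an allowlist of exact names is simpler still.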

Testing for SQL Injection
• Try if you can inject SQL code in forms
• If the programmer simply concatenates user input with SQL statements, a database compromise is most likely possible
• Try to generate errors
  - Insert a ' character
  - Does the application behave differently?
  - Is maybe even a database error returned?
• You can execute nasty statements through SQL Injection
  - Union
  - Drop...
  - XP_CMDSHELL
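Added example, not the slide's code: the concatenation defect and its parameterized replacement on an in-memory SQLite table, with the slide's apostrophe probe applied to both. Table contents are constructed; one legitimate user name contains an apostrophe to show that the hardened query handles it as data.

```python
import sqlite3

# Constructed in-memory user table standing in for the application's database.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("o'brien", "obrien@example.test"),   # a legitimate name containing an apostrophe
]


def make_demo_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    return db


def find_user_vulnerable(db, name):
    """The defect the slide describes: the form value is concatenated into the
    statement, so it is parsed as SQL rather than as data."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def find_user_parameterized(db, name):
    """Hardened: `name` is bound as a value; the SQL text never changes."""
    return db.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def probe_input(query_fn, db, value):
    """The slide's test: submit a value (first of all a lone apostrophe) and note
    whether the application behaves differently or surfaces a database error.
    Returns a label instead of raising so results can be tabulated."""
    try:
        rows = query_fn(db, value)
        return "ok:%d rows" % len(rows)
    except sqlite3.Error as exc:
        return "db error: %s" % exc


if __name__ == "__main__":
    db = make_demo_db()
    for value in ["alice", "'", "o'brien"]:
        print("%-10r vulnerable=%-40s parameterized=%s" % (
            value, probe_input(find_user_vulnerable, db, value),
            probe_input(find_user_parameterized, db, value)))
```

The apostrophe is diagnostic precisely because the concatenating version turns it into a syntax error, which is the "different behaviour" the slide tells you to look for. The parameterized version returns zero rows and no error, and it also finds "o'brien", which the concatenating version cannot even query without breaking.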

Testing for Cross Site Scripting
• Cross Site Scripting lets an attacker inject script code into Web Pages
• This happens when the Application directly outputs client input without proper HTML encoding
• Can be hard to find - look in
  - Query Strings
  - Form Fields
  - HTTP Headers
• Enables Cookie Stealing / Harvesting Attacks
• Many Developers rely on ASPX's ValidateRequest
  - Try <%00...> encoding
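Added example, not the slide's code: the "outputs client input without HTML encoding" defect beside its encoded form, and a blocklist request filter of the ValidateRequest kind beside the NUL-byte variant the slide mentions. The sample inputs are constructed. The point it makes is the slide's own: a filter at the input misses encodings it did not anticipate, while encoding at the output neutralizes the data regardless.

```python
import html
import re

# Constructed sample inputs: a plain script tag and the NUL-byte variant the
# slide mentions (<%00...> in URL form).
SAMPLE_PAYLOAD = "<script>alert(document.cookie)</script>"
SAMPLE_NUL_PAYLOAD = "<\x00script>alert(document.cookie)</script>"


def render_greeting_vulnerable(name):
    """The defect from the slide: client input copied straight into the page."""
    return "<p>Hello, " + name + "!</p>"


def render_greeting_encoded(name):
    """Hardened: HTML-encode at the point of output for the element-body context;
    '<', '>', '&' and quotes become entities, whatever the input looked like."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


def render_attribute_encoded(value):
    """Attribute context: same encoder plus a quoted attribute, so a '"' in the
    data cannot close the attribute early."""
    return '<input type="text" name="q" value="%s">' % html.escape(value, quote=True)


_SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def naive_request_filter(value):
    """Blocklist filter of the ValidateRequest kind: reject anything that looks
    like '<script'. Returns True when the input is let through. Because it sits
    at the input, any spelling it does not anticipate (here a NUL byte) gets past."""
    return _SCRIPT_TAG.search(value) is None


def user_data_is_inert(rendered, prefix, suffix):
    """Detection helper: True if the user-controlled part of `rendered` no longer
    contains a raw '<', i.e. it can only render as text."""
    body = rendered[len(prefix):len(rendered) - len(suffix)]
    return "<" not in body


if __name__ == "__main__":
    for payload in (SAMPLE_PAYLOAD, SAMPLE_NUL_PAYLOAD):
        print("filter lets through:", naive_request_filter(payload))
        print("vulnerable output inert:",
              user_data_is_inert(render_greeting_vulnerable(payload), "<p>Hello, ", "!</p>"))
        print("encoded output inert:",
              user_data_is_inert(render_greeting_encoded(payload), "<p>Hello, ", "!</p>"))
```

Encoding is context-specific: html.escape is right for element bodies and quoted attributes, but data placed inside a script block, a URL or a CSS value needs the encoder for that context, and input filters such as ValidateRequest remain a second layer rather than the fix.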

Tools
• Automatic Mirroring of Web Sites
  - wget (www.gnu.org/directory/wget.html)
  - Black Widow (www.softbytelabs.com)
  - Teleport Pro (www.tenmax.com)
• Web Scanner
  - WebInspect (www.spidynamics.com)
  - NStealth (www.nstalker.com)
• ASP.NET Specific Scanners
  - ASP.NET Security Analyzer (www.owasp.org)
  - ASP.NET Shared Hosting Analyzer (www.owasp.org)

Conclusion
• Pen-Testing is no Black Magic
• Very systematic procedure
• If you follow the 7 golden rules, you can eliminate most of the vulnerabilities
• Do regular Pen-Tests or Audits - you can only benefit
  - Internal and third party

Questions?

You can download the slides from www.leastprivilege.com

Links
• OSSTMM - www.isecom.org
• NIST Draft Guidelines to Network Security Testing - http://csrc.nist.gov/publications/drafts/security-testing.pdf
• ISC² Code of Ethics - https://www.isc2.org/cgi/content.cgi?category=12
• ISACA Code of Professional Ethics - http://www.isaca.org/Template.cfm?Section=Code_of_Ethics1

Links
• Wfetch - http://download.microsoft.com/download/d/e/5/de5351d64463-4cc3-a27c-3e2274263c43/wfetch.exe
• NetCat - http://www.atstake.com/research/tools/network_utilities/nc11nt.zip
