Improving Application Security through Penetration Testing
Dominick Baier ([email protected])
Security Consultant / BS 7799 Lead Auditor, ERNW GmbH
Outline
• What is Penetration Testing and Auditing
• Standards and Ethics
• The Process of Testing
• Pen-Testing Web Applications
• The Tools
"Improving the Security of Your Site by Breaking Into it" (Dan Farmer/Wietse Venema, 1993) http://www.fish.com/security/admin-guide-to-cracking.html
Penetration Testing vs. Auditing
• Penetration Testing
  - Simulating a motivated attacker for a specific amount of time
  - Black Box / White Box approach
  - More like a snapshot of the current security of a system or a business process
• Auditing
  - Analyzing
    • Configuration Files
    • Architecture
    • Source Code
    • Operational Plans and Procedures
  - Policy conformance
Why Penetration Testing
• To measure the security of a system, network or a business process
  - By a third party
• To assess possible risks
• To make upper management "security aware"
Possible Goals of a Penetration Test
• How much information about our network is publicly available?
• Is it possible to compromise this and that system?
• Is it possible to disturb business process X?
• How effective are our security controls?
  - Firewall
  - AntiVirus / Spam / Content Filter
  - Intrusion Detection Systems
• Is our Information Security Policy correctly enforced?
• Can employees compromise workstation security?
• "Are we safe?"
What can be tested
• Servers and Workstations
  - Web Server
  - Database Server
  - Domain Controller
  - Workstations
• Infrastructure
  - Network Devices
  - Wireless Networks
  - Dial-In Access
  - VPNs
• Applications
• Employees (Social Engineering)
Attackers to simulate
• Outside Attackers
  - Script Kiddies
  - Competitors
  - Terrorists
  - Journalists
• Insiders
  - Employees
  - Disgruntled Employees
  - Contractors
  - Consultants
Standards
• Pete Herzog's OSSTMM "Open Source Security Testing Methodology Manual"
  - Very practical approach
  - Checklists of what to test and in which order
  - List of tools
• ISO 17799 / BS 7799 Standard for Information Security
  - Focuses more on the policy and paperwork side of security
  - Extensive catalog of security controls
  - Defines a standard for audits
• NIST Guidelines for Network Security Testing
Ethics
• Findings are under strict NDAs
• No information gathered during the test
  - is sent in clear text over the internet
  - is used for personal profit
• ISACA Code of Professional Ethics
• (ISC)² Code of Ethics
• Full Disclosure
The STRIDE Threat Model
• STRIDE
  - Spoofing Identity
  - Tampering with data
  - Repudiation
  - Information Disclosure
  - Denial of Service
  - Elevation of Privilege
The Pen-Tester's Mantra
• Segregation of Duties
• Minimal Machine
• Least Privilege
• Patch-Level
• Defense in Depth
• Secure the Weakest Link
• Strong Authentication
Course of Actions
• Opening Meeting
  - Goals of the Pen-Test
  - Scope
  - Responsible Admins
• The Audit / Test itself
• The Report
  - Found issues
  - Countermeasures
  - Prioritization
• Closing Meeting
Stages of a Pen-Test
• Gathering Information
• Analyzing the Infrastructure
• Analyzing the Machines
  - Fingerprinting
  - Port / Vulnerability Scanning
  - Attacking the System / Proof of Concept
• Analyzing Applications
  - Functional / Structural Analysis
  - Attacking Authentication and Authorization
  - Attacking Data and Back-End Communication
  - Attacking Clients
Information Gathering
• In this phase you try to compile as much publicly available information as possible
  - Internic
  - IANA / RIPE
  - Whois
  - Google / Usenet
  - Private homepages of employees
  - Email addresses
  - Telephone numbers
Information Gathering
• Google search syntax
  - allintitle:"Index of /etc"
  - site:gov, site:mil, site:target.com
  - filetype:doc, filetype:pdf, filetype:xls
  - intitle:, inurl:, allinurl:
  - allinurl:mssql, allinurl:gw …
  - inurl:".aspx?ReturnUrl="
  - "+www.ernw.+de"
  - related:www.ernw.de
  - login site:www.microsoft.com
  - [cached]
Information Gathering
• Mailing lists / Forums / Usenet
  - Some vendors even post internal support questions to public newsgroups
Information Gathering
• Mailing lists / Forums / Usenet
  - Invitation?
Analyzing the Infrastructure and Machines
• A layered model (each layer rests on the one below)
  - Network
  - OS
  - Service
  - Application
  - Data
Analyzing the Infrastructure and Machines
• The reality (diagram of a typical deployment)
  - Components: Browser, Web Server, Web Content, Application Server, Database Server, Auth Database, LDAP, Data, Audit Logs
  - Protocols between them: HTTP, DCOM, SOCKETS, CORBA
Analyzing the Infrastructure and Machines
• Querying System and DNS Information
• Portscanning
• Fingerprinting
• Vulnerability Scanning
• Exploiting a Vulnerability
Querying System and DNS Information
• TraceRoute
  - Tracing the network route gives you information about
    • The provider
    • Type of connection: simple / redundant / load balanced
  - At which hop does ICMP get blocked?
Querying System and DNS Information
• DNS Zone transfer
  - DNS servers should be configured to allow zone transfers only to specific peers
  - DNS zones are very interesting
    • Which machines are listed in the zone
    • Get information about the IP network structure
Portscanning & Fingerprinting
• Port scanning gives you information about which ports a machine listens on
• Every open port is potentially vulnerable
• More advanced scanners try to figure out what kind of software (+ vendor and version) is installed
• Most popular port scanners
  - SuperScan (www.foundstone.com)
  - NMAP (www.insecure.org/nmap)
Banner Grabbing
• Connect with Netcat or Telnet to a service
• You will often get detailed information
Vulnerability Scanner
• Automated scanners that check for known vulnerabilities
  - They often give you more information for vulnerability investigation
• There are vulnerability and exploit databases on the internet
  - SecurityFocus (www.securityfocus.com)
  - Packet Storm (www.packetstormsecurity.com)
Vulnerability Scanner
• System / Host Scanner
  - Nessus (www.nessus.org)
  - Retina (www.eeye.com)
  - ISS Security Scanner (www.iss.net)
  - Microsoft MBSA (www.microsoft.com)
• Database Scanner
  - MetaCoreTex (www.metacoretex.com)
  - AppSecInc AppDetective (www.appsecinc.com)
  - ISS Database Scanner (www.iss.net)
• Web Server Scanner
  - Nikto (www.cirt.net)
Vulnerability Investigation
• www.securityfocus.com/bid
Vulnerability Investigation
• www.packetstormsecurity.org
Pen-Testing Web Applications
• Visualize the HTTP traffic
  - Sniffer (e.g. Ethereal)
  - Web Proxies
    • Achilles (http://packetstormsecurity.nl/web/achilles-0-27.zip)
    • Fiddler (www.fiddlertool.com)
    • WebProxy (www.atstake.com)
  - Hand-craft HTTP requests
    • Wfetch & Tinyget (IIS6 Resource Kit)
Structural Analysis
• Tabular, one row per page found:

  Page        Path     Auth?  SSL?  GET/POST  Comment
  Index.aspx  /        N      N
  login.aspx  /login/  N      Y     POST      Login Page
  about.aspx  /about/  N      N               Email Addresses

Structural Analysis
• ...or graphical
Pen-Testing Web Applications
• Try some URLs
  - Common directories
    • /html, /images, /jsp, /cgi
  - "Hidden" directories
    • /admin, /secure, /adm, /management
  - Backup and log files
    • /.bak, /backup, /back, /log, /logs, /archive, /old
  - Include files
    • /include, /inc, /js, /global, /local
  - Localized versions
    • /de, /en, /1033
  - trace.axd
• Look at the HTTP status codes
  - Everything besides 404 is interesting
Pen-Testing Web Applications
• Look for
  - Cascading Style Sheets (.css)
  - XML files / XML stylesheets (.xml / .xsl)
  - JavaScript files (.js)
  - Include files (.inc)
  - Text files (.txt)
  - Comments
  - Client-side validation
  - Forms
    • Hidden fields
    • Password fields
    • MaxLength attributes
Pen-Testing Web Applications
• "Odd" query strings
  - www.site.com/show.aspx?content=marketing.xml
  - www.site.com/UserArea/default.php?UserID=5
  - www.site.com/dbsubmit.php?Title=Mr&Phone=123
  - www.site.com/menu.asp?sid=73299
• Cookie values
Canonicalization Errors
• Popular examples
  - Apache WebServer
    • /scripts and /SCRIPTS
  - Microsoft IIS 5
    • ../ and .%2e%2f
  - ISS Firewall
    • action=delete and action=%64elete
  - Microsoft IE4
    • Dotless IP bug
  - ASP.NET Authorization Canonicalization Bug
    • http://localhost/formsec/secure%5csecret.aspx
Resource Names
• Example
  - http://server/cms/show.aspx?file=content.xml
• Can I use this page to show other files?
  - http://server/cms/show.aspx?file=../web.config
• Try some variations
  - http://server/cms/show.aspx?file=../web.config.
  - http://server/cms/show.aspx?file=../web.config::$DATA
  - http://server/cms/show.aspx?file=..%5cweb.config
  - http://server/cms/show.aspx?file=..%255cweb.config
  - http://server/cms/show.aspx?file=..%%35%63web.config
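The variations above all aim at the same file, and a server-side check that compares the raw parameter against "../" misses most of them. The following is an added example (not from the slides) of how the file parameter of a page like show.aspx should be canonicalized before the path check: decode until stable, fold backslashes, strip the trailing-dot and ::$DATA forms, then resolve against the content root. The content root path and function names are assumptions.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed sample: the directory the CMS is allowed to serve from (hypothetical).
WEB_ROOT = "/var/www/cms/content"


def canonicalize(raw: str, max_decode: int = 3) -> str:
    """Reduce the many spellings of one name to a single canonical form.

    - URL-decode repeatedly until the value stops changing, which collapses
      %5c, %255c and %%35%63 alike (a bounded loop, so a pathological input
      cannot keep us decoding forever).
    - Map backslashes to slashes, as Windows file APIs would.
    - Drop an NTFS alternate-data-stream suffix (::$DATA).
    - Strip trailing dots and spaces, which Windows ignores when opening files.
    """
    value = raw
    for _ in range(max_decode):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.replace("\\", "/")
    value = value.split("::", 1)[0]
    return value.rstrip(". ")


def resolve_file(raw_param: str) -> Optional[str]:
    """Return the absolute path to serve, or None if the name escapes WEB_ROOT.

    The containment check runs on the canonical, normalized path, so every
    traversal spelling from the slide is rejected by the same comparison.
    """
    name = canonicalize(raw_param)
    if "\x00" in name:           # embedded NUL would truncate the name in C APIs
        return None
    full = posixpath.normpath(posixpath.join(WEB_ROOT, name))
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return None
    return full
```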
Testing for SQL Injection
• Try whether you can inject SQL code through forms
• If the programmer simply concatenates user input with SQL statements, a database compromise is most likely possible
• Try to generate errors
  - Insert a ' character
  - Does the application behave differently?
  - Is maybe even a database error returned?
• You can execute nasty statements through SQL Injection
  - Union
  - Drop...
  - XP_CMDSHELL
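The single-quote probe from the slide, run against both coding styles, as an added example that is not part of the original deck. The in-memory SQLite table and the login functions are constructed stand-ins for an application's user store: the concatenating version turns a quote in the input into a database error (the signal the tester looks for), while the parameterized version treats the same input as plain data.

```python
import sqlite3
from typing import Callable, Optional, Tuple

Row = Optional[Tuple[int]]


def setup_db() -> sqlite3.Connection:
    """Constructed sample user table, standing in for the real back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users (email, pw) VALUES (?, ?)",
                     [("alice@example.com", "s3cret"), ("bob@example.com", "hunter2")])
    return conn


def login_concat(conn: sqlite3.Connection, email: str, pw: str) -> Row:
    """The pattern the slide warns about: input spliced into the statement text."""
    sql = f"SELECT id FROM users WHERE email = '{email}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone()


def login_param(conn: sqlite3.Connection, email: str, pw: str) -> Row:
    """Hardened form: placeholders, so a quote in the input is data, not syntax."""
    sql = "SELECT id FROM users WHERE email = ? AND pw = ?"
    return conn.execute(sql, (email, pw)).fetchone()


def probe(conn: sqlite3.Connection, login: Callable[..., Row],
          email: str, pw: str) -> Tuple[str, object]:
    """The tester's check: does a stray quote surface as a database error?"""
    try:
        return ("ok", login(conn, email, pw))
    except sqlite3.Error as exc:
        return ("db_error", str(exc))


def compare_behaviour(email: str, pw: str) -> Tuple[str, str]:
    """Run the same input through both versions and report each outcome."""
    conn = setup_db()
    return (probe(conn, login_concat, email, pw)[0],
            probe(conn, login_param, email, pw)[0])
```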
Testing for Cross Site Scripting
• Cross Site Scripting lets an attacker inject script code into web pages
• This happens when the application directly outputs client input without proper HTML encoding
• Can be hard to find - look in
  - Query strings
  - Form fields
  - HTTP headers
• Enables cookie stealing / harvesting attacks
• Many developers rely on ASPX's ValidateRequest
  - Try <%00...> encoding
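Why the slide treats ValidateRequest as insufficient, shown as an added example (not from the deck): a request-validation blacklist inspects the input, so any spelling it does not recognize, such as the <%00...> form, passes straight through to a page that echoes it. HTML-encoding at the point of output makes the filter's gaps irrelevant. The pipeline, the blacklist and the page template are constructed stand-ins.

```python
import html
from typing import Optional
from urllib.parse import unquote


def render_unsafe(user_value: str) -> str:
    """The flaw the slide describes: client input written into the page verbatim."""
    return f"<p>Welcome back, {user_value}</p>"


def render_safe(user_value: str) -> str:
    """Hardened output: encode at output time, whatever the source of the value
    (query string, form field, HTTP header) and whatever input filtering ran."""
    return f"<p>Welcome back, {html.escape(user_value, quote=True)}</p>"


def request_validation_passes(raw_param: str) -> bool:
    """Constructed stand-in for a request-validation blacklist: URL-decode once
    and reject an obvious script tag. Deliberately simple, to show that a filter
    on the input side cannot be the only control."""
    return "<script" not in unquote(raw_param).lower()


def handle(raw_param: str, encode_output: bool) -> Optional[str]:
    """Mini request pipeline: validate, then render with or without encoding.
    Returns None when request validation rejects the input."""
    if not request_validation_passes(raw_param):
        return None
    value = unquote(raw_param)
    return render_safe(value) if encode_output else render_unsafe(value)


def markup_is_inert(rendered: str) -> bool:
    """True when nothing but the fixed <p> wrapper contributes markup, i.e. no
    '<' or '>' from user input survived into the page."""
    inner = rendered[len("<p>Welcome back, "):-len("</p>")]
    return "<" not in inner and ">" not in inner
```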
Tools
• Automatic mirroring of web sites
  - wget (www.gnu.org/directory/wget.html)
  - Black Widow (www.softbytelabs.com)
  - Teleport Pro (www.tenmax.com)
• Web Scanner
  - WebInspect (www.spidynamics.com)
  - NStealth (www.nstalker.com)
• ASP.NET specific scanners
  - ASP.NET Security Analyzer (www.owasp.org)
  - ASP.NET Shared Hosting Analyzer (www.owasp.org)
Conclusion
• Pen-Testing is no black magic
• Very systematic procedure
• If you follow the 7 golden rules, you can eliminate most of the vulnerabilities
• Do regular Pen-Tests or Audits - you can only benefit
  - Internal and third party
• Questions?
You can download the slides from www.leastprivilege.com
Links
• OSSTMM
  - www.isecom.org
• NIST Draft Guidelines to Network Security Testing
  - http://csrc.nist.gov/publications/drafts/security-testing.pdf
• (ISC)² Code of Ethics
  - https://www.isc2.org/cgi/content.cgi?category=12
• ISACA Code of Professional Ethics
  - http://www.isaca.org/Template.cfm?Section=Code_of_Ethics1
Links
• Wfetch
  - http://download.microsoft.com/download/d/e/5/de5351d64463-4cc3-a27c-3e2274263c43/wfetch.exe
• NetCat
  - http://www.atstake.com/research/tools/network_utilities/nc11nt.zip