Pentesting
Jacco van Tuijl
17 September 2015
1 Pentesting presentation
Pentesting
What? Servers, mobile devices, embedded devices, networks, RF, (web) application security, physical security and the human.
Goal? Identify vulnerabilities and advise about the risk and possible solutions.
How?
Pentest phases
1. Preparation
2. Foot-printing
3. Finger-printing
4. Vulnerability assessment
5. Verification and exploitation
6. Post exploitation
7. Report
Preparation
• Scope / goal / targets
• Signed pentest waiver (also for 3rd parties)
• Date and time of execution
• Black box / gray box / crystal box
• Intrusive / non-intrusive
• Privileged / non-privileged
• Internet / LAN
• With or without informing other employees
Foot-printing
• Open sources like Google, newspapers, websites, www.code1000.com (Dutch), social media, etc.
DNS
DNS Tools
• Whois
• Zone transfer
• Sub-domains
• DNSmap, DNSenum, DNSBrute, DNSRecon
Whois
DNSMap
Robtex.com (demo)
RIPE
DNS Zone transfer
• host -la voorbeelddomein.nl
• dig @8.8.8.8 voorbeelddomein.nl axfr
• nslookup
Visual traceroute
FOCA
Maltego
theHarvester
Recon-ng
Finger-printing
• Portscan
• Crawlers
• Banner grabbing / service discovery
• Sniffing
• Enumeration (SMB, FTP, SNMP, ...)
Port scan
• Nmap
• Angry IP Scanner
• hping
hping
NMAP (Demo)
Sniffing
• Wireshark / Tshark
• tcpdump
• USB, I2C, JTAG, CAN bus, RF, Ethernet, etc.
• Side channel
Wireshark
BusPirate, logic analyzer, GoodFET, Shikra
RF
• Ubertooth
• RTL-SDR
• HackRF One
• Android device (NFCProxy)
• Proxmark III
Side channel
• Timing attack
• Power / acoustic / electromagnetic analysis
• Differential fault analysis (Poodle)
• Data remanence
• Row hammer
• File size, log size, memory consumption, CPU utilization, etc.
Side channel - timing
// Every branch shows the same "username or password incorrect" message, but the
// early returns skip the expensive password check, so the response time tells an
// attacker whether the username exists and whether it is banned.
if (!userExists($USERNAME)) { UsernameOrPasswordIncorrect(); return; }
if (userBanned($USERNAME)) { UsernameOrPasswordIncorrect(); return; }
if (!checkLogin($USERNAME, $PASSWORD)) { UsernameOrPasswordIncorrect(); return; }
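The leak in the login check above, as an added example that is not from the slides: a Python login routine with the same early-return structure next to a constant-time version that always performs one password hash. The user store, salt and iteration count are constructed for the demonstration, and the `counter` argument records how many expensive hash operations each path performs.

```python
import hashlib
import hmac
import time

# Constructed user store for this demonstration (not from the slides):
# username -> PBKDF2 hash of the password. "bob" exists but is banned.
_SALT = b"constructed-static-salt"
_ITERATIONS = 20_000


def _derive(password: str) -> bytes:
    """The deliberately expensive step; its cost is what leaks timing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"alice": _derive("correct horse"), "bob": _derive("battery staple")}
BANNED = {"bob"}
_DUMMY_HASH = _derive("placeholder")  # used to equalize the unknown-user path


def vulnerable_login(username: str, password: str, counter: dict) -> bool:
    """Mirrors the slide: every guard shows the same message, but the early
    returns skip the hash, so 'user exists'/'user banned' leaks through timing."""
    if username not in USERS:
        return False                      # no hash computed: fast
    if username in BANNED:
        return False                      # no hash computed: fast
    counter["hashes"] += 1
    return hmac.compare_digest(_derive(password), USERS[username])


def constant_time_login(username: str, password: str, counter: dict) -> bool:
    """Same decision, same work on every path: one PBKDF2 and one
    constant-time compare whether or not the user exists or is banned."""
    stored = USERS.get(username, _DUMMY_HASH)
    counter["hashes"] += 1
    ok = hmac.compare_digest(_derive(password), stored)
    allowed = username in USERS and username not in BANNED
    return ok & allowed                   # '&' avoids short-circuit branching


def measure(login, username: str, password: str = "wrong") -> float:
    """Wall-clock seconds for one attempt: the gap a remote attacker would time."""
    start = time.perf_counter()
    login(username, password, {"hashes": 0})
    return time.perf_counter() - start


if __name__ == "__main__":
    for fn in (vulnerable_login, constant_time_login):
        print(fn.__name__, "alice: %.4fs" % measure(fn, "alice"),
              "nobody: %.4fs" % measure(fn, "nobody"))
```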
Vulnerability assessment
• Vulnerability scanners / crawlers /
spiders
• Proxy
• Fuzzing
• Password attacks
• Cryptanalysis
• CVE, ExploitDB (searchsploit), Bugtraq, Shodan
Vulnerability scanners / crawlers / spiders
• Vulnerability scanners: Nessus, OpenVAS, Nexpose, Core Impact, Qualys
• Web application security scanners: Nikto, skipfish, Arachni, Acunetix, AppScan
• Application specific: SAPScan, WPScan, SPScan, Joomscan
• Simple crawling script
Nessus
Proxy
• OWASP ZAP
• WebScarab
• Burp Suite
• IronWasp
• DIY script
OWASP ZAP
IronWasp
Burp Suite (demo)
FuzzDB
Check out fuzzdb: github.com/fuzzdb-project
Fuzzing (demo)
Verification and exploitation
• Look at open services
• Exploits (Metasploit / Core Impact / searchsploit / DIY)
• Debugging / decompiling / disassembling / RE
• Metasploit
• SQLMap
• Password and hash attacks
• Shell (root / administrator / system)
Look at open services
nc 192.124.102.88 1392
ncat 192.124.102.88 443
telnet 192.124.102.88 1392
Debugging, decompiling, disassembling and RE
• IDA Pro
• OllyDbg
• GDB
• dex2jar
• SWF Decompiler
• Binwalk
Searchsploit (demo)
Metasploit
Metasploit (demo)
Hashes (demo)
Password and hash attacks
Bruteforce / dictionary / wordlist
Hash cracking
Pass-the-hash
Dictionary & Crunch
• FuzzDB
• wiki.skullsecurity.org/Passwords
crunch 1 1 -t @ -u > wordlist-subdomains.txt
crunch 2 2 -t @% -u >> wordlist-subdomains.txt
crunch 2 2 -t @@ -u >> wordlist-subdomains.txt
crunch 3 3 -t @@% -u >> wordlist-subdomains.txt
crunch 3 3 -t @@@ -u >> wordlist-subdomains.txt
crunch 4 4 -t @@@% -u >> wordlist-subdomains.txt
crunch 4 4 -t @@@@ -u >> wordlist-subdomains.txt
crunch 5 5 -t @@@@@ -u >> wordlist-subdomains.txt
Bruteforce – THC Hydra
Hash Cracking
• John the ripper
• CloudCracker.com
• oclHashcat
• ElcomSoft
• BarsWF
BarsWF
Pass-The-Hash
Cracking hashes is not always needed; just pass the hash with:
• Pass-the-hash toolkit
• Mimikatz
• Medusa
• THC Hydra (demo)
• FreeRDP
Cryptanalysis
Known plain text
Brute force
Implementation
Replay, MIT, backdoors
Side channel
Rubber-hose
Post exploitation
• Pivoting / tunneling
• Backdoors
• Privilege escalation
• Hardening & patching
• Erasing tracks
Pivoting and tunneling
• route add
• METERPRETER > run autoroute -h
• plink, fport, nc, ncat, OpenVPN and SSH
• iodine, httptunnel (covert channels)
Erasing tracks
• history -c && exit
• zapper
• METERPRETER > clearev
• clearlogs.exe
• Ccleaner.exe /AUTO /METHOD "0-3"
• Log flooding
• Timestomp (MACE attributes, NTFS)
Report
• What did you research and what was the goal?
• What did you not research?
• What did you find?
• Finding, cause, impact and solutions
• Risk estimation and prioritizing
Risk rating
• CVSS
• OWASP risk rating
OWASP risk rating
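The OWASP risk rating methodology as an added example (not from the slides): it averages the eight likelihood factors and the eight impact factors on their 0-9 scale, maps each average to LOW / MEDIUM / HIGH and looks up the overall severity in the OWASP matrix. The factor names and the matrix follow the published OWASP methodology; the sample finding's scores are constructed.

```python
# Likelihood factors (threat agent, then vulnerability) and impact factors
# (technical, then business), each scored 0-9 as in the OWASP methodology.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# Overall severity, indexed [impact level][likelihood level].
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}


def average(scores: dict, factors: tuple) -> float:
    """Mean of the named factors; rejects missing or out-of-range scores."""
    values = [scores[f] for f in factors]          # KeyError if a factor is missing
    if any(not 0 <= v <= 9 for v in values):
        raise ValueError("every factor must be scored 0-9")
    return sum(values) / len(values)


def level(score: float) -> str:
    """OWASP bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"


def rate(scores: dict) -> dict:
    """Full OWASP risk rating for one finding."""
    likelihood = average(scores, LIKELIHOOD_FACTORS)
    impact = average(scores, IMPACT_FACTORS)
    return {
        "likelihood": likelihood, "likelihood_level": level(likelihood),
        "impact": impact, "impact_level": level(impact),
        "severity": SEVERITY[level(impact)][level(likelihood)],
    }


# Constructed sample finding (scores chosen for illustration only).
SAMPLE_FINDING = dict(
    skill_level=3, motive=4, opportunity=7, size=6,
    ease_of_discovery=7, ease_of_exploit=5, awareness=6, intrusion_detection=8,
    loss_of_confidentiality=7, loss_of_integrity=5, loss_of_availability=5,
    loss_of_accountability=7, financial_damage=3, reputation_damage=4,
    non_compliance=5, privacy_violation=7,
)
```

Running `rate(SAMPLE_FINDING)` gives likelihood 5.75 and impact 5.375, both MEDIUM, so the finding lands at overall severity "Medium".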
More info
• Securitytube.net
• ptes.org
• OWASP
• CEH & LPT / OSCP / OSCE
• Hacker / security events: Hardwear.io, Hack in The Box Amsterdam 2016, 32c3 - Hamburg, OWASP Meetings & AppSec, Brucon