bsides to 2016-penetration-testing

Post on 15-Apr-2017

TRANSCRIPT

@haydnjohnson

Penetration Testing

I don’t think it means, what you think it means

Whoami

Haydn Johnson -
Twitter: @haydnjohnson
From: Australia, Lives in Toronto
Talks: http://www.slideshare.net/HaydnJohnson
Certs: OSCP | GXPN

Just shy of 4yrs Industry Experience



Backstory

Multiple understandings of a VA

Multiple Understandings of a PT

Presented at BSidesLV - Automation of Pentesting

Many definitions

Penetration Testing is a term misused, abused, exploited

To the point where it is taken out back in the rain and given a 12-gauge to the head.


Automation of Pentesting - The Trend

Commoditization

Pentest Puppy Mills

- Scan
- Scan
- Scan
- Report
- Make report look nice
- Make report look nicer
- Remove on client's request
- Send

The differences

Vulnerability Assessment - List Oriented:
VULN A
VULN B
VULN C

Penetration Testing - Goal Oriented:
Phishing -> Local Admin -> Dump Hashes -> Domain Admin

https://danielmiessler.com/study/vulnerability-assessment-penetration-test/


Was I correct????

Let's delve deeper


Penetration Testing - The term

Means many things, or does it?

Are you sure?

But Burp is a penetration Test

It attempts SQL injection... It penetrates...

It checks for XSS... It penetrates...

id=5 order by 1


NOT a Penetration Test

But Nessus / Nexpose is a Penetration Test

It checks if an exploit is there...

Some checks “do” exploit...

It penetrates


NOT a Penetration Test


Because the title says penetration test

So what is a penetration test?


But you still know it's a CAT err Penetration Test

Round Square


Where does one start

In order to understand what a Penetration Test is, we must look at some standards.

No really. A standard exists!


There are multiple standards

Best practices - just google!

Let us look at

First: The PTES standard - will explain the key points
Second: What is in the standard - compare with vulnerability assessment
Third: Compare VA -> PT - show example

Penetration Testing Execution Standard

By REAL infosec people:
Chris Nickerson
Dave Kennedy
Carlos Perez
John Strand
Chris Gates

+ Many more

http://www.pentest-standard.org/index.php/FAQ


The Penetration Testing Execution Standard

Main Sections

- Pre-engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Exploitation
- Post Exploitation
- Reporting

http://www.pentest-standard.org/index.php/Main_Page


Goals of the standard

Businesses: The goal is to enable them to demand a specific baseline of work as part of a pentest.

Service Providers: The goal is to provide a baseline for the kinds of activities needed.


“The standard is written for us... anyone and everyone who’s dealing with penetration testing. It is not about a specific product, or even a specific approach or methodology for testing.”

“It is designed so that when it is adhered to, the delivery will be well above a ‘minimal standard’.”

http://www.iamit.org/blog/2016/09/ptes-remaining-impartial-and-insisting-on-high-standards/

Pre-engagement

Time Estimation: Tied to experience of tester; 20% for padding

Scoping Meeting: What will be tested; Customer owned?; Validate assumptions

General Questions: Network Pentest; Web Pentest; Physical Pentest

Scope Creep: Wanting more covered; How to deal with it

Specific IP ranges and Domains: IP blocks; Owned by client

Payment Terms: Up front; Half way; End

Pre-engagement Interactions

- Rules of engagement - what can and cannot be done
- Scope
- Testing Schedule
- Escalation Procedures
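The scope points above (agreed IP blocks, client-owned domains, scope creep) can be enforced mechanically before any traffic is sent. The following is an added example, not code from the talk, PTES or any tool it mentions: a scope guard that rejects any target outside the agreed blocks and domains. The Scope shape, the helper names and every address and domain in it are constructed for the example.

```python
"""Pre-engagement scope guard (added example, not from the talk or PTES).

Checks that each target a tester is about to touch falls inside the IP
blocks and domains confirmed in the rules of engagement, so scope creep
and typos are caught before testing starts. All scope values are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    """IP blocks (CIDR strings) and apex domains the client has confirmed it owns."""
    ip_blocks: list = field(default_factory=list)
    domains: list = field(default_factory=list)


def in_scope(target: str, scope: Scope) -> bool:
    """True if target is an address or CIDR inside an agreed block, or a
    hostname equal to or beneath an agreed domain. Anything else is out."""
    try:
        net = ipaddress.ip_network(target, strict=False)  # single IPs become /32 or /128
    except ValueError:
        # Not an IP: treat as a hostname. Normalise case and a trailing dot,
        # and require a label boundary so "notexample.com" does not match.
        host = target.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in scope.domains)
    blocks = [ipaddress.ip_network(b) for b in scope.ip_blocks]
    # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
    return any(net.version == b.version and net.subnet_of(b) for b in blocks)


def split_targets(targets, scope):
    """Partition targets into (allowed, rejected); rejected ones go back to
    the client for confirmation instead of being tested."""
    allowed, rejected = [], []
    for t in targets:
        (allowed if in_scope(t, scope) else rejected).append(t)
    return allowed, rejected


# Constructed rules-of-engagement scope for the example (documentation ranges).
EXAMPLE_SCOPE = Scope(ip_blocks=["203.0.113.0/24", "2001:db8::/32"],
                      domains=["example.com"])

if __name__ == "__main__":
    ok, bad = split_targets(
        ["203.0.113.7", "203.0.114.7", "203.0.113.0/28", "app.example.com",
         "example.com.evil.test", "2001:db8::1"], EXAMPLE_SCOPE)
    print("in scope :", ok)
    print("REJECTED :", bad)
```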

Pre-engagement Interactions - Example

Pentest Form: Name, Contacts, Dates, IP Address

https://aws.amazon.com/security/penetration-testing/

Pre-engagement Interactions VA comparison

“I need the things scanned”
Overall security posture
What do I have out there?

Intelligence Gathering

Level 1 - Compliance: Automated Tools

Level 2 - Best practice: Understanding of business; Physical location, org chart

Level 3 - State Sponsored: Heavy analysis, Social Networks etc

What is it: Information gathering to be utilized to penetrate a target during vulnerability and exploitation phases. More information, the better.

What it is not: Nothing found from on-premises

Footprinting: Scanning; IP blocks

Intelligence Gathering - key points

Dig - axfr

Finding information
Help identify systems
Used as base for further steps

Intelligence Gathering - Relationships

Business Partners
Customers
Manual Analysis to vet level 1
Shared office spaces
Shared infrastructure
Rented / Leased Equipment

(Diagram: Amazon, Reseller A, Shop B, Shop C)


Intelligence Gathering - Example

DNS Servers

Intelligence Gathering VA comparison

Find hosts that are up and in scope... Scan

Threat Modelling

High Level Process: Gather relevant documentation; Identify & Categorize Assets; Identify & Categorize threats; Map threats against assets

Business Asset Analysis: Asset centric view; Assets most likely to be targeted; Value of assets and impact of loss

Business Process Analysis: How it makes money; Critical vs noncritical processes; How they can be made to lose money

Threat Agents: Internal / External; Community within location; Capabilities / Motivation

Motivation Modelling: Constantly changing; Increase decrease

Threat Capability: Probability of success; Technical and opportunity

Threat Modelling - High Level

Gather relevant documentation
Identify and categorize primary and secondary assets
Identify and categorize threats and threat communities
Map threat communities against primary and secondary assets

Threat Modelling - Business Asset Analysis

Identify assets that are most likely to be targeted
Organisational Data - how the organization does business
Trade secrets
Infrastructure design

**Can feed other areas - intel?

Threat Modelling - Business Process Analysis

How the company makes money
Value chains - assets and processes


Threat Modelling - Threat Agents / Community Analysis

Relevant threats - internal & external

Internal employees motivated by outsiders??

Threat Modelling - Threat Capability analysis

What skills do they have
How many
Technical & Opportunity analysis

Exploits / Payloads

Threat Modelling - Motivation

$$$$ Bored Activism

Threat Modeling - Key Points

Enables the tester to focus on delivering an engagement that closely emulates the tools, techniques, capabilities, accessibility and general profile of the attacker...

Tools | Techniques | Capabilities | Access

Threat Modelling - Example

Tofsee Malware
Javascript Downloader
PE32 executable into the %USERPROFILE% directory.
Spam
Delivered via RIG Exploit Kit

http://blog.talosintel.com/2016/09/tofsee-spam.html
https://www.recordedfuture.com/threat-actor-types/


Threat modeling VA comparison

Internal or External

Vulnerability Analysis

Discovering Flaws / Testing: Leveraged by attackers; Host & service; Insecure design

Relevant: Correct level of depth; Expectations; Goals

Passive: How it makes money; Meta Data Analysis

Active: Direct Interaction; Automated / Manual

Research: Constantly changing; Increase decrease

Validation: Probability of success; Technical and opportunity

Vulnerability Analysis - can include

Services | Banners
Multiple exit nodes
IDS evasion

Need to get to the target


Vulnerability Analysis - Example

Vulnerability Analysis VA comparison

Primarily focused on KNOWN vulnerabilities.
Network / Business Logic not assessed.

Whitelisted | Trusted

No Evasion Needed

Exploitation

Countermeasures: Encoding; Process Injection; DEP | ASLR

Evasion: Prevent detection; Physical; Network

Precision Strike: Not hail mary; Based on previous steps

Tailored Exploits: Customize known exploit

Zero Day Angle: Last resort; Fuzzing; Code Analysis

Exploitation - Objective

Least path of resistance
Undetected
Most impact
Circumventing security controls

EASY ROAD

Hard Road

Biggest Impact

Exploitation - Countermeasures

Anti-virus needs to be evaded
Encoding data to hide what is being done
Hiding information through process injection
Memory protection such as DEP and ASLR

Exploitation - Precision

Previous steps used
Best vulnerabilities analyzed for exploitation
Minimal disruptions
Method to the madness

Exploitation - Zero Days

Fuzzing
Buffer Overflows
SEH Overwrites
Ret2Libc


Exploitation - IS NOT THE DIFFERENCE BETWEEN A VA & PT

Exploitation can be used in a VA or a PT.

Clients may want a high risk vulnerability proven.

Exploitation is heavily used in a Penetration Test - but it is not the definition

https://danielmiessler.com/study/vulnerability-assessment-penetration-test/


Exploitation - Vulnerability Assessment

Validate a Vulnerability

REMOTE CODE EXECUTION A

Exploitation - Penetration Test

Part of the Job: Network, Web, Credentials


Exploitation - Example

https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jboss

Exploitation - VA comparison

Specific
Limited
Proof
No post exploitation

Post Exploitation

Rules of engagement: Protecting Client; Protecting yourself

Infrastructure Analysis: Routing; Network Services; Neighbors

Pillaging: Installed Programs | services; File/Printer Shares; Host configuration; Monitoring

Deep in target: Identification of impact; Affect 1 system; Affect infrastructure

Persistence & Pivoting: Backdoors; Lateral Movement

Data Exfiltration: Testing; Measure controls and detection

Post Exploitation - think like the attacker

What is in the network
Where is the Data - customer - financial - health - Credit Card
Where is the domain admin

Post Exploitation - think like the attacker

Backdoors
Persistence
Data Exfiltration


Post Exploitation VA comparison

Exploitation proves the vulnerability can be exploited

This does not show the business impact.

Not “how deep, real impact”


Post Exploitation - Example

http://www.slideshare.net/HaydnJohnson/power-sploit-persistence-walkthrough

Reporting

Exec Summary: Goals of Pentest; High Level Findings; Background; Overall posture; C-Level | management; Systemic issues

Technical Report: Introduction; Information Gathering; Vulnerability Assessment; Exploitation / Vuln Confirmation; Post Exploitation; Risk Exposure; Conclusion

Reporting - Exec Summary

High level Background
Key points
Key impact and ratings
Recommendations
Strategic Road map

Similar to VA - But shows real impact not just Vulns

Reporting - Technical Report

Deep Explanation of each stage
Step by step of process / exploitation
Step by step of Post exploitation

Similar to VA - But shows much more than a list of vulns


Reporting - Vulnerability Analysis

Exec Summary

List of VULNERABILITIES

Ratings & Prioritization

Attacker COULD exploit


Reporting - Example

https://www.offensive-security.com/reports/sample-penetration-testing-report.pdf

In Summary - VA

In Summary - Exploitation

In Summary - Penetration test

Thank you!

Questions? Debate?