8/6/2019 INFOSEK2010 Presentation Penetration Test Example
Penetration Test Example
Errors in the process and avoiding them
Overview
- What is penetration testing
- Penetration testing vs Vulnerability Assessment
- Pen-Test process and Constraints
- Pen-Test Simulation
- Demo
- Results
- Conclusions
>/dev/null
- This presentation shows how to penetrate a production system
- This presentation proves that no one can attack us with any success
- This presentation proves that pen-tests are useless
>/dev/null
Never underestimate the power of ****** people in large numbers
What is Penetration Testing?
"A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker." (Wikipedia)
Why is this guy talking about a penetration test in 2010?
- More and more organizations plan or organize a pen-test
- They expect relevant results
- Once they choose a pen-test team, they grant them nearly infinite trust
- A pen-test needs to be prepared and executed with utmost excellence
Penetration Testing vs Vulnerability Assessment?
Vulnerability Assessment:
- Typically is general in scope and includes a large assessment.
- Predictable. (I know when those Security guys scan us.)
- Unreliable at times and high rate of false positives. (I've got a banner)
- Vulnerability assessment invites debate among System Admins.
- Produces a report with mitigation guidelines and action items.
Penetration Testing:
- Focused in scope and may include targeted attempts to exploit specific vectors (both IT and physical)
- Unpredictable by the recipient. (Don't know the how? and when?)
- Highly accurate and reliable. (I've got root!)
- Penetration Testing = Proof of Concept against vulnerabilities.
- Produces a binary result: either the team owned you, or they didn't.
The process of Pen-test - Looks simple enough
- Reconnaissance - passive information gathering, collect information that is available in publicly accessible locations
- Scanning and Enumeration - moving from passive to active information gathering. Scanning is attempting to connect to systems and gather more in-depth information about the targets
- Gaining Access - using identified vulnerabilities to gain access to the system. So far, the attacker has only looked at your house and knocked on your door. Now he kicks it in.
- Escalation of privilege - just having the access of an average user doesn't get you far. The attacker will attempt to escalate him/herself to administrator or root privilege
- Maintaining Access - once in, the attacker wants to stay in. Obtaining password files, or placing rootkits or backdoors, is the usual method
- Covering tracks - once the cat is out of the bag, a lot of people will start looking for the attacker, and the less evidence he left, the smaller the chance of him being discovered. This will include deleting logs, tampering with accounts, even compromising a file system.
Pen-Test Constraints
- Scope - what is the scope of the pen-test attack: one network, one type of service
- Targets - the number and type of targets is usually unknown to the pen-testers (black box/gray box)
- Activity logging - all activities need to be logged, with a relevant time stamp. All observations need to be documented.
- Findings - each penetrated host should be analyzed for installed applications, services, accounts etc.
- Time Limit - total pen-test time is always limited. All activities need to be performed within the time constraints agreed with the target
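The constraints above (agreed scope, timestamped activity logging, per-host findings, a hard time limit) are easy to state and easy to lose track of at hour six. The following is an added example, not code from the INFOSEK2010 slides or from any tool they mention: a small append-only activity log that stamps every action, records evidence only as a hash, and flags entries that fall outside the agreed scope or the time limit. The class name, the scope set, the phase names and the sample entries in demo_log() are all constructed for illustration.

```python
import datetime as dt
import hashlib
import json


class PenTestLog:
    """Append-only, timestamped record of pen-test activity (hypothetical helper).

    Every entry is checked against the agreed scope and time limit, and
    'finding' entries are grouped per host for the final report.
    """

    def __init__(self, team, scope, time_limit_hours, start):
        self.team = team
        self.scope = set(scope)                      # targets agreed with the client
        self.start = start
        self.deadline = start + dt.timedelta(hours=time_limit_hours)
        self.entries = []

    def record(self, when, phase, target, action, observation="", evidence=b""):
        """Append one activity; 'evidence' is the raw screenshot/output, stored as a hash."""
        entry = {
            "seq": len(self.entries) + 1,
            "time": when.isoformat(),
            "team": self.team,
            "phase": phase,                          # scan / access / finding / ...
            "target": target,
            "action": action,
            "observation": observation,
            "evidence_sha256": hashlib.sha256(evidence).hexdigest() if evidence else None,
            "in_scope": target in self.scope,
            "within_time_limit": self.start <= when <= self.deadline,
        }
        self.entries.append(entry)
        return entry

    def findings_by_host(self):
        """Observations per penetrated host (installed applications, services, accounts ...)."""
        hosts = {}
        for e in self.entries:
            if e["phase"] == "finding" and e["observation"]:
                hosts.setdefault(e["target"], []).append(e["observation"])
        return hosts

    def violations(self):
        """Sequence numbers of entries that break the agreed scope or time limit."""
        return [e["seq"] for e in self.entries
                if not (e["in_scope"] and e["within_time_limit"])]

    def to_jsonl(self):
        """One JSON object per line, suitable as an evidence appendix to the report."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def demo_log():
    """Constructed sample run mirroring the slides' 8-hour, same-LAN simulation."""
    t0 = dt.datetime(2010, 5, 12, 9, 0, tzinfo=dt.timezone.utc)
    log = PenTestLog("Team 2", scope={"target1", "target2", "target3", "target5"},
                     time_limit_hours=8, start=t0)
    log.record(t0 + dt.timedelta(minutes=5), "scan", "target1",
               "service enumeration", "web server on 80/tcp")
    log.record(t0 + dt.timedelta(minutes=50), "access", "target1",
               "logged in as a low-privilege user", evidence=b"<constructed screenshot bytes>")
    log.record(t0 + dt.timedelta(minutes=55), "finding", "target1",
               "account review", "local administrator account shared by several users")
    log.record(t0 + dt.timedelta(hours=1), "finding", "target1",
               "installed software", "outdated web portal")
    log.record(t0 + dt.timedelta(hours=3), "scan", "target9", "port scan")          # not in scope
    log.record(t0 + dt.timedelta(hours=8, minutes=30), "access", "target5",
               "trophy document read")                                             # past the limit
    return log


if __name__ == "__main__":
    print(demo_log().to_jsonl())
```

The log never refuses an entry: a tester who strays out of scope or over time should still have the action on record, which is exactly what makes the violations() list useful when the report is written and when the client asks what happened at 17:30.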
Simulation objectives
- Perform a comprehensive penetration test - penetrate as many targets as possible
- Information about environment - none available (black-box attack)
- Extenuating configuration - the attacker is already on the same LAN as the targets
- Vectors of attack - use any vector available on the targets
- Tools - use any available tools at disposal
- Final criteria of success - obtain a document stored on a host behind a multihomed host
- Time limit - 8 hours for the total pen-test
Simulation Environment
The Pen-Testing teams
5 independent pen-tester teams, with various levels of knowledge and experience, coming from:
- Industry
- Finance
- Law enforcement
- Public sector
Pen-Test Tools
Attack tools readily available:
- Backtrack 4
- Nessus
- Core Impact Education License
Additional tools:
- OWASP Live CD
- Samurai
- OpenVAS
Pen-Test Approach
- Team 3, 4 and 5 focusing on automated tools. Documenting partially in standard format
- Team 5 going very slow and systematic. Documenting in standard format
- Team 2 choosing additional tools. Documenting in non-standard format
Start + 1h

Team   | Activity                                                             | Result
Team 1 | focuses on documenting the scanned results, no attack so far         | /
Team 2 | attacks soft targets one by one and performs detailed scans on them  | Target 1 compromised
Team 3 | uses automated tools to attack soft targets                          | Target 1 compromised
Team 4 | uses automated tools to attack soft targets                          | /
Team 5 | uses automated tools to attack soft targets                          | /
Start + 3h

Team   | Activity                                                             | Result
Team 1 | attacks all targets simultaneously with automated tools              | /
Team 2 | attacks soft targets one by one and performs detailed scans on them  | Target 1 and Target 2 compromised
Team 3 | uses automated tools to attack soft targets                          | Target 1 compromised
Team 4 | uses automated tools to attack soft targets                          | Target 1 compromised
Team 5 | uses automated tools to attack soft targets                          | Target 1 compromised
Start + 6h

Team   | Activity                                                                                              | Result
Team 1 | attacks remaining targets simultaneously with automated tools. No attempt at web services            | Target 1 and 2 penetrated
Team 2 | connects to target 3 to scan target 5                                                                | Target 1, 2 and 3 penetrated
Team 3 | uses automated tools to attack target 3. In parallel, attacks target 3 via Web portal vulnerabilities | Target 1, 2 penetrated
Team 4 | uses automated tools to attack target 3                                                              | Target 1 and 2 penetrated
Team 5 | uses automated tools to attack target 3                                                              | Target 1 and 2 penetrated
End - Start + 8h

Team   | Activity                                                                                                                | Result
Team 1 | abandoned all hope                                                                                                      | Target 1 and 2 penetrated, abandoned all further attempts
Team 2 | continued to attack the linux host with automated scripts, completely ignoring the additional information from scanning | Target 1, 2, 3 and 5 penetrated; Trophy discovered
Team 3 | penetrated the hidden network host                                                                                      | Target 1, 2, 3 and 5 penetrated
Team 4 | dabbling at target 3 with Web portal vulnerabilities                                                                    | Target 1 and 2 penetrated
Team 5 | dabbling at target 3 with Web portal vulnerabilities                                                                    | Target 1 and 2 penetrated
Process Demos
>/dev/null
Never underestimate the power of ****** people in large numbers
Results
- Everyone went after the soft targets first, and wasted most of the time on them
- Most teams used extremely noisy scans
- No team followed the process through the entire time frame
- 1 team wasted time trying new tools which proved inferior to the default toolset
- No team produced meaningful documentation and evidence of its activities
- Most teams focused on automated tools and ignored other vulnerabilities
- If this was a real pen-test, all teams would be sued for malpractice
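"Extremely noisy scans" is worth seeing from the other side of the wire: the target's monitoring does not need anything clever to notice one source touching dozens of ports in under a minute. The following is an added example, not from the slides: a detector that parses constructed firewall-style log lines and reports, per source address, the largest number of distinct ports or hosts it touched inside any sliding window. The log format, field names, IP addresses and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (hypothetical firewall export), one connection attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    d["dport"] = int(d["dport"])
    return d


def detect_scans(lines, window_seconds=60, port_threshold=20, host_threshold=10):
    """Per source, track the most distinct ports/hosts touched inside any sliding window.

    A source crossing port_threshold is reported as a port sweep; one crossing
    host_threshold (but not the port threshold) as a host sweep.
    """
    window = timedelta(seconds=window_seconds)
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        max_ports = max_hosts = 0
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:   # slide the window forward
                start += 1
            w = evs[start:end + 1]
            max_ports = max(max_ports, len({e["dport"] for e in w}))
            max_hosts = max(max_hosts, len({e["dst"] for e in w}))
        if max_ports >= port_threshold:
            alerts.append({"src": src, "kind": "port_sweep", "count": max_ports})
        elif max_hosts >= host_threshold:
            alerts.append({"src": src, "kind": "host_sweep", "count": max_hosts})
    return alerts


def sample_lines():
    """Constructed log: one source probes 25 ports on one host within 25 seconds,
    another makes three ordinary HTTPS connections a minute apart."""
    base = datetime(2010, 5, 12, 9, 15, 0)
    lines = []
    for i in range(25):
        t = base + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=10.0.0.5 dst=10.0.1.10 dport={1000 + i} action=deny")
    for i in range(3):
        t = base + timedelta(minutes=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=10.0.0.7 dst=10.0.1.20 dport=443 action=allow")
    lines.append("this line is malformed and is skipped")
    return lines


if __name__ == "__main__":
    for alert in detect_scans(sample_lines()):
        print(alert)
```

The thresholds are deliberately generous; a slower, systematic approach (the one the slides praise) spreads the same probes over a window long enough that neither counter crosses its limit, which is the whole point of the "noisy scans" remark.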
Conclusions for aspiring pen-testers
- Pen-test training does not make you a pen-tester
- Know your weapons - a pen-test is not a good time to try out new tools. Understand each of your tools, its abilities and limitations
- Organize your time - a lot of things need to be performed in a limited time frame. Plan ahead, based on the initial conclusions.
- Have a fallback plan - if things get too complicated at one step, have a plan B, and a plan C.
- Do not rely only on automatics - output of the automated tools can confuse you. Think about the results, and verify them before proceeding
- Document everything - use a screen recording tool if needed
- Second opinion - have a second team member sifting through the results of scans, to properly identify exploitable vulnerabilities
- Get a lot of practice before going commercial
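Two of the points above ("do not rely only on automatics" and "second opinion") and the earlier "I've got a banner" remark about vulnerability-assessment false positives describe the same triage step. The following is an added example, not code from the slides or from any of the scanners they list: it takes constructed scanner findings, drops duplicates from repeated scans, ranks by severity, marks anything the tool could not actually confirm as needing manual verification, and routes high-severity unconfirmed items to a second reviewer. The Finding fields, the evidence categories and the sample data are assumptions made for the example.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Evidence categories that count as confirmed; everything else (banner grab,
# version string comparison) is only a hint until a human checks it.
CONFIRMED = {"authenticated", "exploit_confirmed"}


@dataclass
class Finding:
    host: str
    port: int
    title: str
    severity: str
    evidence: str        # "banner", "version_check", "authenticated", "exploit_confirmed"
    detail: str = ""


def triage(findings):
    """Deduplicate, rank by severity, and mark which findings still need manual verification."""
    seen = set()
    queue = []
    for f in findings:
        key = (f.host, f.port, f.title)
        if key in seen:                       # same finding reported by a second scan
            continue
        seen.add(key)
        needs_verification = f.evidence not in CONFIRMED
        queue.append({
            "host": f.host,
            "port": f.port,
            "title": f.title,
            "severity": f.severity,
            "status": "verify-manually" if needs_verification else "confirmed",
            # high/critical items the tool only guessed at go to a second team member
            "second_opinion": needs_verification
                              and SEVERITY_RANK[f.severity] >= SEVERITY_RANK["high"],
        })
    # most severe first; confirmed before unconfirmed within a severity; then host/port
    queue.sort(key=lambda x: (-SEVERITY_RANK[x["severity"]],
                              x["status"] != "confirmed", x["host"], x["port"]))
    return queue


def sample_findings():
    """Constructed scanner output for the simulation's soft targets."""
    return [
        Finding("target1", 80, "Outdated web server (banner)", "high", "banner",
                "Server header reports an old version"),
        Finding("target1", 80, "Outdated web server (banner)", "high", "banner"),  # duplicate
        Finding("target1", 22, "Weak SSH configuration", "medium", "authenticated"),
        Finding("target2", 445, "SMB share readable without credentials", "critical",
                "exploit_confirmed"),
        Finding("target3", 8080, "Web portal admin console exposed", "high", "version_check"),
        Finding("target2", 21, "FTP banner disclosure", "info", "banner"),
    ]


if __name__ == "__main__":
    for item in triage(sample_findings()):
        print(item)
```

The "status" column is what keeps a banner-only finding from being written up as a result: in the vulnerability-assessment framing on the earlier slide it is a report line; in the pen-test framing it is nothing until someone has actually demonstrated it.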
Conclusions for organizations
- Require references (as much as it is
- Require a very detailed execution plan
- Require a sample report of their lab environment
- Interview the pen-test teams (at least the lead person)
To start off the discussion
- Was this a simulation or a real catastrophic pen-test? This simulation was part of a comprehensive security training. Which goes to show that training will not make you a pen-tester
- Where can we get the tools? Google is your friend
Thank you
Bozidar [email protected]
http://www.shortinfosec.net