Security Testing for Blue Teamers - Ben Finke
June 2015
Big Data in InfoSec - Ben Finke - @benfinke
Thanks for coming!
• Ben Finke
• Security Guy at Enterprise Integration
Network Defender
Red Team
Disclaimer
Make absolutely CERTAIN you have written permission from the system owner/service provider before undertaking ANY testing activities.
Laws vary from state to state and country to country. When in doubt I consult my attorney; I suggest you do the same.
In short: Don’t call me to bail you out! :)
Security Testing for Blue Teamers
What this presentation is…
• A guide on effective testing that makes your defenses better
• A security program that gives you information to make decisions
• A how-to on ensuring your defenses are doing what you think they are
What this is not…
• How to hack your boss’s facebook account
• Step-by-step on building a botnet
• A one-size fits all process
• A shortcut
Why bother?
Do you know what is on your network?
Any idea what you have facing the Internet?
Does that fancy firewall thing actually block bad stuff?
Can you tell if someone is attacking you?
Why bother? This. We can do better.
Verizon Data Breach Investigations Report 2015 - http://www.verizonenterprise.com/DBIR/2015/
Yeah But…
Testing is so expensive!
We don’t have the budget
We don’t have the training
We don’t have the tools
Nonsense.
It does take some time and some learning, but you can do most of the testing you’ll need yourself, and you’ll be amazed at what you discover along the way.
You don’t need to spend a fortune either. You got this.
First Problem – Learn the Terrain
• Let’s map out EVERYTHING on your network
• Let’s find out what is connected and what services it’s running
• We need something that scales well, gives you some flexibility, and doesn’t cost a fortune….
Nmap
nmap – Network Mapper
• Get it directly* from the nmap site: https://nmap.org/
• Open source
• Cross platform
• Does way more than you think…..
• And we know it’s fantastic because…..
*What happened to you, SourceForge?? :(
…Hackers use it in movies: https://nmap.org/movies/
Digging into nmap
• Command line
• GUI – Zenmap
• Multiple output formats
• Can be easily incorporated into scripts and called from other applications
• GREAT documentation and community support
• Example (-A turns on OS detection, version detection, default NSE scripts and traceroute; -oA writes normal, XML and grepable output using the basename you give it):
• nmap -A 172.20.10.0/24 -oA <basename>
• Demo Time!!
Scanning Protips…
• If you scan something on the other side of a firewall, the results are going to be, well, wrong: you are measuring what the firewall lets through, not what the host is actually running.
Scanning Protips…
Know how the common scan options work…
• -sT – TCP connect scan: completes the full handshake (SYN – SYN/ACK – ACK); the default when you are not root
• -sU – UDP scan: send a probe and see whether a UDP service responds (I’d tell you a UDP joke, but you might not get it).
• -sS – TCP SYN scan (SYN – SYN/ACK, then a RST instead of finishing the handshake); the default as root, sometimes called a “stealth” scan
• -sV – version detection: probe the open ports the port scan found to identify the service and its version
• -Pn – treat all hosts as online, skip host discovery
• -O – enable OS detection
• Host discovery – as root the default probes are an ICMP echo request, a TCP SYN to 443, a TCP ACK to 80 and an ICMP timestamp request; unprivileged users get TCP connects to 80 and 443 instead. Reverse DNS lookups are then done for the hosts found to be up.
Scanning Protips…
Choose a good scanning location
• Home and SMB routers often have a small state table; you may overrun it with connections and produce false results in the scan
• Wireless connections can also cause timing and other congestion errors that affect your scan
• If scanning over a VPN…. Try not to scan over a VPN
• If you have a sensitive host in a range, use --exclude
Zenmap!
Plenty of good open source projects to help your custom implementation.
Use your existing tools to visualize!
But wait, there’s more!
• ndiff – compare two nmap scans (XML output) and show the differences.
• Store the output in a code repository for easy historical reference and change tracking
• NSE – Nmap Scripting Engine
Let’s Get to Work
Do some scans of your network and view the results. Tune the scan options to meet the need.
Found a lot of stuff you had no idea about, right? Good!
Automate that process through whatever means are comfortable – you want the information, not more to do.
Run daily and review changes. Discuss with responsible parties when things change unexpectedly.
Some people might complain that you are hassling them, but I say…
Deal with it….
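The daily scan-and-diff workflow described above (ndiff, scan output kept in a repository, review of unexpected changes), as an added example in Python rather than code from the talk or from the nmap project. It parses two nmap XML (-oX) files and reports new hosts, hosts that vanished, and ports that opened or closed. The two scans embedded in it are constructed samples, trimmed to the elements the code reads, using the talk’s 172.20.10.0/24 range.

```python
"""Diff two nmap XML (-oX) scans: new hosts, missing hosts, opened and closed ports.

Added example, not ndiff or other nmap project code. Both XML documents are
constructed sample scans trimmed to the elements the functions read.
"""
import xml.etree.ElementTree as ET

# Constructed: "yesterday's" scan of the range.
YESTERDAY_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A 172.20.10.0/24 -oX yesterday.xml">
  <host><status state="up"/><address addr="172.20.10.1" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
  </ports></host>
  <host><status state="up"/><address addr="172.20.10.7" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
  </ports></host>
</nmaprun>
"""

# Constructed: "today's" scan. 172.20.10.7 no longer answers, 172.20.10.42 is
# new, and 172.20.10.1 has started listening on 3389.
TODAY_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A 172.20.10.0/24 -oX today.xml">
  <host><status state="up"/><address addr="172.20.10.1" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
  </ports></host>
  <host><status state="down"/><address addr="172.20.10.7" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="172.20.10.42" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
  </ports></host>
</nmaprun>
"""


def parse_scan(xml_text):
    """Return {ip: {(proto, port): service}} for every host nmap reported as up.

    Down hosts are left out on purpose: a host vanishing from the dict is
    exactly the "what happened to that box?" change you want to review.
    """
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = [a.get("addr") for a in host.findall("address")
                 if a.get("addrtype") in ("ipv4", "ipv6")]
        if not addrs:
            continue
        open_ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not inventory
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            open_ports[(port.get("protocol"), int(port.get("portid")))] = name
        hosts[addrs[0]] = open_ports
    return hosts


def diff_scans(old, new):
    """Compare two parse_scan() results and return the four kinds of change."""
    changes = {"new_hosts": sorted(set(new) - set(old)),
               "missing_hosts": sorted(set(old) - set(new)),
               "opened": [],   # (ip, proto, port, service) newly open on a known host
               "closed": []}   # (ip, proto, port, service) no longer open
    for ip in sorted(set(old) & set(new)):
        for key in sorted(set(new[ip]) - set(old[ip])):
            changes["opened"].append((ip, key[0], key[1], new[ip][key]))
        for key in sorted(set(old[ip]) - set(new[ip])):
            changes["closed"].append((ip, key[0], key[1], old[ip][key]))
    return changes


def report(changes):
    """Render the changes as the short text you would send to the responsible owner."""
    lines = ["NEW HOST     %s" % ip for ip in changes["new_hosts"]]
    lines += ["MISSING HOST %s" % ip for ip in changes["missing_hosts"]]
    for label in ("opened", "closed"):
        lines += ["%-12s %s %s/%d (%s)" % (label.upper(), ip, proto, port, svc)
                  for ip, proto, port, svc in changes[label]]
    return "\n".join(lines) if lines else "no changes"


if __name__ == "__main__":
    print(report(diff_scans(parse_scan(YESTERDAY_XML), parse_scan(TODAY_XML))))
```

To use it on real scans, replace the two strings with the contents of yesterday’s and today’s -oX files. ndiff gives you the same answer on the command line; having the logic in your own script is what lets you route each change to whoever owns the host.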
Your Arsenal
1. Nmap - free
Total Cost - $0
Security Testing Checklist: ✓ Network Inventory ✓ New Host/Change Detection
Vulnerability Management
Vulnerability – a well known software flaw or misconfiguration that enables an unauthorized person to change the state of an information system.
Put like a regular person – a missing patch or (likely default) setting that means an attacker can ruin your day.
Vulnerability Management is NOT just a vulnerability scanner. While a scanner can help, vulnerability management is about knowing what you have and where it is, so that when a vulnerability is announced you can gauge the risk and plan accordingly.
Vulnerability Scanners
A number of good ones exist. You might even own some of these today.
The Biggest mistake I see is that people don’t:
1. Tune the scanning policies
2. Cover the ENTIRE network
3. Do anything useful with the output
Getting your VM on….
• Consult your vuln scanner vendor for a how-to on this.
• You likely have the ability to run “credentialed” scanning. Do this!
• Build a process to manage the vulns you’re going to be digging up
• Protip: Assign an “Application Owner” to every piece of inventory on the network, and send out reports broken down by the responsible “owner” in the infamous and oft-imitated stoplight chart
• Also known as “Weaponized Excel”
How does a Vuln Scanner work?
1. Non-Credentialed Scanning
Following the selected scanning policy, the scanner performs discovery of available services across the range of configured targets, then begins service detection.
Vuln Scanner -> Web Server: Hey, is TCP port 80 open? (SYN)
Web Server -> Vuln Scanner: It sure is! (SYN/ACK)
Vuln Scanner -> Web Server: Great! (ACK)
Vuln Scanner -> Web Server: So, is this HTTP? (GET / HTTP/1.1)
Web Server -> Vuln Scanner: For sure! (HTTP 200 OK – Server: IIS/7.5)
Vuln Scanner -> VulnDB: Check the vuln DB for “IIS/7.5” vulns
Service Detection
That HTTP header will drive a huge amount of the related findings that most vulnerability scanners will report: for many of them either no over-the-network test exists, or the test is potentially dangerous, so the finding is inferred from the banner alone.
Other tests, like TLS* cipher testing, are actively performed and observed directly.
When false positives occur, service detection is often why. Credentialed scanning can remove lots of these false positives.
* All your SSL stuff is turned off, right? Right. Good.
Automate this too!
• Schedule a scan in your vuln scanner and put the scan file someplace.
• This PowerShell code lets you slice and dice the results. Thanks to Carlos Perez (@darkoperator):
# Load the .nessus (v2) XML export
[xml]$report = Get-Content -Raw .\scan.nessus
# One ReportHost element per scanned host
$report_hosts = $report.NessusClientData_v2.Report.ReportHost
# Flatten every finding, drop the informational (severity 0) ones, render as HTML
$report_hosts | foreach {$_.ReportItem} | where {$_.severity -ne 0} | ConvertTo-HTML > nessus-report.html
You can even set conditions on which items go in the report, so you can run a couple of these and email them to whoever needs them….
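The owner-by-owner stoplight report the Protip above asks for, built from the same .nessus data the PowerShell snippet slices, as an added example in Python; it is not Tenable’s code or Carlos Perez’s. The .nessus document inside it is a constructed, heavily trimmed export (real exports carry many more attributes and child elements per ReportItem, which this code ignores). The OWNERS mapping and the severity-to-colour rule are assumptions you would replace with your own inventory and thresholds.

```python
"""Per-owner stoplight summary from a .nessus (v2) export.

Added example, not Tenable's code. SAMPLE_NESSUS is a constructed, trimmed
export and OWNERS is a made-up inventory map; both are placeholders.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# .nessus severity attribute: 0 info, 1 low, 2 medium, 3 high, 4 critical
SEVERITY = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="weekly-credentialed">
    <ReportHost name="172.20.10.1">
      <ReportItem port="0" protocol="tcp" severity="0" pluginName="Host information (constructed)"/>
      <ReportItem port="80" protocol="tcp" severity="2" pluginName="Web server discloses version (constructed)"/>
      <ReportItem port="443" protocol="tcp" severity="3" pluginName="Weak TLS cipher suites offered (constructed)"/>
    </ReportHost>
    <ReportHost name="172.20.10.7">
      <ReportItem port="445" protocol="tcp" severity="1" pluginName="SMB signing not required (constructed)"/>
    </ReportHost>
    <ReportHost name="172.20.10.42">
      <ReportItem port="3389" protocol="tcp" severity="4" pluginName="Missing critical OS patch (constructed)"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Constructed inventory: host -> application owner. 172.20.10.42 is deliberately absent.
OWNERS = {"172.20.10.1": "web-team", "172.20.10.7": "fileserver-team"}


def load_findings(nessus_xml, min_severity=1):
    """Return [(host, proto, port, severity, plugin_name)] at or above min_severity.

    Severity 0 is informational; the PowerShell one-liner drops it the same way.
    """
    findings = []
    for report_host in ET.fromstring(nessus_xml).iter("ReportHost"):
        host = report_host.get("name")
        for item in report_host.findall("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev < min_severity:
                continue
            findings.append((host, item.get("protocol"), int(item.get("port")),
                             sev, item.get("pluginName", "")))
    return findings


def owner_summary(findings, owners, default_owner="UNASSIGNED"):
    """Count findings per owner and severity name: {owner: {"high": 1, ...}}.

    Hosts nobody claims land under default_owner; that bucket is itself an
    inventory problem to chase before the vulns inside it.
    """
    summary = defaultdict(lambda: defaultdict(int))
    for host, _proto, _port, sev, _name in findings:
        summary[owners.get(host, default_owner)][SEVERITY[sev]] += 1
    return {owner: dict(counts) for owner, counts in summary.items()}


def stoplight(summary):
    """The chart everybody imitates: red for any high/critical, yellow for medium, else green."""
    colours = {}
    for owner, counts in summary.items():
        if counts.get("critical") or counts.get("high"):
            colours[owner] = "red"
        elif counts.get("medium"):
            colours[owner] = "yellow"
        else:
            colours[owner] = "green"
    return colours


if __name__ == "__main__":
    summary = owner_summary(load_findings(SAMPLE_NESSUS), OWNERS)
    for owner, colour in sorted(stoplight(summary).items()):
        print("%-16s %-6s %s" % (owner, colour, summary[owner]))
```

Point it at a real export by reading the .nessus file into the string, and feed OWNERS from the inventory you built with nmap. The UNASSIGNED row is the one to look at first: it means a host with findings that nobody has agreed to fix.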
Your Arsenal
1. Nmap – free
2. Vuln Scanner - $2K/year
Total Cost - $2000
Security Testing Checklist: ✓ Network Inventory ✓ New Host/Change Detection ✓ Vulnerability Management
What would an attacker know?
One of the most common goals of a 3rd party security assessment is “Find out what an attacker out on the Internet would find.”
I have some great news for you….. You can do this yourself, probably a lot easier than you think!
A small sampling of free and inexpensive tools at your disposal!
Advanced Google Searching (“Google Hacking”)
http://www.businessinsider.my/how-to-be-a-google-power-searcher-2014-7/
Shodan HQ
• Google search for what’s on the Internet…
Maltego – Building a Case…
Your Arsenal
1. Nmap – free
2. Vuln Scanner - $2K/year
3. Open Source Intel - Free
Total Cost - $2000
Security Testing Checklist: ✓ Network Inventory ✓ New Host/Change Detection ✓ Vulnerability Management ✓ Know Your Attack Surface
Test your Defenses
You recently invested in the industry leading Ultra Premium Anti-APT Cyber Sentinel v1000 system. Hooray!
Does it actually work? I mean, the way its supposed to? Are you sure?
If it detects intrusions, you should intrude!
You should send actual attack traffic through the device to see if:
1. It blocks, slows, or at least marginally disrupts it.
2. It tells you about it.
3. You can reconstruct what happened from the Blue team side.
Fortunately, you don’t need to write your own exploit code, we’ll just use Metasploit!
Mac Attack!
Metasploit – An Intro
Metasploit is a framework that makes security testing easier.
It covers:
• Mapping and Recon
• Exploitation
• Post Exploitation
• Exfiltration
But even if you just want to see if an IPS actually P’s something, it works great for that too!
Lots and lots of great community support and tutorials available online.
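A way to score the “does it tell you about it?” question above once you have fired Metasploit modules through the device, as an added example in Python; it is not Metasploit, Snort or Suricata code. You keep a record of what you launched from the test box, pull the IDS alert log, and match the two by source, destination and time; every test without a matching alert is a detection gap, and every alert without a matching test is something else happening on your network. The test list and the alert lines are constructed; the alerts use the Snort/Suricata fast-format layout with SIDs in the local-rule range, and the 60-second matching window is an assumption.

```python
"""Did the IPS/IDS notice the attacks you fired at it?

Added example, not Metasploit, Snort or Suricata project code. TESTS and
ALERTS are constructed; the alert lines follow the fast-format layout.
"""
import re
from datetime import datetime, timedelta

# Constructed: (time fired, src ip, dst ip, dst port, description), the notes
# you keep while running modules from the test box.
TESTS = [
    ("2015-06-10 10:15:02", "10.0.5.20", "172.20.10.1", 80, "web vuln scan"),
    ("2015-06-10 10:21:40", "10.0.5.20", "172.20.10.7", 445, "SMB exploit module"),
    ("2015-06-10 10:30:11", "10.0.5.20", "172.20.10.42", 3389, "RDP login brute force"),
]

# Constructed fast.log lines (SIDs in the local-rule range).
ALERTS = """\
06/10/2015-10:15:03.412100  [**] [1:1000001:1] LOCAL web scanner user-agent seen [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.5.20:44810 -> 172.20.10.1:80
06/10/2015-10:21:41.003321  [**] [1:1000002:1] LOCAL SMB exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.5.20:50122 -> 172.20.10.7:445
06/10/2015-11:02:17.900004  [**] [1:1000003:1] LOCAL outbound SMTP from workstation [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 172.20.10.55:58102 -> 203.0.113.9:25
"""

FAST_LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LINE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["ts"] = datetime.strptime(a["ts"], "%m/%d/%Y-%H:%M:%S")
        a["dport"] = int(a["dport"])
        alerts.append(a)
    return alerts


def evaluate(tests, alert_text, window=timedelta(seconds=60)):
    """Match tests to alerts. Returns (per-test results, alerts no test explains)."""
    alerts = parse_alerts(alert_text)
    matched = [False] * len(alerts)
    results = []
    for fired, src, dst, dport, what in tests:
        t0 = datetime.strptime(fired, "%Y-%m-%d %H:%M:%S")
        hits = []
        for i, a in enumerate(alerts):
            # Same src, dst and dst port, and the alert landed shortly after the test fired.
            if (a["src"], a["dst"], a["dport"]) == (src, dst, dport) and t0 <= a["ts"] <= t0 + window:
                hits.append(a["msg"])
                matched[i] = True
        results.append({"test": what, "detected": bool(hits), "alerts": hits})
    unexplained = [a for i, a in enumerate(alerts) if not matched[i]]
    return results, unexplained


if __name__ == "__main__":
    results, unexplained = evaluate(TESTS, ALERTS)
    for r in results:
        print("%-9s %s  %s" % ("DETECTED" if r["detected"] else "MISSED", r["test"], r["alerts"]))
    for a in unexplained:
        print("UNEXPLAINED %s -> %s:%d  %s" % (a["src"], a["dst"], a["dport"], a["msg"]))
```

Keep the clocks on the test box and the sensor in sync (NTP), or widen the window; a missed match caused by clock drift looks exactly like a missed detection. The same record of what you fired is also what you hand the Blue team for question 3, reconstructing the event from their side.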
Your Arsenal
1. Nmap – free
2. Vuln Scanner - $2K/year
3. Open Source Intel – Free
4. Metasploit- Free
Total Cost - $2000
Security Testing Checklist: ✓ Network Inventory ✓ New Host/Change Detection ✓ Vulnerability Management ✓ Know Your Attack Surface ✓ Hack Thyself
“Sure” you’re saying…
“Now I get to spend hours and hours installing this stuff on my system and trying to keep it all running. How much time am I going to waste just getting this stuff in place?”
Almost none at all. In fact, it’s a really good practice to keep your testing kit separate from the system you surf the web and check your email on.
We need a way to get to all of these tools quickly. It would be a nice benefit if our testing system was easily portable, ran on whatever we had lying around, and was easy to keep up to date.
Which leads us right to….
Kali Linux
Kali Linux
• Purpose built Linux distribution for security testing
• Hundreds of tools built in and working
• Available from https://www.kali.org/ as:
  • ISO Image
  • Virtual Machine image
  • Docker Image (!)
  • Raspberry Pi Image (!!)
Raspberry Pi – Just like Mom used to make
VirtualBox
• Cross Platform (Windows, Mac, *NIX)
• FREE (as in beer)
• Run guest VMs on your laptop!
• Boot2Docker
I know what you are thinking….
Isn’t Oracle the Evil Empire?
Maybe, but absolutely not for this. Thanks Oracle (and Sun) for VirtualBox!
Your Arsenal – Kali Edition
1. Nmap
2. Vuln Scanner
3. Open Source Intel
4. Metasploit
Ready to Go!
Your Arsenal
1. Nmap – free
2. Vuln Scanner - $2K/year
3. Open Source Intel – Free
4. Metasploit- Free
5. Flexible Testing Platform - Free
Total Cost - $2000
Security Testing Checklist: ✓ Network Inventory ✓ New Host/Change Detection ✓ Vulnerability Management ✓ Know Your Attack Surface ✓ Hack Thyself ✓ Flexible Testing Platform
Blue Team Nirvana
• A complete and accurate network inventory
• Know your exposure to vulnerabilities
• Know what the Internet knows about your network
• Verify your defenses and alarms work as designed.
Bonus Round! Fresh Phish!
• Phishing Frenzy – open source project
• http://www.phishingfrenzy.com/
Complete Phishing Platform
1. Develop the scam templates
Complete Phishing Platform
2. Send out the phishes!
Complete Phishing Platform
3. Track the results
Happy Hunting!
Any questions?
Ben Finke
@benfinke
[email protected] [email protected]
https://www.linkedin.com/pub/ben-finke/3/95a/8a1
blog.eiblackops.com
blog.benfinke.com
Ben Finke - Securing the Cause - @benfinke
Great Resources
• The nmap book - http://nmap.org/book/
• Metasploit Unleashed - https://www.offensive-security.com/metasploit-unleashed/
• How To Videos on SecurityTube - http://www.securitytube.net/
• Community Discussion - http://www.reddit.com/r/AskNetsec
• Netsec Students - http://www.reddit.com/r/netsecstudents