
Vulnerability Assessment and Penetration Testing

Presenters:

Bruce Upton CISSP, CISA, C|EH

[email protected]

Jerry McClurg CISSP, CISA, C|EH

[email protected]

Agenda and Overview:

Vulnerability Scanning and Identification:

• What is a vulnerability assessment?
• Internal versus external scanning and testing
• How are vulnerability tests different from penetration tests?
• Vulnerability scanning tools and reporting
• Additional considerations:
  • Understanding that vulnerability assessments and penetration tests are only valid for a short period of time
  • Continuous monitoring
  • Management oversight

What’s the Difference?:

Vulnerability Identification versus Penetration Testing:

• Vulnerability Assessment: Generally, a vulnerability assessment is an automated scan of network resources resulting in a detailed report of security vulnerabilities.
• Penetration Test: Penetration testing incorporates vulnerability scanning and identification, but additional effort is applied in an attempt to exploit identified vulnerabilities.
• Vulnerability assessments and penetration tests are both good security due diligence.

What’s the Difference?:

Vulnerability Identification versus Penetration Testing:

• A vulnerability assessment may identify the following security weaknesses:
  • Users have local administrator rights on their Windows 7 computers.
  • Users can access most websites on the Internet.
  • Users have the authority to run programs from within Internet Explorer.
• A penetration test would identify the same security weaknesses, but go quite a bit further:
  • Users have local administrator rights on their Windows 7 computers.
  • Users can access most websites on the Internet.
  • Users have the authority to run programs from within Internet Explorer.
  • A user was convinced to visit a phishing website.
  • The user ran a “connection test” application.
  • Symantec Antivirus did not detect the “connection test” application.
  • Unauthorized remote access was obtained into the network.

Internal versus External:

Generally speaking, there are two types of assessments:

• Internal Assessment: The vulnerability scan or penetration test is performed from inside the organization. The engineer(s) either physically visit the organization or gain secure remote access. The test simulates an attack from the inside out. This overall approach will:
  • Identify internal devices (enumeration)
  • Identify services and footprint internal devices
  • Identify internal security weaknesses in, at a minimum, the following categories:
    • Patch management, network segregation, network access controls, data security, intrusion detection system (IDS) testing, SCADA (if in scope), key management and crypto security (if in scope)
    • Password practices and overall PC, server, and network device security due diligence, etc.

Internal versus External:

Generally speaking, there are two types of assessments:

• External Assessment: The vulnerability scan or penetration test is performed from outside the organization. The engineer(s) test the organization's infrastructure using an outside-in approach. This overall approach will:
  • Identify external devices (enumeration)
  • Identify services and footprint external devices
  • Identify external security weaknesses in, at a minimum, the following categories:
    • Firewall security, remote access portals, database management system (DBMS) security, web application security, intrusion detection system (IDS) and intrusion prevention system (IPS) testing.

Testing Quality:

Testing quality and effectiveness:

• The overall effectiveness of your assessment is generally based on three main factors:
  • The effectiveness and thoroughness of the scanning toolset(s)
  • The overall quality and talent of the internal and/or external security firm or personnel
    • Certifications, experience, etc.
  • How effectively the security firm and internal departments work together
    • Free flow of information between the firm and key departments is central to the success of an assessment

Toolsets:

Vulnerability scanning toolsets:

• The effectiveness and thoroughness of a vulnerability assessment is heavily based on toolsets. Some effective toolsets include:
  • Qualys
    • Internal and external vulnerability scanning
    • Low false-positive rates
    • Pay-per-IP model
  • Rapid7
    • Internal and external vulnerability scanning
    • Low false-positive rates
    • Pay-per-IP model
  • Nessus
    • Internal and external vulnerability scanning
    • Effective pricing model
    • In our experience, Nessus tends to have a higher false-positive rate
  • Nexpose
    • Internal and external vulnerability scanning
    • Community edition available
    • Low false-positive rates

Toolsets:

Vulnerability scanning toolsets:

• Qualys
  • Enterprise scanning tool with a number of compliance modules

Toolsets:

Vulnerability scanning toolsets:

• Qualys
  • Reporting, remediation tracking and a large knowledgebase:

Toolsets:

Vulnerability scanning toolsets:

• Qualys
  • Advantages:
    • Low false-positive rates
    • Detailed reporting
    • Remediation tracking
    • Most vulnerabilities identified will have resolution strategies
  • Disadvantages:
    • All scan data is stored in the cloud at Qualys
    • Pay-per-IP model makes scanning large IP blocks very expensive

Toolsets:

Vulnerability scanning toolsets:

• Nexpose
  • Enterprise-class with a low false-positive rate, strong reporting and numerous compliance templates

Toolsets:

Vulnerability scanning toolsets:

• Nexpose
  • Extensive compliance and simulation testing:

Toolsets:

Vulnerability scanning toolsets:

• Nexpose
  • Advantages:
    • Low false-positive rates
    • Detailed reporting
    • Many compliance and simulation scan templates
    • Most vulnerabilities identified will have resolution strategies
    • It’s not a pay-per-IP scanning solution, potentially making it a good fit for internal scanning and testing
  • Disadvantages:
    • Like most vulnerability scanners it generates a lot of network traffic. It could cause network latency or denial of service if it’s not configured properly.
    • Resource intensive
    • It’s pricey at about $10,000 to $15,000 depending on the scope and services needed

Tool Availability:

Overall, we’re seeing two concerning trends today:

• The availability of hacking tools is unprecedented. Free tools to:
  • Exploit websites
  • Identify vulnerabilities
  • Perform data mining
  • Hack wireless networks, etc.
• Tools available to hide your tracks and/or become virtually invisible are at an all-time high. Examples include:
  • VPN solutions that don’t keep long-term logs
    • ProXPN - pro
  • TOR
    • Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security – torproject.org
    • The world has learned just how effective TOR is: the Snowden leaks demonstrated the NSA has not broken TOR (only circumvented it)

Why are we concerned?

The following attack was performed using publicly-available software and our origin was successfully masked:

• First step, go dark (anonymous) to obscure where your Internet traffic is originating from. In our case, it looks like we’re coming from Germany:

Why are we concerned?

The following attack was performed using publicly-available software and our origin was successfully masked:

• An outside-in approach was used, and it started with Google hacking:
  • The hacker identifies a target (neither of these websites was used in our demonstration):

Why are we concerned?

The following attack was performed using publicly-available software and our origin was successfully masked:

• An escape string is used to look for an SQL-injection vulnerability:
• Inserting the string generated an error:

Why are we concerned?

The error message tells us it’s likely vulnerable to an SQL-injection attack…

• Further testing reveals it is, and the following information is initially obtained via SQL-injection strings:

Why are we concerned?

SQL-injection commands are further used to extract information:

• Database table names are obtained using an SQL-injection string:
  • Count(table_name) of information_schema.tables where table_schema=0x67656D656469615F7073 is 27
  • Note the “users” table

Why are we concerned?

SQL-injection commands are further used to extract information:

• Table field names are extracted from the “users” table:
  • Count(column_name) of information_schema.columns where table_schema=0x67656D656469615F7073 and table_name=0x7573657273 is 13

Why are we concerned?

SQL-injection commands are further used to extract information:

• Username and password field data are extracted from the “users” table:
  • Count(*) of XXXXXXXX_ps.users is 4
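Added example, not from the presentation: the query-construction defect behind the escape-string error shown in the preceding slides, placed beside its parameterized form. It uses an in-memory SQLite table with constructed sample rows standing in for the site's users table; the function names are hypothetical.

```python
import sqlite3

# Constructed sample rows standing in for the site's "users" table.
SAMPLE_USERS = [("alice", "<hash>"), ("bob", "<hash>"), ("carol", "<hash>")]


def demo_db():
    """Throwaway in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users (username, pw_hash) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(username):
    """Vulnerable pattern: the request parameter is spliced into the SQL text,
    so a quote in the input changes the statement instead of the value."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "' ORDER BY id"
    return demo_db().execute(sql).fetchall()


def lookup_safe(username):
    """Hardened pattern: a bound parameter; the driver never parses the value as SQL."""
    sql = "SELECT id, username FROM users WHERE username = ? ORDER BY id"
    return demo_db().execute(sql, (username,)).fetchall()


def probe(username):
    """Classify what the vulnerable endpoint does with an input. A database error
    surfacing here is exactly the signal the presenters saw after the escape string;
    the fix is the bound parameter above, plus not returning raw errors to clients."""
    try:
        rows = lookup_vulnerable(username)
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("rows", rows)


if __name__ == "__main__":
    print(probe("alice"))              # ('rows', [(1, 'alice')])
    print(probe("'"))                  # ('error', ...): a lone quote breaks the statement
    print(probe("' OR '1'='1"))        # ('rows', all three users): condition injected
    print(lookup_safe("' OR '1'='1"))  # []: the same input is just a literal username
```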

Why are we concerned?

Data extraction:

• Testing revealed the passwords are encrypted
  • How are they encrypted?
  • How do we find out?
  • Is there a way to decrypt them?

Why are we concerned?

Password decryption:

• There are a number of off-line tools such as Hashcat and L0phtCrack that can be used to launch brute-force or dictionary attacks.
• A number of websites specialize in dictionary lookups:
  • Cloudcracker.com
  • Crackstation.net
  • md5decrypter.co.uk

Why are we concerned?

Password decryption:

• We were able to successfully identify how the passwords were encrypted, and we were able to decrypt two of three:
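Added example, not from the presentation: both halves of the "how are they encrypted, can they be decrypted" question, under the assumption (implied by the dictionary-lookup sites listed above) that the stored values were unsalted hashes. A length heuristic guesses the algorithm, a constructed wordlist shows why an unsalted hash of a common password is reversible by lookup, and a salted PBKDF2 scheme shows the storage that defeats such lookups. Function names and the wordlist are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionaries behind lookup sites;
# real services hold billions of precomputed entries.
WORDLIST = ["password", "letmein", "123456", "summer2013", "welcome1"]

# Hex-digest length is the usual first clue to the algorithm (heuristic only).
HEX_LENGTH_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}


def guess_hash_type(value):
    """Heuristic answer to 'how are they encrypted?': digest length plus hex charset."""
    v = value.strip().lower()
    if v and all(c in "0123456789abcdef" for c in v):
        return HEX_LENGTH_TO_ALGO.get(len(v), "unknown")
    return "unknown"


def unsalted_digest(algo, word):
    return hashlib.new(algo, word.encode()).hexdigest()


def dictionary_lookup(stored):
    """What the lookup sites do: compare against precomputed unsalted digests.
    Works only because there is no salt, so one table serves every site and user."""
    algo = guess_hash_type(stored)
    if algo == "unknown":
        return None
    table = {unsalted_digest(algo, w): w for w in WORDLIST}
    return table.get(stored.strip().lower())


def hash_password(password, salt=None, iterations=600_000):
    """Hardened storage: random per-user salt plus a slow KDF. No precomputed table
    applies, and each guess costs the attacker the full iteration count."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```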

Why are we concerned?

Malicious intent:

• We stopped testing at this point, but unfortunately, most blackhat hackers would not.
• Web anonymity is a great way to encourage Internet privacy. However, the tools to protect our Internet privacy are being used maliciously by hackers to cover their tracks.

Additional Considerations

Vulnerability and penetration testing frequency:

• Vulnerability assessments and penetration tests are only valid for a short period of time
  • For example, the second Tuesday of every month is known as “Patch Tuesday”. The following Wednesday is known as “Exploit Wednesday”.
• To address these security gaps in time, continuous monitoring systems can be implemented:
  • Bit9 Parity
  • Tripwire
  • FireMon

Additional Considerations

Assess and Identify All Ports, Programs, and Services:

• The programs we have discussed should identify all active ports/services
• What About Software Programs or Inactive Processes?
  • Tools that Identify All Installed Software:
    • Microsoft Assessment and Planning (MAP) Toolkit
    • Emco Network Software Scanner
  • Try to use at least two programs to check against each other

Additional Considerations

Assessment Plan:

• Start from the External View
  • View Information from a Hacker Viewpoint
  • Domain and DNS Registration
  • Gateway Routers, IDS, Firewalls
  • Email and DMZ Devices
• Internal Network
  • Internal/Rogue User Access
  • Vendor/Visitor Access
  • Remote Access

Additional Considerations

Document and Track Open Issues:

• Easy to Lose Track Without Tracking and Follow-up
• Schedule Regular Progress Updates and Report to Management

Summary and Take-Aways:

• Document and Follow an Assessment Plan
• Maintain Multiple Software Toolsets
• Stay Engaged: Technology Security is a Moving Target

Questions?