Penetration testing: don't just leave it to chance

Published on 06-Apr-2017

Transcript

Next Generation Testing Leadership Asia-Pac Summit 2015

Name of the Speakers: Anish Cheriyan, Director Quality and Centre of Excellence - Cyber Security; Sriharsha Narayanam, Test Architect and Cyber Security Test Engineering - COE Team
Company Name: Huawei Technologies India Private Limited

Topics
  • Introduction
  • Principles of Security for Secure Products
  • Security in Product Development Life Cycle
  • Penetration Testing Approach
  • Details of Pen Test
  • Cyber Security - a mindset and some anti patterns
  • Conclusion

(Slide images, captions only: Just Attack Testing; Feather Touch Testing; Time Bound Testing; Innocent until proven guilty)

Build Security In - Some perspective

The Principles - Secure software design
  • Favor simplicity
  • Use fail safe defaults
  • Do not expect expert users
  • Trust with reluctance
  • Employ a small trusted computing base
  • Grant the least privilege possible
  • Promote privacy
  • Compartmentalize
  • Defend in Depth
  • Use Community resource - no security by obscurity
  • Monitor and trace
Reference: Software Security by Michael Hicks, Coursera

(Slide titles only: Favor Simplicity; Favor Simplicity: Fail Safe Defaults; Favor Simplicity: Do not expect expert users; Trust with Reluctance (TwR); TwR - Trusted Computing Base; TwR - Least Privilege; TwR - Compartmentalization; Defend in Depth; Defend in Depth - Use Community Resources; Monitoring and Traceability; Top 10 Flaws.)
www.unicomlearning.com/ethicalhacking
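"Use fail safe defaults" and "Grant the least privilege possible" are easiest to see in an authorization check. The following is an added example, not code from the talk: the same permission check written allow-by-default (fails open when the policy is silent or the policy store is unreachable) and deny-by-default (fails closed). The roles, resources, policy table and the unavailable-store stand-in are constructed for illustration.

```python
"""Fail-safe defaults in an authorization check (added example)."""
from typing import Dict, FrozenSet, Optional

Policy = Dict[str, Dict[str, FrozenSet[str]]]

# Constructed policy: resource -> action -> roles positively granted that action.
POLICY: Policy = {
    "invoice":   {"read": frozenset({"clerk", "auditor", "admin"}),
                  "write": frozenset({"clerk", "admin"})},
    "audit-log": {"read": frozenset({"auditor", "admin"})},
}


class _UnavailableStore(dict):
    """Constructed stand-in for a policy store that cannot be reached."""
    def get(self, *args, **kwargs):
        raise RuntimeError("policy store unavailable")


UNAVAILABLE_POLICY: Policy = _UnavailableStore()


def lookup(policy: Policy, resource: str, action: str) -> Optional[FrozenSet[str]]:
    """Roles granted `action` on `resource`, or None when the policy says nothing."""
    return policy.get(resource, {}).get(action)


def allow_by_default(role: str, resource: str, action: str,
                     policy: Policy = POLICY) -> bool:
    """Anti-pattern: a combination the policy author never considered is
    permitted, and a failed lookup also ends in 'allow'."""
    try:
        granted = lookup(policy, resource, action)
    except Exception:
        return True            # fails open
    if granted is None:
        return True            # unconfigured resource/action -> allow
    return role in granted


def deny_by_default(role: str, resource: str, action: str,
                    policy: Policy = POLICY) -> bool:
    """Fail-safe: access must be positively granted. Unknown resources,
    unknown actions, unknown roles and lookup failures all end in 'deny'."""
    try:
        granted = lookup(policy, resource, action)
    except Exception:
        return False           # fails closed
    return granted is not None and role in granted


def compare(role: str, resource: str, action: str) -> Dict[str, bool]:
    """Run both checks on one request so the difference is visible."""
    return {"allow_by_default": allow_by_default(role, resource, action),
            "deny_by_default": deny_by_default(role, resource, action)}


if __name__ == "__main__":
    for req in [("clerk", "invoice", "write"),
                ("guest", "audit-log", "delete"),   # action nobody configured
                ("clerk", "payroll", "read")]:      # resource nobody configured
        print(req, compare(*req))
```

Only the second function is a fail-safe default: every path that is not an explicit grant, including an exception from the policy store, resolves to "deny", which is the talk's "guilty unless proven" stance applied to code.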
Do Not..

Building Security in Product Development Life Cycle
  • General Security Requirement Analysis
  • Attack Surface Analysis
  • Threat Modeling - STRIDE (Microsoft)
  • Testability Analysis
  • Secure Architecture and Design. Security Design guidelines
  • Security Test Strategy and Test Cases
  • Secure Coding Guidelines (cert.org - good reference)
  • Static Check Tools like Fortify, Coverity (Ref - owasp.org)
  • Code Reviews
  • Security Test Cases
  • Penetration Testing Approach (Reconnaissance, Scanning, Attack, Managing access)
  • Anti Virus
  • Continuous Delivery System (Inspection and Secure Test)

Threat Modeling
Reference: https://msdn.microsoft.com
  • Identify assets. Identify the valuable assets that your systems must protect.
  • Create an architecture overview. Use simple diagrams and tables to document the architecture of your application, including subsystems, trust boundaries, and data flow.
  • Decompose the application. Decompose the architecture of your application, including the underlying network and host infrastructure design, to create a security profile for the application.
  • Identify the threats. Keeping the goals of an attacker in mind, and with knowledge of the architecture and potential vulnerabilities of your application, identify the threats that could affect the application.
  • Document the threats. Document each threat using a common threat template that defines a core set of attributes to capture for each threat.
  • Rate the threats. Rate the threats to prioritize and address the most significant threats first.
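The last three steps (identify, document, rate) are what the talk's STRIDE table later captures per entity: threat type S/T/R/I/D/E, whether it applies, and a test scenario against the current and the proposed mitigation. The following is an added example, not code from the talk or from the MSDN guidance it cites, of a common threat template that builds that table and rates threats. The 1..3 likelihood and impact scale, the risk = likelihood x impact rating and the sample threats are assumptions constructed here; the MSDN process only says to rate and prioritize.

```python
"""Common threat template, STRIDE table and rating (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Stride(Enum):
    SPOOFING = "S"
    TAMPERING = "T"
    REPUDIATION = "R"
    INFORMATION_DISCLOSURE = "I"
    DENIAL_OF_SERVICE = "D"
    ELEVATION_OF_PRIVILEGE = "E"


@dataclass
class Threat:
    """One entry of the threat template (the 'Document the threats' step)."""
    entity: str                 # entity or process from the architecture overview
    stride: Stride              # threat type
    description: str
    applicable: bool            # the 'Applicable?' column
    current_mitigation: str = ""
    proposed_mitigation: str = ""
    likelihood: int = 1         # assumed scale 1 (low) .. 3 (high)
    impact: int = 1             # assumed scale 1 (low) .. 3 (high)

    def risk(self) -> int:
        """Assumed rating for 'Rate the threats': likelihood x impact (max 9)."""
        return self.likelihood * self.impact


def stride_table(threats: List[Threat]) -> List[Dict[str, str]]:
    """Every STRIDE category is listed for every entity, so a category nobody
    analysed appears as 'not assessed' instead of being silently absent.
    Applicable threats get one test scenario per mitigation column."""
    rows: List[Dict[str, str]] = []
    for entity in sorted({t.entity for t in threats}):
        for category in Stride:
            matching = [t for t in threats
                        if t.entity == entity and t.stride is category]
            if not matching:
                rows.append({"entity": entity, "threat_type": category.value,
                             "applicable": "not assessed",
                             "current_scenario": "", "proposed_scenario": ""})
                continue
            for t in matching:
                current = (f"Verify '{t.current_mitigation}' prevents: {t.description}"
                           if t.applicable else "")
                proposed = (f"Verify '{t.proposed_mitigation}' prevents: {t.description}"
                            if t.applicable and t.proposed_mitigation else "")
                rows.append({"entity": entity, "threat_type": category.value,
                             "applicable": "Yes" if t.applicable else "No",
                             "current_scenario": current,
                             "proposed_scenario": proposed})
    return rows


def prioritize(threats: List[Threat]) -> List[Threat]:
    """'Rate the threats': applicable threats, highest risk first."""
    return sorted((t for t in threats if t.applicable),
                  key=lambda t: t.risk(), reverse=True)


# Constructed sample threats for a hypothetical web application.
SAMPLE_THREATS = [
    Threat("Login service", Stride.SPOOFING,
           "a captured session token is reused from another machine", True,
           "session token stored in a cookie",
           "rotate the token on login and bind it to the TLS session", 3, 3),
    Threat("Login service", Stride.TAMPERING,
           "request body altered in transit", False, "TLS enforced end to end"),
    Threat("Login service", Stride.INFORMATION_DISCLOSURE,
           "failed-login log lines contain the submitted password", True,
           "log files readable only by the application user",
           "redact credentials before logging", 2, 2),
    Threat("Admin console", Stride.ELEVATION_OF_PRIVILEGE,
           "a clerk reaches admin pages by editing the role field in the request", True,
           "role checked in the UI only", "check the role server-side on every request", 2, 3),
]

if __name__ == "__main__":
    for row in stride_table(SAMPLE_THREATS):
        print(row)
    for t in prioritize(SAMPLE_THREATS):
        print(t.risk(), t.entity, t.stride.value, t.description)
```

The table deliberately emits the "not assessed" rows: the gaps in a threat model are where the later "Threat modeling not deeply practiced" anti-pattern hides, and making them visible is cheaper than discovering them in penetration testing.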
Threat Modeling Diagram - a simple example
Reference: https://msdn.microsoft.com

Secure Architecture and Design Perspective
Reference: https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet#DRAFT_CHEAT_SHEET_-_WORK_IN_PROGRESS

Secure Code Perspective
Reference: https://owasp.org

Secure Code Perspective - Code Review
Further Reading: Threat Modeling - Frank Swiderski, Window Snyder; A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World - http://cacm.acm.org/magazines/2010/2/69354-a-few-billion-lines-of-code-later/fulltext
While doing the code review we can take as inputs the code at the trust boundary and the issues reported by static tools such as Fortify and Coverity, and so put the focus of the code review at the right place.

Secure Testing (Pen Test) Perspective
  • Information Gathering (about the system, environment etc.)
  • Scan the system
  • Threat Analysis
  • Usage of the static analyzers (run Fortify, Coverity, AppScan, Nessus, NMAP etc.)
  • Right tool usage
  • Vulnerability Analysis
  • Fuzz Testing
  • Penetration testing
  • Use / develop the right set of tools to attack
  • Raise Defects

Test Strategy - Validation Approach of ABC
(Picture: "Assume nothing, believe nobody and check everything")
Security Test Strategy - Inputs
Security Test Strategy - What to Cover?

Penetration Testing Analysis overall flow
Output:
  • Penetration Test Scenarios
  • Penetration Test Cases
  • Defects
  • Damage potential Assessment
  • New Test Cases

Reconnaissance is the first and the key phase of penetration testing, where information is gathered. The more time you spend collecting information on your target, the more likely you are to be successful in the later phases.
There can be a checklist-based approach for information gathering, but it need not be constrained to the list. Information gathering helps teams to think about the product properties upfront.

Reconnaissance / Information Gathering (checklist template; columns: Category, Suggested information to be gathered / verified, Actual Information)
Category: General Information
Suggested information to be gathered / verified:
  • List of IP addresses that can be scanned
  • Target OS and file permission information
  • Information about the LOG FILE and their paths
  • Information about the DATA FILE location and their format
  • Storage mechanism of the USERNAME/PASSWORD of the application
  • So on

Reconnaissance / Information Gathering - Few Tools for Web Application Reconnaissance
  • Wappalyzer
  • Passive Recon
  • Ground Speed [http://www.slideshare.net/groundspeed/groundspeed-presentation-at-the-owasp-nynj]

Software | URL | Description
  • Maltego (http://www.paterva.com/web5): The de facto standard for mining data on individuals and companies. Comes in a free community version and a paid version.
  • Nessus (http://tenable.com/products/nessus): A vulnerability scanning tool available in paid and free versions. Nessus is useful for finding and documenting vulnerabilities mostly from the inside of a given network.
  • IBM AppScan (http://www-01.ibm.com/software/awdtools/appscan): IBM's automated Web application security testing suite.
  • eEye Retina (http://www.eeye.com/Products/Retina.aspx): Retina is an automated network vulnerability scanner that can be managed from a single web-based console. It can be used in conjunction with Metasploit: if an exploit exists in Metasploit, it can be launched directly from Retina to verify that the vulnerability exists.
  • Nexpose (http://www.rapid7.com): Nexpose is a vulnerability scanner from the same company that brings you Metasploit. Available in both free and paid versions that differ in levels of support and features.
  • OpenVAS (http://www.openvas.org): OpenVAS is a vulnerability scanner that originally started as a fork of the Nessus project.
The actual security scanner is accompanied with a daily updated feed of Network Vulnerability Tests (NVTs), over 20,000 in total (as of January 2011).
  • HP WebInspect (https://www.fortify.com/products/web_inspect.html): HP WebInspect performs web application security testing and assessment for complex web applications. Supports JavaScript, Flash, Silverlight and others.
  • HP SWFScan (https://h30406.www3.hp.com/campaigns/2009/wwcampaign/1-5TUVE/index.php?key=swf): HP SWFScan is a free tool developed by HP Web Security Research Group to automatically find security vulnerabilities in applications built on the Flash platform. Useful for decompiling Flash apps and finding hard-coded credentials, etc.
  • THC IPv6 Attack Toolkit (http://www.thc.org/thc-ipv6): The largest single collection of tools designed to exploit vulnerabilities in the IPv6 and ICMP6 protocols.
Pen Test Tools and Guidelines - http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines

Security Tools and Version Analysis
Tools analysis helps the teams to select the applicable tools upfront and build the required competency to use them / acquire licenses, well before the test execution phase.

Scanning is the phase where the vulnerabilities and the weak areas in the system / target can be identified. Tools are to be finalized based on the application scope.
  • Based on the Threat Modeling Analysis, understand the Trust Boundary.
  • Analyze the present Risk Mitigation mechanism and derive test scenarios.
  • Analyze the proposed Risk Mitigation mechanism and devise test scenarios.
  • Threat Modeling analysis is to be done both at System and at Sub-system level.
  • So on

System Scanning and further Analysis / Test Scenarios from Threat Modeling Analysis
Category | Tool / Technique | Applicability Analysis
  • Scanning of the system under test using Static Code Analyzer | Fortify, Coverity |
  • Determining if a system is alive | |
  • Scanning Application | AppScan, Acunetix, RSAS, QRADAR |
  • ...
Entity or Process | Threat Type | Applicable? | Test Scenario based on Current Mitigation | Test Scenario based on Proposed Mitigation
  • Requirement 1 | S | Yes | |
  • Requirement 1 | T | No | |
  • Requirement 1 | R | | |
  • Requirement 1 | I | | |
  • Requirement 1 | D | | |
  • Requirement 1 | E | | |

Vulnerability analysis is the process in which the vulnerability analysis of the system and its features is conducted. The various ways in which it can be done are:
  • Threat Modeling analysis
  • Reconnaissance / Information Gathering
  • System level vulnerability based on the Security Area (overlap with Threat Modeling Analysis)
  • Feature level vulnerability based on the Security Area (overlap with Threat Modeling Analysis)

System and Feature level Vulnerability Analysis
Security Area columns: Does this Feature interact with Trust Boundary | SSL Configuration used | Encryption Algorithm used | Anti-Attack Protection | Identity Management | Password Management
Rows: System Level Analysis; Feature 1; So on

Systematic Penetration Testing Defects Examples
  • Web Server version based Defects
  • Encryption issues
  • Address ID issue
  • Session ID based Privilege Escalation
  • CSRF issue - Form key
  • User scenario based SQL injection

Penetration Testing Practice platforms

Some Anti Patterns
  • Attack Surface analysis, Threat modeling not deeply practiced
  • Secure design and code practices not practiced well
  • Ignoring some errors of Fortify / Coverity and other tools, sometimes considering them as false positives
  • Relying too much on Testing
  • "This is not a valid scenario.
Customer would never test this way."
  • Innocent until Proven - It should be Guilty unless proven
Reference: Software Security by Michael Hicks, Coursera

Conclusion
  • Build Security into the Life Cycle of product development
  • Focus on Security Competency
  • Assume Nothing, Believe Nobody, Check Everything.
  • Follow the Penetration Test Design Methods - Reconnaissance - Scanning - Attack - Manage Access.

References and Further Reading
  • www.cert.org
  • www.owasp.org
  • http://pr.huawei.com/en/connecting-the-dots/cyber-security/
  • http://pr.huawei.com/en/connecting-the-dots/cyber-security/hw-401493.htm#.VV6DBfBCijM
  • https://msdn.microsoft.com/en-us/security/aa570330.aspx
  • Building Secure Software - John Viega, Gary McGraw
  • Coursera Course - Software Security by Michael Hicks, University of Maryland

THANK YOU
Organized by: UNICOM Trainings & Seminars Pvt. Ltd.
contact@unicomlearning.com
www.unicomlearning.com/IT_Security_and_Ethical_Hacking
Speaker Name: Anish Cheriyan, Sriharsha Narayanam
Email ID: anishcheriyan@huawei.com, @anishcheriyan; sriharsha.narayanam@huawei.com

Sheet1 (embedded tool list)
Software | URL | Description | Windows Only (a trailing * on a description marks the Windows Only column)
  • Maltego (http://www.paterva.com/web5): The de facto standard for mining data on individuals and companies. Comes in a free community version and a paid version.
  • Nessus (http://tenable.com/products/nessus): A vulnerability scanning tool available in paid and free versions. Nessus is useful for finding and documenting vulnerabilities mostly from the inside of a given network.
  • IBM AppScan (http://www-01.ibm.com/software/awdtools/appscan): IBM's automated Web application security testing suite. *
  • eEye Retina (http://www.eeye.com/Products/Retina.aspx): Retina is an automated network vulnerability scanner that can be managed from a single web-based console. It can be used in conjunction with Metasploit: if an exploit exists in Metasploit, it can be launched directly from Retina to verify that the vulnerability exists.
  • Nexpose (http://www.rapid7.com): Nexpose is a vulnerability scanner from the same company that brings you Metasploit.
Available in both free and paid versions that differ in levels of support and features.
  • OpenVAS (http://www.openvas.org): OpenVAS is a vulnerability scanner that originally started as a fork of the Nessus project. The actual security scanner is accompanied with a daily updated feed of Network Vulnerability Tests (NVTs), over 20,000 in total (as of January 2011).
  • HP WebInspect (https://www.fortify.com/products/web_inspect.html): HP WebInspect performs web application security testing and assessment for complex web applications. Supports JavaScript, Flash, Silverlight and others. *
  • HP SWFScan (https://h30406.www3.hp.com/campaigns/2009/wwcampaign/1-5TUVE/index.php?key=swf): HP SWFScan is a free tool developed by HP Web Security Research Group to automatically find security vulnerabilities in applications built on the Flash platform. Useful for decompiling Flash apps and finding hard-coded credentials, etc. *
  • Backtrack Linux ([1]): One of the most complete penetration testing Linux distributions available. Includes many of the more popular free pentesting tools but is based on Ubuntu, so it is also easily expandable. Can be run from a Live CD, USB key or VM, or installed on a hard drive.
  • SamuraiWTF (Web Testing Framework) (http://samurai.inguardians.com): A live Linux distribution built for the specific purpose of web application scanning. Includes tools such as Fierce, Maltego, WebScarab, BeEF and many more tools specific to web application testing.
  • SiteDigger (http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx): SiteDigger 3.0 is a free tool that runs on Windows.
It searches Google's cache to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on web sites. *
  • FOCA (http://www.informatica64.com/DownloadFOCA): FOCA is a tool that allows you to find out more about a website by (amongst other things) analysing the metadata in any documents it makes available. *
  • THC IPv6 Attack Toolkit (http://www.thc.org/thc-ipv6): The largest single collection of tools designed to exploit vulnerabilities in the IPv6 and ICMP6 protocols.
  • THC Hydra (http://thc.org/thc-hydra/): Hydra is a very fast network logon brute force cracker which can attack many different services and resources. *
  • Cain (http://www.oxid.it/cain.html): Cain & Abel is a password recovery tool that runs on Windows. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. *
  • cree.py (http://ilektrojohn.github.com/creepy/): cree.py gathers geolocation related information from social networking platforms and image hosting services. The information is then presented on a map where all the retrieved data is shown together with relevant information (i.e. what was posted from that specific location) to provide context.
  • inSSIDer (http://www.metageek.net/products/inssider): inSSIDer is a free GUI-based wifi discovery and troubleshooting tool for Windows. *
  • Kismet Newcore (http://www.kismetwireless.net): Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system.
Kismet passively collects packets from both named and hidden networks with any wireless adapter that supports raw monitor mode.
  • Rainbow Crack (http://project-rainbowcrack.com): Rainbow Crack is a password cracker that will run a pre-computed rainbow table against a given series of hashes.
  • dnsenum (http://code.google.com/p/dnsenum): Think of dnsenum as a supercharged version of a whois query. It not only discovers all of the DNS records but goes a step further and attempts to use Google to discover subdomains, discovers BIND versions and more.
  • dnsmap (http://code.google.com/p/dnsmap): Dnsmap is a passive DNS mapper that is used for subdomain brute-force discovery.
  • dnsrecon (http://www.darkoperator.com/tools-and-scripts/): DNS enumeration script written in Ruby for performing TLD expansion, SRV record enumeration, host and subdomain brute force, zone transfer, reverse lookup and general record identification.
  • dnstracer (http://www.mavetju.org/unix/dnstracer.php): dnstracer determines where a given Domain Name Server (DNS) gets its information from and follows the chain of DNS servers back to the servers which know the data.
  • dnswalk (http://sourceforge.net/projects/dnswalk): Dnswalk is a DNS debugger. It performs zone transfers of specified domains, and checks the database in numerous ways for internal consistency, as well as accuracy.
  • Fierce (http://ha.ckers.org/fierce): Fierce domain scan discovers non-contiguous IP ranges of a network.
  • Fierce2 (http://trac.assembla.com/fierce/): Fierce 2 is an updated version that is maintained by a new group of developers.
  • FindDomains (http://code.google.com/p/finddomains): FindDomains is a multithreaded search engine discovery tool that will be very useful for penetration testers dealing with discovering domain names / web sites / virtual hosts which are located on too many IP addresses.
Provides a console interface so you can easily integrate this tool into your pentesting automation system. *
  • HostMap (http://hostmap.lonerunners.net): hostmap is a free and automatic tool that enables the discovery of all hostnames and virtual hosts on a given IP address.
  • URLcrazy (http://www.morningstarsecurity.com/research/urlcrazy): URLCrazy is a domain name typo generator. This will allow you to find squatted domains related to your target company and possibly generate some of your own.
  • theHarvester (http://www.edge-security.com/theHarvester.php): theHarvester is a tool for gathering e-mail accounts, user names and hostnames/subdomains from different public sources like search engines and PGP key servers.
  • The Metasploit Framework (http://metasploit.com): Metasploit is an ever-growing collection of remote exploits and post-exploitation tools for all platforms. You will want to constantly run svn updates on this tool since new features and exploits are added nearly daily. Metasploit is both incredibly powerful and complex. For further guidance, check out this book: http://nostarch.com/metasploit.htm
  • The Social-Engineer Toolkit (SET) (http://www.secmaniac.com/download/): The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. Amongst other things, SET allows you to craft malicious emails and dummy websites based on legitimate ones to complement a social engineering attack.
  • Fast-Track (http://www.secmaniac.com/download/): Fast-Track is an automated pentesting tool suite. Many of the issues Fast-Track exploits are due to improper sanitizing of client-side data within web applications, patch management, or lack of hardening techniques.
It runs on Linux and depends on Metasploit 3.
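The "User scenario based SQL injection" item under Systematic Penetration Testing Defects Examples is the defect class a pen tester raises most often against login and search forms. The following is an added example, not code from the talk: a login query built by string formatting beside the parameterized query that closes the defect, exercised against an in-memory SQLite table. The table, the two user rows and the probe string are constructed for illustration; the plaintext passwords exist only to keep the focus on query construction.

```python
"""SQL injection defect beside its fix, on constructed sample data (added example)."""
import sqlite3
from typing import Callable, List, Tuple

Row = Tuple[str, str]   # (name, role)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users with deliberately trivial plaintext
    passwords. In a real system passwords would be hashed; that is a separate
    defect from the one shown here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "clerk")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> List[Row]:
    """Defect: user input is pasted into the SQL text, so the input can change
    the shape of the query instead of only its data."""
    sql = (f"SELECT name, role FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_fixed(conn: sqlite3.Connection, name: str, password: str) -> List[Row]:
    """Fix: bound parameters keep input as data; the query shape is fixed at
    authoring time and a quote in the input is just a quote."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ? AND password = ?",
        (name, password)).fetchall()


def pen_test_scenario(login: Callable[[sqlite3.Connection, str, str], List[Row]]) -> List[Row]:
    """The test case behind the raised defect: a known username with a password
    string that turns the WHERE clause into a tautology. A secure login returns
    no rows; the vulnerable one returns every user, admin included."""
    conn = make_db()
    return login(conn, "alice", "x' OR '1'='1")


def normal_login(login: Callable[[sqlite3.Connection, str, str], List[Row]]) -> List[Row]:
    """Functional check that the fix did not break the legitimate user scenario."""
    conn = make_db()
    return login(conn, "bob", "hunter2")


if __name__ == "__main__":
    print("vulnerable:", pen_test_scenario(login_vulnerable))   # both users
    print("fixed:     ", pen_test_scenario(login_fixed))        # []
    print("bob/fixed: ", normal_login(login_fixed))             # [('bob', 'clerk')]
```

The same probe doubles as the regression test the talk's "Security Test Cases" bullet asks for: it should be added to the suite once the defect is fixed, so the string-formatted query cannot come back unnoticed.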
