Pentest Open 03 2013
With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device-, version- and configuration-specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail.
You can customize the audit policy for your customers' specific requirements (e.g. password policy), audit the device against that policy and then create the report detailing the issues identified. The reports can include device-specific mitigation actions and be customized with your own company's styling. Each report can then be saved in a variety of formats for management of the issues. Why not see for yourself? Evaluate for free at titania.com.
Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade.
He has been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania's products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems.
www.titania.com
Managing Editor: Patrycja Przybyłowicz, patrycja.przybylowicz@software.com.pl
Betatesters & Proofreaders: Jeff Smith, Cleiton Alves, Hani Ragab, Karol Sitec, Dalibor Filipovic, Eric Geissinger, Amit Chugh, Ricardo Puga, Dan Dieterle, Gregory Chrysanthou, Harish Chaudhary, Abhishek Kar, Gareth Watters, Eric De La Cruz Lugo, Barry Grumbine, Wayne Kearns, Steven Wierckx, Jakub Walczak, Artem Shishkin, Donald Iverson, Ewa Duranc, Stefanus Natahusada, Tzvi Spitz, Vaman Kini, Jeff Weaver, Vaman Amarjeet, Larry Karisny, Gavin Inns, Vaman Amarjeet, Abhishek Koserwal, Peter Harmsen, Hussein Rajabali
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic, ewa.dudzic@software.com.pl
Art Director: Ireneusz Pogroszewski, ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca, andrzej.kuca@software.com.pl
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.pentestmag.com
Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.
Dear Readers,

We would like to present you the third issue of PenTest Open, a free monthly publication where you can read some of our best articles from last month. This time you will find here a selection of really good tutorials written by our best authors and experienced pentesters. We hope that this read will help you to improve your skills and allow you to broaden your horizons.

We start with Guglielmo Scaiola's tutorial, where he presents how to create your own SQLi test lab. By establishing a virtual environment for your work, you will be able to test your skills in a legal and effective way. Austin Scott's article is dedicated to data diodes, which are used in applications requiring the highest level of security, such as state secret protection. He explores the inner workings and practical control system applications of these uni-directional gateways and provides a step by step guide showing how to create your own using open source software. Terrance Stachowski will teach you how to prepare a professional and detailed penetration test report. Take advantage of the experience and knowledge that he agreed to share with you. Since the work of a penetration tester often requires being mobile, Domagoj Vrataric in his short tutorial will show you how you can achieve it by transforming your tablet into a pentest platform. On the other hand, Albert Whale describes the changes being made in the Homeland Security activities for new software in development, and how they are improving our overall security. From his article you will find out which activities can fit into their Software Development Lifecycle (SDLC) programs to further benefit other organizations as well. The article by Prashant Mishra deals with the problem of internal security matters within any organization and puts the accent on the importance of a well constructed Information Security Policy in the company.

We hope that you will find this selection of articles worth your time and will enjoy the reading.

PenTest Team
DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
OPEN 03/2013
http://pentestmag.com
CONTENTS

06
By Guglielmo Scaiola
Enter virtualization technology, where it is possible to create an extensive lab without the risk of being jailed. There are many virtual machine technologies to choose from: VMware ESXi and VMware Workstation, Microsoft Hyper-V, Xen, or VirtualBox. Your choice may be related to your favorite operating system or your computer hardware. The author, in his professional work, uses different virtualization products. However, in this article he describes VMware Workstation 8, but you can transform the examples with a few modifications to another virtual environment.

14 Defending Industrial Control Systems with Data Diodes
By Austin Scott
Originally designed by government organizations to protect top secret information, data diodes are most commonly used in applications requiring the highest level of security such as state secret protection, banking or battlefield up-links. In recent years we could observe an increasing demand for data diodes in the world of industrial control and automation to protect critical infrastructure due to the simple and virtually impenetrable nature of these devices. In this article the author explores the inner workings and practical control system applications of these uni-directional gateways and provides a step by step guide to creating your own using open source software.

SOCIAL ENGINEERING
By Prashant Mishra
These days about 90% of the business depends on Information Security as it can be accessible through Internet from anywhere. The security within any organization starts with building a Security Policy, a centralized, evolving document defining what is allowed and what is not.
There are many virtual machine technologies to choose from: VMware ESXi and VMware Workstation, Microsoft Hyper-V, Xen, or VirtualBox. Your choice may be related to your favorite operating system or your computer hardware. In my professional work I use different virtualization products, but in this article I will use VMware Workstation 8; you can transform the examples with a few modifications to another virtual environment. I will assume that the virtualization system is already properly installed. After this, the first step is the preparation of the attacking machine. I think that nowadays the choice is obvious: BackTrack (http://www.backtrack-linux.org/downloads/), which you can install in a new virtual machine. If you want to maintain a good working lab and follow these exercises, I do not recommend using the live version, since the exercises will go better if you persistently update your installation with the latest version. The second step, after you have properly configured the network adapter, is the upgrade of the attacking machine. You can do this with these simple instructions (see Figure 1):

root@bt:~# apt-get update
root@bt:~# apt-get upgrade

Now we can set up the IP address, in my case 192.18.254.1/24. It is also better to stop the DHCP client started by default, to avoid losing your IP address. (See Figure 2).
Now we can install the target machine. For this lab I will install a Windows 2K8 R2 machine. If you do not have a regular license you can download the 180 days trial version at http://www.microsoft.com/en-us/download/details.aspx?id=11093, but if you think you will be creating a lot of labs with the Windows system, the best way is to subscribe to a Microsoft TechNet subscription. With this subscription you can download all Microsoft operating systems for testing purposes without expiration. You can use the default installation and, after configuring the network card (in my lab the IP address is 192.168.254.202), you can install all of the Windows updates. The purpose of this lab is to attack the web page and the back-end database. After that you need to download XAMPP, which is a simple WAMP (Windows, Apache, MySQL and PHP) package (http://www.apachefriends.org/it/xampp.html). The installation of this package is very Windows-like: next... next... next. I downloaded and installed the portable lite version and I shortened the path to c:\xampp. After the completion of the XAMPP installation you have a complete Apache environment, powered by PHP and MySQL, and for administering XAMPP there is a friendly console, xampp-control, in the xampp directory. (See Figure 3). Depending on your needs it is possible to remove HTTPS, using the Config button, Apache (httpd-ssl.conf). (See Figure 4).
Put a # in front of the Listen 443 line to comment it out. (See Figure 5). Now you can start Apache without any problems. If you have the default configuration in Windows 2K8 server, you need another little step to make it work correctly: you must allow Apache through the Windows Firewall. The fastest way to do this in our lab is to enable "Notify me when Windows Firewall blocks a new program". Go to Control Panel > System and Security > Windows Firewall > Change notification settings, and here you can set the new notification status. (See Figure 6). After setting "Notify me when Windows Firewall blocks a new program", if you start Apache from the XAMPP console, a pop-up warning will appear asking you to allow access, and your Apache daemon will work properly. (See Figure 7). The last step to build your complete lab is to download the vulnerable web application. For this test I have chosen Damn Vulnerable Web App (http://www.dvwa.co.uk/). This web application is built with a lot of vulnerabilities and in this article we will look
Figure 7. Ops
Figure 11. :(
Figure 9. It works
login.php, and this page needs authentication. (See Figure 12). The username is admin and the password is password. (See Figure 13). Now we are ready to try the lab exercises. If you need a little video for reviewing the DVWA installation, you can find it at http://www.youtube.com/watch?v=GzIj07jt8rM.
After setting up the lab, we need to know all the tools that we will use in the exercise. The first one is sqlmap (http://sqlmap.org/) and it is my preferred SQL injection tool. In my opinion it has a very good balance between power, simplicity and flexibility: sqlmap supports a lot of database engines and various injection techniques (six types, for the nerds), is capable of dumping database tables, downloading and uploading files, executing commands, and it has a bunch of other nice features. (See Figure 14). In this exercise we will see some basic, but interesting, features of this tool, and we also need to keep in mind that the website needs authentication, and this authentication is performed through cookies. sqlmap is able to manage the cookies, but how do we capture them? Which tool is able to do that? For the demo, to capture cookies, I try two techniques: the first is the use of a Firefox plug-in, and the second one is a very powerful tool called Burp Suite (http://www.portswigger.net/burp/). (See Figure 15). Burp Suite is an integrated platform for testing web apps. It is possible to buy the more powerful professional suite, with more functions like Burp Intruder or Burp Scanner, but for testing purposes it is sufficient to use the free edition. With Burp Proxy, after configuring the web browser for it, it is possible to pause HTTP sessions and manipulate the GET and POST traffic. If you need only a part of these features, you can use the Firefox plugin called Tamper Data. With Tamper Data you can pause the session in the same manner as the Burp proxy and intercept cookies. In BackTrack, all these tools are installed by default. (See Figure 16).
Figure 14. We meet with sqlmap
Figure 16. The little friend Tamper Data
the proxy configuration in Firefox (Edit > Preferences > Advanced > Network > Settings), I set manual proxy configuration with HTTP proxy address 127.0.0.1 and port 8080 and I save the configuration. (See Figure 19). Now I load the login page of my vulnerable web app; every time a page is transmitted or received, Burp will prompt you with a flashing icon, where you can choose to go forward with the Forward button. Again, you must log in with the username and password when prompted by the application, and now you can intercept the PHPSESSID in Burp. (See Figure 20). After this you can close Burp and delete the proxy configuration in Firefox. In the real world we can intercept this session id with sniffing or with other stealing techniques. In the image you can see the cookie intercepted by sniffing the wire with Wireshark. (See Figure 21). Now the first step is finished: I have the session cookie and I can use it to inject the application with sqlmap. In BackTrack, sqlmap is located in /pentest/database/sqlmap/, but before the injection I take a look at the vulnerable web page. The page is http://192.168.254.202/dvwa/vulnerabilities/sqli and you can reach this page with the SQL Injection button on the left of the login page. I tried some input to the page. I tried inserting 1 in the User ID field; now I can copy the URL
and I can use it as the injection URL for sqlmap. (See Figure 22). For testing my injection I need some parameters: the first is the session cookie, which I already have; the second is the vulnerable URL, which I have also (in the real world I might not know where the vulnerable one is located and I would need to try ALL possible vulnerable URLs, but for testing purposes I submit the vulnerable URL directly). One way to try SQL injection is to insert a single quote in the input; if we are using the low security level in DVWA we can see an error page. (See Figure 23). But if we use the DVWA security level set to high we do not see anything and, naturally, I want to use high security. In DVWA, for learning purposes, the cookie can manage the security level (security=high), but in real life this is not that easy. (See Figure 24). Next, I open a shell, change directory with cd /pentest/database/sqlmap/ and I try my first automated
This string, if the security level is set to high, does not work, as you can see in the next image. (See Figure 25). Now I try to inject my second string: ./sqlmap.
If you use the security level set to low, the injection is simple, but with the security level set to medium, the PHP function mysql_real_escape_string is used to prepend backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a. This means that the SQL server will interpret single or double quotes as text. At this point it is necessary to enter any text requiring quotes as their ASCII hex-en-
It is not too difficult to suppose that the database name is dvwa and I give this info to the sqlmap injection as parameters. Now, with this additional info, the injection string for extracting database tables becomes:

./sqlmap.py --cookie="security=medium;PHPSESSID=gl9kses7umi8rvmo34l184ka22" -u "http://192.168.254.202/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --string=Surname -D dvwa --tables

(see Figure 28). And the result is shown on Figure 29. Now we dump the table. I think that the users table is more interesting to look inside with this injection, so I try:

./sqlmap.py --cookie="security=medium;PHPSESSID=gl9kses7umi8rvmo34l184ka22" -u "http://192.168.254.202/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --string=Surname -D dvwa -T users --dump

(see Figure 30).

Ok, now I have the username and the password hash (if in your application the passwords are in plaintext, the task is already ended at this step), and if I suppose that these hashes were produced with the MD5 algorithm, I can try to crack them in different manners. Today I try to crack them by querying a website: http://www.md5decrypter.co.uk/ (see Figure 31). But it is possible to crack the MD5 hash with rainbow tables, or with the evergreen John the Ripper.
Figure 31. Sorry John the Ripper, tonight I don't want to work hard
Just for ending the article, if you set the security level to high, you will use these two functions: stripslashes and is_numeric. The specific piece of code is:
    // Retrieve data
    $id = $_GET['id'];
    $id = stripslashes($id);
    $id = mysql_real_escape_string($id);
    if (is_numeric($id)) {
        $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
        $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>');
        // ... the rest of the handler (fetching and printing the rows) is not shown here
    }
This code is pretty secure, to my knowledge; the idea of the DVWA developers was to teach other developers how to write secure code. At this URL, http://0xzoidberg.wordpress.com/2010/06/13/sqlinjection-dvwa-continued/, you can find some additional information about the code. It is also interesting to analyze the use of the deprecated magic_quotes_gpc setting in an attempt to increase security: http://blog.kotowicz.net/2009/10/hardening-php-magicquotesgpc-false.html. I hope this article served you to begin taking the first steps into the world of web application security, especially without going to jail. DVWA offers a lot of other examples of various issues, and you can find other vulnerable apps, online or for installation on local web servers, for testing and improving your skills without risk. Hack to live, live to hack!
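To make the three DVWA security levels concrete, here is an added example (my own Python emulation, not DVWA's code) that runs them against an in-memory SQLite table standing in for the lab's MySQL back end. The low and high levels follow the PHP listing above; the medium level is assumed to interpolate the escaped value without surrounding quotes, which is what the hex-encoding remark in the medium section implies, and the parameterized lookup at the end is the modern alternative rather than anything the article shows.

```python
import re
import sqlite3

# Constructed sample rows standing in for DVWA's users table.
USERS = [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Pablo", "Picasso")]


def make_db():
    """In-memory SQLite database playing the role of the lab's MySQL back end."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return con


def mysql_real_escape_string(value):
    """Emulates PHP's mysql_real_escape_string(): prepends a backslash to NUL, LF, CR,
    backslash, single quote, double quote and Ctrl-Z (0x1a). Nothing else is touched."""
    table = {"\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def stripslashes(value):
    """Emulates PHP's stripslashes(): removes a backslash, keeping the character after it."""
    return re.sub(r"\\(.)", r"\1", value, flags=re.DOTALL)


def is_numeric(value):
    """Approximates PHP 5's is_numeric(): optional leading whitespace and sign, digits with
    optional fraction and exponent, and nothing else. A quote or a space inside fails."""
    return re.fullmatch(r"\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?", value) is not None


SELECT = "SELECT first_name, last_name FROM users WHERE user_id = "


def build_query(level, user_id):
    """Return the SQL text the emulated DVWA level would send, or None when the input
    is rejected before any query is built."""
    if level == "low":
        # Raw interpolation inside quotes: a quote in the input ends the string literal.
        return SELECT + f"'{user_id}'"
    if level == "medium":
        # Escaped, but interpolated without quotes (assumption, see lead-in), so a
        # quote-free payload such as 1 OR 1=1 passes through the escaper untouched.
        return SELECT + mysql_real_escape_string(user_id)
    if level == "high":
        # The PHP listing above: stripslashes, escape, then the is_numeric gate.
        cleaned = mysql_real_escape_string(stripslashes(user_id))
        if not is_numeric(cleaned):
            return None
        return SELECT + f"'{cleaned}'"
    raise ValueError(f"unknown level {level!r}")


def lookup(con, level, user_id):
    """Run the emulated level. Returns (outcome, rows): 'rejected' means the input never
    reached SQL, 'error' means the database refused the statement, 'rows' means it ran."""
    sql = build_query(level, user_id)
    if sql is None:
        return "rejected", []
    try:
        return "rows", con.execute(sql).fetchall()
    except sqlite3.Error:
        return "error", []


def lookup_parameterized(con, user_id):
    """Prepared statement: the input is bound as data and never parsed as SQL, so neither
    escaping nor the numeric gate is needed for safety."""
    return con.execute(SELECT + "?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for payload in ("1", "1' OR '1'='1", "1 OR 1=1"):
        for lvl in ("low", "medium", "high"):
            print(f"{lvl:6} {payload!r:16} -> {lookup(db, lvl, payload)}")
        print(f"param  {payload!r:16} -> {lookup_parameterized(db, payload)}")
```

Running it shows the quoted payload returning every row at low, the database rejecting it at medium, and both payloads stopped by is_numeric at high, while the unquoted 1 OR 1=1 still dumps the table at medium because escaping alone does nothing in a numeric context.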
Guglielmo Scaiola has worked as an I.T. Pro since 1987. He is a freelance consultant, pentester and trainer, and works especially in the banking environment. Over the years he has achieved several certifications, including: MCT, MCSA, MCSE, Security+, Lead Auditor ISO 27001, ITIL, eCPPT, CEI, CHFI, CEH and ECSA. In 2011 he was awarded the EC-Council Instructor Circle of Excellence. He can be contacted at s0ftwar@miproparma.com.
Guglielmo Scaiola
Defending Industrial Control Systems with Data Diodes
Originally designed by government organizations to protect top secret information, data diodes are most commonly used in applications requiring the highest level of security such as state secret protection, banking or battlefield up-links.
In recent years I have seen an increasing demand for data diodes in the world of industrial control and automation to protect critical infrastructure due to the simple and virtually impenetrable nature of these devices. In this article we will explore the inner workings and practical control system applications of these unidirectional gateways and provide a step by step guide to creating your own using open source software.

Sometimes known as a unidirectional network or unidirectional security gateway, data diodes ensure the safety of sensitive information within a network. I prefer to call them Data Diodes when speaking about Industrial Control and Automation System (a.k.a. ICAS / ICS / SCADA / DCS systems) security because anyone with an electrical background almost instantly recognizes their function. By creating a physical barrier that only allows data transfers in one direction (hence the uni in unidirectional) we can enhance security in one of two ways:

- Making a network segment write only (see Figure 1).
- Making a network segment read only (the more common configuration for control systems), see Figure 2.
Strength in Simplicity
The strength of a Data Diode is its simplicity. At the core of all data diodes is a simple duplex fiber optic connection (fiber optic connections often have a dedicated send / receive fiber strand) with either the send or receive fiber disconnected. Severing one of the physical fiber connections makes it impossible to send data in one direction. (See Figure 3).
Figure 3. Fiber Optic Patch Cable link at the Heart of a Data Diode
Data diodes were originally developed for use in the defense industry in order to protect top secret information from getting into the wrong hands. If you read the marketing materials put out by the data diode vendors you will see they are sprinkled with military terms like tactical deployment and warfighter operations which is a clear indication of the audience they are targeting. Most data di-
ICSSec (Industrial Control System and Automation System Security) in the Real World
If you believe in the so called control system Air Gap then I have a unicorn farm run by leprechauns I would love to sell you. I will not dispute the fact that it is a terrible idea to directly connect any piece of industrial equipment or SCADA system to the Internet. However, in my experience most control systems are indirectly connected to the Internet. Why would anyone be foolish enough to indirectly connect a SCADA / DCS system to the Internet? The answer is simple: people need the data. The data generated by an industrial control system is pure gold; far too valuable to not be connected to the corporate network. Data taken directly from the SCADA / DCS is used by most business units in an organization, for example:

- Accounting: How many widgets did we produce? How much oil did we pump? How much process downtime did we have?
- Regulatory Compliance: How much greenhouse gas did our process produce? Did the formula change for the drug we are manufacturing?
- Health and Safety: For the past 15 years, has the toxic gas our workers have been exposed to been within a safe limit?
- Preventative Maintenance: How many running hours until we need to rebuild that motor?
- Process Optimization: What are the most common alarms? How long does it take the operator to intervene in the SCADA system when the process enters an abnormal situation? What was the energy usage in DCS A compared to DCS B?
- Quality Control: Was there a problem with the process while we were making the product with serial #192813?

Keep in mind that many control systems are in remote locations, far from the corporate headquarters that pay their bills. Most people are not willing to jump on a plane to collect some data they need for a report and reading values over
If you are familiar with TCP/IP (Transmission Control Protocol), you are probably questioning the practicality of such a solution as TCP/IP requires two way communication to work. TCP/IP requires a two way handshake (SYN / ACK) in order to establish a connection and terminate a connection. In fact there is a very common misconception that it is impossible to use TCP/IP connections through a data diode. (See Figure 6). There are two ways around this problem:
Figure 8. Two Bare Bone Mini-PCs for our homemade data diode
Figure 9. Two PCI Express Fiber Optic ST Cards for the Fiber Optic Link in our do-it-yourself Data Diode
- UDP (User Datagram Protocol) variants of protocols should be used when available. UDP is a lightweight protocol typically used for speed as it does not waste network bandwidth by handshaking or data integrity checksums.
- TCP/IP client-server reverse proxies on either end of the data diode can be set up to respond to the handshaking requests automatically without the need to actually send any data back to the insecure network. A reverse proxy server retrieves data from another computer and serves it up as if it were the original source. Reverse proxies are most frequently used to speed up the delivery of web content and reduce the load on the content main server. The client-server proxies solution should work in most cases; however, thorough testing should be completed in a lab environment before deploying a data diode solution into an ICS. (See Figure 7).
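As an added example (mine, not from the article or any vendor's product), here is the sending and receiving logic of the UDP option in Python: because nothing can travel back across the diode, every datagram carries a sequence number and a payload digest so the read-only side can detect loss and corruption by itself instead of relying on TCP's acknowledgements. The frame layout, the loopback port and the sample process readings are my own constructions.

```python
import hashlib
import json
import socket
import struct

MAGIC = b"DIOD"                    # constructed frame marker, not a real protocol
HEADER = struct.Struct("!4sI8s")   # magic, sequence number, truncated SHA-256 of payload


def encode_frame(seq, payload):
    """Wrap a payload for the one-way link: the digest replaces the integrity feedback
    TCP would give, and the sequence number lets the receiver notice loss on its own."""
    digest = hashlib.sha256(payload).digest()[:8]
    return HEADER.pack(MAGIC, seq, digest) + payload


def decode_frame(frame):
    """Return (seq, payload), or None for a malformed or corrupted frame."""
    if len(frame) < HEADER.size:
        return None
    magic, seq, digest = HEADER.unpack(frame[:HEADER.size])
    payload = frame[HEADER.size:]
    if magic != MAGIC or hashlib.sha256(payload).digest()[:8] != digest:
        return None
    return seq, payload


class DiodeReceiver:
    """Read-only side of the link. It consumes frames, keeps the readings and records
    sequence gaps; it never sends anything, so nothing on the receiving network can be
    pushed back toward the control system."""

    def __init__(self):
        self.expected = 0
        self.missing = []
        self.readings = []

    def feed(self, frame):
        decoded = decode_frame(frame)
        if decoded is None:
            return False                 # corrupted or foreign datagram: drop silently
        seq, payload = decoded
        if seq > self.expected:
            self.missing.extend(range(self.expected, seq))   # datagrams lost in transit
        if seq >= self.expected:
            self.expected = seq + 1
            self.readings.append(json.loads(payload))
        return True


def replicate(readings, drop=()):
    """Push readings over a loopback UDP socket with no return path and collect what
    arrives. `drop` lists sequence numbers withheld to simulate loss on the fiber."""
    sink = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sink.bind(("127.0.0.1", 0))
    sink.settimeout(0.5)
    source = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for seq, reading in enumerate(readings):
            if seq not in drop:
                source.sendto(encode_frame(seq, json.dumps(reading).encode()), sink.getsockname())
        receiver = DiodeReceiver()
        while len(receiver.readings) < len(readings) - len(drop):
            try:
                receiver.feed(sink.recv(65535))
            except socket.timeout:
                break
        return receiver
    finally:
        source.close()
        sink.close()


if __name__ == "__main__":
    # Constructed process readings, as a historian on the control network might publish them.
    sample = [{"tag": "FIC-101", "value": 12.5 + i, "t": 1000 + i} for i in range(5)]
    rx = replicate(sample, drop={2})
    print("received:", [r["value"] for r in rx.readings], "missing seq:", rx.missing)
```

The receiver's missing list is the only loss signal a one-way link can provide, so in practice the sending side resends periodically or adds forward error correction rather than waiting for a retransmit request that can never arrive.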
If you were to crack open a typical data diode you would see it is simply made up of two mini-PCs with a fiber-optic link running between them. There are dozens of patents around variants of data diodes and data diode software. For example, there is a patent for a data diode that only uses a single computer to handle both ends of the connection (which seems less secure to me). A fiber link between two computers is far too simple a concept to patent, so you won't end up in court creating a data diode in this configuration. Now let's step through the process of creating our own data diode.
It is important to find a small form factor computer which supports a PCI-Express card, since each of our two (reverse) proxy servers needs a fiber optic PCI-Express card. For most industrial applications I would purchase a couple of fan-less industrial PCs with solid state hard drives that can be stored in a locked computer panel box or server room. For the purposes of our proof of concept I will purchase two low cost PCs:

- Slim barebones PC with a PCI-Express card slot
- Solid state hard disk drive
- 2 GB memory
- i5 processor

These PCs should come with an integrated Ethernet card which we will plug our network connection through. 2 x Barebones PC with PCI-Express card slot, $600.00 each (see Figure 8).
Figure 10. The heart of our handcrafted unidirectional gateway is the ST Fiber Optic Patch cable
If you don't have experience with fiber optic networks you need to be aware of the many standards and modes that are available. It is critical that you select fiber optic cards and a patch cable that are all compatible. I have selected a multi-mode fiber-to-the-desk PCI-Express card with ST connectors, which make it very easy to disconnect one of the fiber links. 2 x Gigabit Ethernet Multi-Mode ST Fiber Card 1000Mbps PCI-Express, $200.00 each (see Figure 9).
I prefer to use OpenBSD because it is free, open source, ultra-secure out of the box and I have friends here in Calgary who are OpenBSD gurus.

Depending on the data you want to replicate you can either configure an open source reverse proxy like nginx (engine x) and use your database's web services to replicate the data.

Once you have your two proxy servers configured and communicating to each other you can simply

Conclusion

Data Diodes represent a simple yet virtually impenetrable way of segmenting a network. They have been used for years to secure classified information by government organizations and are an excellent complement to firewalls in a typical control systems defense in depth strategy. Adding a data diode to your network doesn't have to cost tens of thousands of dollars either. You can reap the benefits of a unidirectional data diode for a few thousand dollars and some technical elbow grease.
Austin Scott is CEO of Synergist SCADA Inc and heads up a talented team that offers a consummate blend of controls expertise, industry know-how, and advanced software development skills. Synergist SCADA Inc. is focused on maximizing the effectiveness of our customers' SCADA investment. We provide control systems design, upgrade strategies, HMI / SCADA / PLC programming, security audits, and field services. Austin Scott is currently authoring a book on pragmatic ICS Security practices that is due out this summer.
Austin Scott
SOCIAL ENGINEERING

Introduction

Information is an asset that the organization has a duty and responsibility to protect. The availability of complete and accurate information is essential to the organization functioning in an efficient manner and to providing products and services to customers. The organization holds and processes confidential and personal information on private individuals, employees, partners and suppliers and information relating to its own operations. In processing information the organization has a responsibility to safeguard information and prevent its misuse. The purpose and objective of this Information Security Policy is to set out a framework for the protection of the organization's information assets:

- to protect the organization's information from all threats, whether internal or external, deliberate or accidental,
- to enable secure information sharing,
- to encourage consistent and professional use of information,
- to ensure that everyone is clear about their roles in using and protecting information,
- to ensure business continuity and minimize business damage,
- to protect the organization from legal liability and the inappropriate use of information.

The Information Security Policy is a high level document, and adopts a number of controls to protect information. The controls are delivered by policies, standards, processes, procedures, supported by training and tools.

To ensure that the company continually operates in accordance with the specified policies or procedures and external requirements in meeting company goals and objectives in relation to information security. To ensure that improvements to the ISMS (Information Security Management System) are identified, implemented and suitable to achieve objectives.

Scope

- How sensitive information must be handled.
- How to properly maintain your ID(s) and password(s), as well as any other accounting data.
- How to respond to a potential security incident, intrusion attempt, etc.
- How to use workstations and Internet connectivity in a secure manner.
- How to properly use the corporate e-mail system.

Confidentiality

Confidentiality of information ensures that only those with sufficient privileges may access certain information. When unauthorized individuals or systems can access information, confidentiality is breached. To protect the confidentiality of information, a number of measures are used:

- Information classification
- Secure document storage
- Application of general security policies
- Education of information custodians and end users.

Integrity

Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being compiled, stored, or transmitted.

Availability

Availability is the characteristic of information that enables user access to information without interference or obstruction and in a required format. A user in this definition may be either a person or another computer system. Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users.
Privacy Policy for customers
It is a part of our company's core values that we will properly value and protect any information entrusted to us about our customers. This policy describes how we will safeguard personal and company information, to ensure peace of mind when dealing with our company. It is our policy that:

- Our company will collect only that information about customers which is needed and relevant.
- Our company will not disclose information to other parties unless customers have been properly notified of such a disclosure.
- Our company will strive to make certain that information about customers is kept accurate and up-to-date.
- Our company will use appropriate controls to ensure that this information is kept secure, and is only viewed or used by the proper personnel.
- Our company will comply with applicable laws, regulations, and industry standards when protecting employee information.

We hold our employees, vendors, contractors, suppliers, and trading partners to meet this same set of policies.

A basic approach would be:

- Identify what you're trying to protect.
- Look at whom you're trying to protect it from.
- Define what the potential risks are to any of your Information Assets.
- Consider monitoring the process continually in order to be up to date with the latest security weaknesses.

A possible list of categories to look at would be:

- Hardware: All servers, workstations, personal computers, laptops, removable media (CDs, floppies, tapes, etc.), communication lines, etc.
- Software: Identify the risks of a potential security problem due to outdated software, infrequent patches and updates to new versions, etc.
- Personnel: Those who have access to confidential information, sensitive data, those who own, administer or in any way modify existing databases.
Risk Management
As in any other sensitive procedure, Risk Analysis and Risk Management play an essential role in the proper functionality of the process. Risk Analysis is the process of identifying the critical information assets of the company and their use and functionality; it is an important (key) process that needs to be taken very seriously. Essentially, it is the very process of defining exactly WHAT you are trying to protect, from WHOM you are trying to protect it and, most importantly, HOW you are going to protect it. In order to be able to conduct a successful Risk Analysis, you need to get well acquainted with the way a company operates: if applicable, the ways of working and certain business procedures, which information resources are more important than others (prioritizing), and identifying the devices / procedures that could lead to a possible security problem. List everything that is essential for the proper functionality of the business processes, like key applications and systems, application servers, web servers, database servers, various business plans, projects in development, etc.
Physical/Desktop & Password Security Policy
- No third party or any other employee can enter the floor without an access card.
- Employees with a company ID card are allowed on the floor.
- Systems are accessible only with a unique ID and password.
- No personal data can be stored on the system.
- No data can be transferred through Bluetooth or WiFi.
- No third party tool can be installed on the system.
- Unofficial sites should be blocked.
- Only licensed software should be used.
- Floppy disks, CDs and hard drives are not allowed in the office.
- No company asset can be logged into remotely.
- Critical infrastructure should be placed in a secure location (preferably a locked room) to prevent unauthorized access.
- Ensure that portals to critical infrastructure are closed and locked.
- Do not let unauthorized laptops or memory sticks into a secure location. If laptops or memory sticks are required, set up processes to ensure that all portable media are scanned for malware with up to date scanning software before allowing contact with a network host.
ID Management
- Each user should have a unique user name and password. Usernames and passwords should not be shared, to enable easier tracking of system events.
- Solutions must enable the creation, editing, and deletion of users while the system is active.
- The system must not provide a back door allowing bypass of authentication procedures.
- Critical data like user names and passwords must be stored in a secure data repository using encryption technology. Access rights to the repository require authentication and should be made available only to trusted personnel.
- Implement password aging.
- Passwords should be more than 8 characters and contain alphanumeric characters, special characters, and a mix of upper and lower case characters.
- Users should change the password after first login with the default password.
- Authorized personnel should change the default password on equipment.
- Use switch port-based MAC address management to deny access to non-authorized users.
- Remote authentication should use encryption technology to transfer the user name and password through the system.
- Limit software installation and execution privileges to specific employees.
- When risk is high, implement two- and three-factor authentication (password, physical device / smart key, and biometrics) or real-time confirmation by a second person.
- Restrict user access to data archives.
- Authentication should be required to modify product firmware.
Securing the server Operating System
After the installation and deployment of the OS, the following basic steps are necessary to secure the OS:
- Patch and update the OS.
- Harden and configure the OS to address security adequately.
- Test the security of the OS to ensure that the previous steps adequately address all security issues.
The combined result of these steps should be a reasonable level of protection for the server's OS.
Remove or Disable Unneeded Default Accounts
The default configuration of the OS often includes guest accounts (with and without passwords), administrator or root level accounts, and accounts associated with local and network services. The names and passwords for those accounts are well known. Remove (whenever possible) or disable unnecessary accounts to eliminate their use by attackers, including guest accounts on computers containing sensitive information. For default accounts that need to be retained, including guest accounts, severely restrict access to the accounts, including changing the names (where possible and particularly for administrator or root level accounts) and passwords to be consistent with the organizational password policy. Default account names and passwords are commonly known in the attacker community.
Disable Non-Interactive Accounts
Disable accounts (and the associated passwords) that need to exist but do not require an interactive login. For Unix systems, disable the login shell or provide a login shell with NULL functionality (e.g., /bin/false).
Create the User Groups
Assign users to the appropriate groups. Then assign rights to the groups, as documented in the deployment plan. This approach is preferable to assigning rights to individual users, which becomes unwieldy with large numbers of users.
Create the User Accounts
The deployment plan identifies who will be authorized to use each computer and its services. Create only the necessary accounts. Permit the use of shared accounts only when no viable alternatives exist. Have ordinary user accounts for server administrators that are also users of the server.
Configure Automated Time Synchronization
Some authentication protocols, such as Kerberos, will not function if the time differential between the client host and the authenticating server is significant, so servers using such protocols should be configured to automatically synchronize system time with a reliable time server.
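As an added example (not from the article), the following script applies the account rules above to constructed /etc/passwd- and /etc/shadow-style records: it flags a well-known default account that is still enabled, an account with an empty password, a service account that keeps an interactive shell instead of /bin/false or nologin, and a second UID 0 login. The account lists and records are sample data, not taken from any real system.

```python
"""Audit Unix-style account records against the rules above.

Added example: the passwd/shadow records, the list of well-known default
accounts and the list of service accounts are constructed sample data.
"""

# Shells that give an account no interactive login.
NON_INTERACTIVE_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}
# Default accounts whose names are widely known (constructed list).
WELL_KNOWN_ACCOUNTS = {"guest", "admin", "test"}
# Accounts that must exist for services but never need a login (constructed list).
SERVICE_ACCOUNTS = {"www-data", "mysql", "backup"}

# Constructed sample: one enabled guest, one service account with a real
# shell, and a second UID 0 login alongside root.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
mysql:x:112:118:MySQL Server:/nonexistent:/bin/false
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:service:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$salt$hash:19000:0:99999:7:::
guest::19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
mysql:*:19000:0:99999:7:::
backup:*:19000:0:99999:7:::
toor:$6$salt$hash:19000:0:99999:7:::
alice:$6$salt$hash:19000:0:99999:7:::
"""


def parse_passwd(text):
    """Parse passwd-format lines (7 colon-separated fields) into a dict by name."""
    users = {}
    for line in text.strip().splitlines():
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """Parse shadow-format lines; only the password hash field is used here."""
    return {line.split(":")[0]: line.split(":")[1] for line in text.strip().splitlines()}


def is_locked(hash_field):
    """A hash starting with '!' or '*' can never match a password (account disabled)."""
    return hash_field.startswith(("!", "*"))


def audit_accounts(passwd_text, shadow_text):
    """Return (account, finding) tuples for every rule that is violated."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = []
    for name, u in users.items():
        hash_field = hashes.get(name, "!")   # no shadow entry: treat as locked
        interactive = u["shell"] not in NON_INTERACTIVE_SHELLS
        # Remove or disable unneeded default accounts.
        if name in WELL_KNOWN_ACCOUNTS and not is_locked(hash_field):
            findings.append((name, "well-known default account is enabled"))
        # A guest account "without password" shows up as an empty hash field.
        if hash_field == "":
            findings.append((name, "account has an empty password"))
        # Non-interactive accounts should get /bin/false or nologin as shell.
        if name in SERVICE_ACCOUNTS and interactive:
            findings.append((name, "service account has interactive shell " + u["shell"]))
        # No back door around authentication: only root may have UID 0.
        if u["uid"] == 0 and name != "root":
            findings.append((name, "additional UID 0 account"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print("%-10s %s" % (account, finding))
```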
Typically the time server is internal to the organization and uses the Network Time Protocol (NTP) for synchronization; publicly available NTP servers are also available on the Internet.
Check the Organization's Password Policy
Set account passwords appropriately. Elements that may be addressed in a password policy include the following:
- Length: a minimum length for passwords, i.e. 8 characters.
- Complexity: the mix of characters required. An example is requiring passwords to contain uppercase letters, lowercase letters, and nonalphabetic characters, and to not contain dictionary words.
- Aging: how long a password may remain unchanged. Many policies require users and administrators to change their passwords periodically. In such cases, the frequency should be determined by the enforced length and complexity of the password, the sensitivity of the information protected, and the exposure level of passwords. If aging is required, consideration should be given to enforcing a minimum aging duration to prevent users from rapidly cycling through password changes to clear out their password history and bypass reuse restrictions.
- Reuse: whether a password may be reused. Some users try to defeat a password aging requirement by changing the password to one they have used previously. If reuse is prohibited by policy, it is beneficial, if possible, to ensure that users cannot change their passwords by merely appending characters to the beginning or end of their original passwords (e.g., original password was mysecret and is changed to 1mysecret or mysecret1).
- Authority: who is allowed to change or reset passwords and what sort of proof is required before initiating any changes.
- Password Security: how passwords should be secured, such as not storing passwords unencrypted on the server, and requiring administrators to use different passwords for their server administration accounts than their other administration accounts.
Some common tips for password security:
- Always use at least an 8 character password with a combination of letters, numbers and special characters (>, %, @, #, $, ^).
- Use passwords that can be easily remembered by you.
- Change the password regularly as per policy.
- Use a password that is significantly different from earlier passwords.
Some common practices which we should not follow are:
- Don't use passwords which reveal your personal information or words found in a dictionary.
- Don't write down or store passwords.
- Don't share passwords over phone or email.
- Don't use passwords which do not match the above complexity criteria.
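The policy elements above, as an added example that is not part of the article: a validator that checks length and complexity, rejects a change that merely prepends or appends characters to a previous password (the mysecret to 1mysecret or mysecret1 case) and enforces minimum and maximum aging. The policy figures, the word list and the function names are this example's own.

```python
"""Validate a password change against the policy elements above.

Added example: the policy figures and the dictionary are constructed and the
helper names are this example's own. Live systems keep only hashes of old
passwords, so the affix check can only be applied to plaintext the change
procedure has in hand (typically the current password the user just typed).
"""
from datetime import date

SPECIALS = set(">%@#$^!&*()-_=+[]{};:,.?/")

# Constructed policy values, illustrative only.
POLICY = {
    "min_length": 8,
    "max_age_days": 90,   # aging: must be changed at least this often
    "min_age_days": 1,    # minimum aging: blocks rapid cycling through history
    "history_size": 5,    # reuse: the last N passwords may not be reused
    "dictionary": {"password", "welcome", "letmein", "qwerty"},
}


def complexity_errors(pw, policy=POLICY):
    """Return the complexity rules the password fails (empty list = passes)."""
    errors = []
    if len(pw) < policy["min_length"]:
        errors.append("too short")
    if not any(c.isupper() for c in pw):
        errors.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        errors.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        errors.append("no digit")
    if not any(c in SPECIALS for c in pw):
        errors.append("no special character")
    if any(word in pw.lower() for word in policy["dictionary"]):
        errors.append("contains a dictionary word")
    return errors


def is_trivial_variant(new_pw, old_pw):
    """True if new_pw is old_pw with characters merely prepended or appended
    (mysecret -> 1mysecret or mysecret1), or old_pw itself, ignoring case."""
    n, o = new_pw.lower(), old_pw.lower()
    if len(o) < 4:                      # a tiny old password would match anything
        return n == o
    return n == o or n.startswith(o) or n.endswith(o)


def reuse_errors(new_pw, history, policy=POLICY):
    """Reject reuse of, or a trivial variant of, any recent password."""
    recent = history[-policy["history_size"]:]
    if any(is_trivial_variant(new_pw, old) for old in recent):
        return ["reuses a recent password or a trivial variant of it"]
    return []


def aging_errors(last_change, today, policy=POLICY):
    """Minimum aging: a change too soon after the last one is refused."""
    if (today - last_change).days < policy["min_age_days"]:
        return ["changed too recently (minimum aging)"]
    return []


def password_expired(last_change, today, policy=POLICY):
    """Maximum aging: True once the password is older than the policy allows."""
    return (today - last_change).days > policy["max_age_days"]


def validate_change(new_pw, history, last_change, today, policy=POLICY):
    """All reasons the change must be rejected; an empty list means accepted."""
    return (complexity_errors(new_pw, policy)
            + reuse_errors(new_pw, history, policy)
            + aging_errors(last_change, today, policy))


if __name__ == "__main__":
    # mysecret -> Mysecret1! is exactly the affix change the policy text warns about.
    print(validate_change("Mysecret1!", ["mysecret"], date(2013, 1, 1), date(2013, 3, 1)))
```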
OSs often do not include all of the security controls necessary to secure the OS, services, and applications adequately. In such cases, administrators need to select, install, configure, and maintain additional software to provide the missing controls. Commonly needed controls include the following:
- Anti-malware software, such as antivirus software, anti-spyware software, and rootkit detectors, to protect the local OS from malware and to detect and eradicate any infections that occur. Examples of when anti-malware software would be helpful include a system administrator bringing infected media to the server and a network service worm contacting the server and infecting it.
- Host-based intrusion detection and prevention software (IDPS), to detect attacks performed against the server, including DoS attacks. For example, one form of host-based IDPS, file integrity checking software, can identify changes to critical system files.
- Host-based firewalls, to protect the server from unauthorized access.
- Patch management or vulnerability management software to ensure that vulnerabilities are addressed promptly. Patch management and vulnerability management software can be used only to apply patches or also to identify new vulnerabilities in the server's OSs, services, and applications.
Periodic security testing of the OS is a vital way to identify vulnerabilities and to ensure that the existing security precautions are effective and that security controls are configured properly (for example, the required cryptographic algorithms are in use to protect network communications). Common methods for testing OSs include vulnerability scanning and penetration testing. Vulnerability scanning usually entails using an automated vulnerability scanner to scan a host or group of hosts on a network for application, network, and OS vulnerabilities. Penetration testing is a testing process designed to compromise a network using the tools and methodologies of an attacker. It involves iteratively identifying and exploiting the weakest areas of the network to gain access to the remainder of the network, eventually compromising the overall security of the network. Vulnerability scanning should be conducted periodically, at least weekly to monthly, and penetration testing should be conducted at least annually. Both of these testing techniques are also applicable to testing the server application. Factors to be considered when deciding whether to test the production server or a similarly configured non-production server include the following:
- The possible impact to the production server. If a certain test technique is likely to cause a denial of service, then that technique should probably be used against the non-production server.
- The presence of sensitive personally identifiable information (PII). If testing could expose sensitive PII, such as Social Security Numbers (SSN) or credit card information, to people without authorization to see it, then organizations should consider performing the testing on a non-production server that holds a false version of the PII (e.g., test data instead of actual sensitive PII).
- How similarly the production and non-production servers can be configured. In practice, there are usually inconsistencies between the test and production environments, which can result in missed vulnerabilities if the non-production servers are used.
Logging
Logging is a cornerstone of a sound security posture. Capturing the correct data in the logs and then monitoring those logs closely is vital. Network and system logs are important, especially system logs in the case of encrypted communications, where network monitoring is less effective. Server software can provide additional log data relevant to server-specific events. Reviewing logs is mundane and reactive, and many server administrators devote their time to performing duties that they consider more important or urgent. However, log files are often the only record of suspicious behavior. Enabling the mechanisms to log information allows the logs to be used to detect failed and successful intrusion attempts and to initiate alert mechanisms when further investigation is needed. Procedures and tools need to be in place to process and analyze the log files and to review alert notifications.
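To show the detection side of the paragraph above (an added example, not the article's own material), this script scans constructed syslog-style sshd lines for a burst of failed logins from one source and raises a separate alert when a successful login from that same source follows. The log lines, host name, addresses and thresholds are constructed.

```python
"""Detect failed and successful intrusion attempts in constructed auth-log lines.

Added example; the format is modelled on syslog/sshd output, but the lines,
host name and addresses are constructed and the thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of failures from one source, then a success,
# followed by an ordinary single failure and success from another source.
SAMPLE_LOG = """\
Mar  3 10:01:02 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 10:01:05 web1 sshd[2203]: Failed password for root from 198.51.100.7 port 40130 ssh2
Mar  3 10:01:09 web1 sshd[2205]: Failed password for root from 198.51.100.7 port 40131 ssh2
Mar  3 10:01:14 web1 sshd[2207]: Failed password for root from 198.51.100.7 port 40140 ssh2
Mar  3 10:01:20 web1 sshd[2209]: Accepted password for root from 198.51.100.7 port 40151 ssh2
Mar  3 10:05:00 web1 sshd[2300]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Mar  3 10:05:30 web1 sshd[2302]: Accepted password for alice from 192.0.2.10 port 51004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

FAIL_THRESHOLD = 3            # failures from one source inside the window
WINDOW = timedelta(minutes=5)
YEAR = 2013                   # syslog lines carry no year; assumed for parsing


def parse_line(line):
    """Turn one sshd password-auth line into an event dict, or None if unrelated."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (YEAR, m.group("ts")), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m.group("result") == "Accepted",
            "user": m.group("user"), "src": m.group("src")}


def detect(log_text):
    """Return alerts: one per source that crosses the failure threshold, plus one
    per successful login that follows such a burst from the same source."""
    alerts = []
    recent_fail = defaultdict(list)   # src -> timestamps of failures in window
    burst_seen = set()
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        fails = recent_fail[ev["src"]]
        fails[:] = [t for t in fails if ev["ts"] - t <= WINDOW]  # drop stale ones
        if not ev["ok"]:
            fails.append(ev["ts"])
            if len(fails) >= FAIL_THRESHOLD and ev["src"] not in burst_seen:
                burst_seen.add(ev["src"])
                alerts.append(("brute_force", ev["src"], len(fails)))
        elif ev["src"] in burst_seen:
            # The case most worth an alert: a success right after a burst of failures.
            alerts.append(("success_after_failures", ev["src"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```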
Server Logs Provide
- Alerts to suspicious activities that require further investigation.
- Tracking of an attacker's activity.
- Assistance in the recovery of the server.
- Assistance in the post recovery of the server.
- Required information for the local proceedings.
The selection and implementation of specific server software determines which actions the server administrator should perform to establish logging configurations.
All organizations need to create a server data backup policy. The policy should address:
- Purpose of the policy
- Parties affected by the policy
- Servers covered by the policy
- Definitions of key terms, especially legal and technical
- Detailed requirements from the legal, business, and organization's perspective
- Required frequency of backups
- Procedures for ensuring data is properly retained and protected
- Procedures for ensuring data is properly destroyed or archived when no longer required
- Procedures for preserving information for Freedom of Information Act (FOIA) requests, legal investigations, and other such requests
- Responsibilities of those involved in data retention, protection, and destruction activities
- Retention period for each type of information logged
- Specific duties of a central/organizational data backup team, if one exists.
Three primary types of backups exist: full, incremental, and differential. Full backups include the OS, applications, and data stored on the server (i.e., an image of every piece of data stored on the server hard drives). The advantage of a full backup is that it is easy to restore the entire server to the state (e.g., configuration, patch level, data) it was in when the backup was performed. The disadvantage of full backups is that they take considerable time and resources to perform. Incremental backups reduce the impact of backups by backing up only data that has changed since the previous backup (either full or incremental). Differential backups reduce the number of backup sets that must be accessed to restore a configuration by backing up all changed data since the last full backup. However, each differential backup increases as time lapses from the last full backup, requiring more processing time and storage than would an incremental backup. Generally, full backups are performed less frequently (weekly to monthly or when a significant change occurs), and incremental or differential backups are performed more frequently (daily to weekly). The frequency of backups will be determined by several factors:
- Volatility of information on the site: static content (less frequent backups), dynamic content (more frequent), e-commerce/e-government (very frequent backups)
- Volatility of configuring the server
- Type of data to be backed up (e.g., system, application, log, or user data)
- Amount of data to be backed up
- Backup device and media available
- Time available for dumping backup data
- Criticality of data
- Threat level faced by the server
- Effort required for data reconstruction without data backup
- Other data backup or redundancy features of the server (e.g., Redundant Array of Inexpensive Disks [RAID]).
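As an added example not found in the article, the following code makes the restore-chain and storage trade-off between the three backup types concrete: given a schedule of full, incremental and differential sets it returns the sets needed to restore a given day, and it totals the storage each strategy consumes. The schedule, sizes and function names are constructed for this example.

```python
"""Restore chains and storage cost for full, incremental and differential backups.

Added example; the schedules and change volumes are constructed and the
function names are this example's own.
"""


def restore_chain(backups, target_day):
    """backups: chronological list of (day, kind) with kind in
    {'full', 'incremental', 'differential'}. Return the backup sets, in restore
    order, needed to bring the server back to its state as of target_day."""
    upto = [b for b in backups if b[0] <= target_day]
    full_positions = [i for i, (_, kind) in enumerate(upto) if kind == "full"]
    if not full_positions:
        raise ValueError("no full backup on or before day %d" % target_day)
    last_full = full_positions[-1]          # nothing before the last full is needed
    chain = [upto[last_full]]
    later = upto[last_full + 1:]
    # A differential holds every change since the full, so only the newest one
    # matters; incrementals made after it are each still required.
    diff_positions = [i for i, (_, kind) in enumerate(later) if kind == "differential"]
    start = 0
    if diff_positions:
        chain.append(later[diff_positions[-1]])
        start = diff_positions[-1] + 1
    chain.extend(b for b in later[start:] if b[1] == "incremental")
    return chain


def storage_used(kind, full_size, daily_change, days):
    """Total storage for one full on day 0 followed by `days` daily backups of
    the given kind, assuming each day changes `daily_change` units of new data."""
    total = full_size
    for d in range(1, days + 1):
        # A differential on day d carries all d days of changes since the full;
        # an incremental carries only that day's changes.
        total += daily_change * (d if kind == "differential" else 1)
    return total


if __name__ == "__main__":
    week_inc = [(0, "full")] + [(d, "incremental") for d in range(1, 7)]
    week_diff = [(0, "full")] + [(d, "differential") for d in range(1, 7)]
    print("incremental restore of day 6:", restore_chain(week_inc, 6))
    print("differential restore of day 6:", restore_chain(week_diff, 6))
    print("storage, incremental:", storage_used("incremental", 100, 5, 6))
    print("storage, differential:", storage_used("differential", 100, 5, 6))
```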
Most organizations eventually face a successful compromise of one or more hosts on their network. Organizations should create and document the required policies and procedures for responding to successful intrusions. The response procedures should outline the actions that are required to respond to a successful compromise of the server and the appropriate sequence of these actions (sequence can be critical). Most organizations already have a dedicated incident response team in place, which should be contacted immediately when there is suspicion or confirmation of a compromise. In addition, the organization may wish to ensure that some of its staff are knowledgeable in the fields of computer and network forensics. A server administrator should follow the organization's policies and procedures for incident handling, and the incident response team should be contacted for guidance before the organization takes any action after a suspected or confirmed security compromise. Examples of steps commonly performed after discovering a successful compromise are as follows:
- Report the incident to the organization's computer incident response capability.
- Isolate the compromised systems or take other steps to contain the attack so that additional information can be collected.
- Consult expeditiously, as appropriate, with management, legal counsel, and law enforcement.
- Investigate similar hosts to determine if the attacker also has compromised other systems.
- Analyze the intrusion, including: the current state of the server, starting with the most ephemeral data (e.g., current network connections, memory dump, file time stamps, logged in users); modifications made to the server's software and configuration; modifications made to the data; tools or data left behind by the attacker; system, intrusion detection, and firewall log files.
- Restore the server before redeploying it. Either install a clean version of the OS, applications, necessary patches, and server content; or restore the server from backups (this option can be more risky because the backups may have been made after the compromise, and restoring from a compromised backup may still allow the attacker access to the server).
- Disable unnecessary services.
- Apply all patches.
- Change all passwords (including on uncompromised hosts, if their passwords are believed to have been seen by the compromised server, or if the same passwords are used on other hosts).
- Reconfigure network security elements (e.g., firewall, router, IDPS) to provide additional protection and notification.
- Test the server to ensure security.
- Reconnect the server to the network.
- Monitor the server and network for signs that the attacker is attempting to access the server or network again.
- Document lessons learned.
Based on the organization's policy and procedures, system administrators should decide whether to reinstall the OS of a compromised server or restore it from a backup. Factors that are often considered include the following:
- Level of access that the attacker gained (e.g., root, user, guest, system)
- Type of attacker (internal or external)
- Purpose of compromise (e.g., Web page defacement, illegal software repository, platform for other attacks, data exfiltration)
- Method used for the server compromise
- Actions of the attacker during and after the compromise (e.g., log files, intrusion detection reports)
- Duration of the compromise
- Extent of the compromise on the network (e.g., the number of hosts compromised)
- Results of consultation with management and legal counsel.
The lower the level of access gained by the intruder and the more the server administrator understands about the attacker's actions, the less risk there is in restoring from a backup and patching the vulnerability. For incidents in which there is less known about the attacker's actions and/or in which the attacker gains high-level access, it is recommended that the OS, server software, and other applications be reinstalled from the manufacturer's original distribution media and that the server data be restored only from a known good backup.
Management Summary
This section has been created mainly with the idea of answering the most common questions a manager could ask as far as Information Security is concerned. Its purpose is to explain in a brief, yet effective way why, from a management point of view, one would want to invest in securing the core Information Assets of the company, and the potential risks attached to cutting the Information Security budget. A lot of businesses (still) tend to ask the question why they should invest in information security, as sensitive data is backed up every day and in the event of an intrusion, virus outbreak or data corruption, data and business processes can be restored and brought back up in a matter of minutes. Whereas theoretically there is nothing wrong with this mode of thinking and the procedures that are in place do provide a certain degree of security, practice has shown time and time over again that the classic security methods such as virus scanner/backup/restore may not be enough to hold the fort.
People still fail to realize that their Internet connectivity represents a big threat to the whole world if it is not properly secured; that there is hybrid code out there that will not only take out your network(s) and trash your data, but will also steal documents, passwords, etc.; and that there are people out there that will try to enter your systems for whatever reason and damage your systems. A successful intrusion with the idea of purposefully causing damage to the business could damage the image of the company and the brand name to no end. It may take minutes to recover your corrupted files, but it may take years to clear a name, or image. A simple defacement of the company web site will show the world how insecure it (and, subsequently, your in-house systems) is/was, that proper security measures were not in place, and if it concerns an online shop, most of your clients will be afraid to use it anymore. Or imagine your company networks contributing to a worldwide, full-scale Distributed Denial Of Service (DDoS) attack, which will definitely get you in trouble and/or damage your reputation a lot. Just imagine being in a situation where your company systems are unknowingly attacking other businesses online, or successful penetrations of other companies are performed using your networks!
Another common management mistake is plain and simple smugness. How many times have you heard phrases like: "we have recently purchased a well known firewall product to protect our company network", "we have server level content blocking software as well", "our administrator is a certified security professional", or "we think we are pretty damn secure, so why should we invest in further security measures?"
Security is a never ending process that requires constant monitoring, updates, investment, research and implementation of new technologies; not forgetting the most important point: education of staff. Because no matter the amount of money you are prepared to spend, and no matter the technologies involved, the secret lies within the individual who configures your security system(s). The Internet can be a very beneficial resource to your business; however, it brings certain risks with it. For the best possible results you will probably need to employ full-time specialists taking care of your (IT) security, thus ensuring you are capitalizing on the benefits of the Internet, while having your critical data reasonably secured. It is to be hoped that by now any company manager has enough background information to be able to ask the right questions of their security products vendor, or the security consulting company building and developing their security solutions. I cannot stress enough, on the other hand, the importance of getting your company executives familiarized with all the risks posed by their Internet connectivity and other (IT) security issues; the clearer top company executives and decision makers are on the whole situation from a security point of view, the sooner and quicker an effective IT security policy/strategy will be in place!
Conclusion
The aim of this paper is to explore the process of building and implementing a successful Information Security Policy in detail, as well as giving various recommendations for the development of a Security Awareness Course. The security within any organization starts with building a Security Policy, a centralized, evolving document defining what is allowed and what is not. Along with what I hope to be large amounts of useful information, I have provided you with some ready-made Best Practices sections on various security threats, as well as a sample Security Newsletter in order to save you valuable time and resources. The implementation process requires constant monitoring of Internet Threats, along with the measurement of staff knowledge and awareness levels to ensure that there is a continuous improvement in their level of knowledge and security awareness.
Prashant Mishra
Information Security Officer at Syniverse Technologies. Managing security with regulatory bodies (Telecom Regulatory Authority of India), DoT (Department of Telecommunications) & TEC (Telecommunications Engineering Center), Intelligence Bureau, Department of Police. Involved in information security, vulnerability assessment and penetration testing. Certified Ethical Hacker (CEH), EC-Council Certified Security Analyst (ECSA). Applied for LPT (Licensed Penetration Tester). Done training in Computer Hacking Forensic Investigator (CHFI).
Penetration Test Results Reporting
Upon completion of a penetration test, all of the information collected must be neatly entered into the after-actions, results report. Since this document is the only tangible, deliverable element supplied to the customer, it should appear professional, well organized, and clearly detail and explain what was uncovered during the penetration test. This article will examine methods and best practices of the reporting stage of a penetration test. The target audience of this paper is penetration testers who wish to improve their report writing skills.
At the conclusion of a penetration test, all of the data collected must be massaged into useful data, upon which the customer can act. The purpose behind a penetration test may differ, but one constant of penetration testing is the requirement for meticulous documentation: recording each step, collecting information as you go, entering said data into a report, and delivering it to the customer. This phase of the penetration test is sometimes seen as an afterthought, but this is the hands-on product you deliver to the customer; it is vitally important that scrupulous attention to detail be given to constructing and delivering a well-polished final product. Writing the results report may not be as glamorous or exciting as actually performing the technical portion of the test, but in many respects, it is the most critical task a penetration tester performs because it allows the customer to see what you have actually done. The results report is essentially your way of showing the customer what you have done. They have no way of knowing that you spent long nights plugging away at their systems if you have no way of demonstrating it; it is your evidence that a penetration test has been conducted. You owe it to the people who are paying you to deliver a professional final product. The final report demonstrates your competence, illustrates the amount of work you put into the test, and gives the customer a way forward; after all, the test is supposed to highlight issues with their security. A professional, well-written report can impress your customer, win repeat business, and lead to word-of-mouth advertising; a poorly written report could cost you future business with that customer and word could travel that your services are not quite up to scratch.
There is an absolute plethora of materials written about the subject of penetration testing. Many of us have bowed bookshelves containing volumes on the subject and a massive Favorites folder dedicated to the subject. There seems to be an unending well of excellent resources to draw technical tricks of the trade from, but there is very little written about one of the most important, time-consuming, and frustrating sections of the test: the results report. It is understandable that sitting down to write the final report can be very dull when compared to the other aspects of the test, but considering its importance, it is vital that the report is written well. Penetration testing is a scientific process, and the
part: the raw report, which includes everything, to include screenshots, dumps, scan results, etc. It is up to you if you include the raw data, but it should not hurt anything to add this as an appendix or separate document. Take for example the report structure in Figure 1. (PTEST-Reporting, Smith, 2011.), this is a pretty detailed tree of what could be expected in the executive summary and the technical report.
Example Report
The following is a sample of recommendations that should be included in the penetration test report; feel free to use what fits your needs:
Cover Page (Figure 2)
The cover page should contain the following elements:
- The name of the report
- Date
- Target organization's name
- Revision number
- Control number
- Classification
- Author of report
Information Page
The information page will contain much of the information found on the cover sheet, but will also include a history of revisions, name of document reviewer, name of document editor, penetration test team member names, contact information, and a legal notice.
Table of Contents
The table of contents lists the parts of the report in the order in which they appear.
Executive Summary
The executive summary should be brief, and non-technical. The target audience of the executive summary is senior management and other non-technical staff. Illustrations such as pie charts and graphs may be helpful. The following should be included in the executive summary section:
Scope of Work / Test
The scope of work / test section should detail what the penetration test was limited to, i.e. network only, website only, etc. It should also detail what was off-limits, such as hardware, tape libraries, etc. Finally, the scope should detail constraints and problems encountered during the test, for example, if the testers were asked to leave the building at certain hours.
Type of test
Spell out the type of test that was conducted, i.e. White-box, Black-box, Grey-box, and give a brief description of the test.
Test Objectives
The test objectives should detail why the test was conducted in the first place, such as the deployment of new hardware/software, annual inspection, etc.
Timetable
The timetable should detail start and stop times/dates, amount of man-hours invested in the test, when phases of the test were conducted, etc.
Summary of Findings
In the summary of findings section, you want to give a quick snapshot of what is going on, to paint the picture of the organization's security posture. Consider using images (such as those in Figures 3 and 4) to illustrate findings. Remember, this section is non-technical; senior management does not care about the details, they want to know if their network is secure or not (Figure 3 and Figure 4).
Figure 5. Findings
Other Considerations
Some vulnerabilities, if posing an immediate threat to the network, should be reported to the organization, and mitigated immediately. A penetration test is really designed to identify issues, not fix them on the spot, but there should be a point of contact within the organization to contact and report immediate findings to. If the issue is mitigated during the penetration test, it should still be documented in the report, if nothing else it will help to demonstrate to the customer the value to be gained from having a penetration test performed on their network.
References
CORE Impact Professional. Retrieved from: http://www.coresecurity.com/core-impact-pro
The Information Systems Security Assessment Framework (ISSAF). Retrieved from: http://www.oissg.org/issaf
The Open Source Security Testing Methodology Manual (OSSTMM). Retrieved from: http://www.isecom.org/research/osstmm.html
The Open Web Application Security Project (OWASP). Retrieved from: https://www.owasp.org/index.php/Main_Page
The Penetration Testing Execution Standard (PTES). Retrieved from: http://www.pentest-standard.org/index.php/Main_Page
Offensive Security Penetration Test Report. Retrieved from: http://www.offensive-security.com/penetration-testing-sample-report.pdf
Coordinate with the customer to determine whether they want sensitive or personally identifiable information (PII) sanitized from the final report. Also ensure that the document is classified using the customer's classification standards, so there is no confusion about the sensitivity of the document. Both hard and soft copies of the report should be carefully guarded and tracked: hard copies should be signed for, and soft copies should be encrypted.
Conclusion
There is nothing sexy about writing the penetration test report, but it is arguably the most critical component of the entire process. Taking the time to assemble a high-quality and comprehensive final product is a way to demonstrate to the customer that you are a professional and that the greatest of care has been taken in testing their network. Essentially the report is what the customer is paying you for, so ensure that you are providing them with a document they can act upon when the testing is over. Taking the time to ensure this stage of the test is done well can win repeat business and grow the reputation of your company.
Terrance Stachowski is a defense contractor supporting the United States Air Force. He has fifteen years of IT experience, an M.S. in Cybersecurity from Bellevue University, and currently holds nineteen IT certifications, including the CISSP and L|PT. He specializes in IT Security, Penetration Testing, and Solaris Systems Engineering. He can be reached at terrance.ski@skeletonkeyss.com.
Transforming Your
Tablet into Pentest Platform
As a penetration tester I always appreciate being able to work from anywhere. That's a nice thing about working in the IT industry. With my laptop I can be mobile while working on penetration tests. However, like probably many of you, I wanted more, so I decided to transform my Nexus 7 into a penetration testing platform. As the base OS of my tablet I picked the CyanogenMod 10 ROM, plus tools for various attacks such as MiTM, network discovery, port/vulnerability scanning, packet capture, Web attacks, and many more.
I can bet you've at least once wanted to be extra mobile and be able to do penetration testing out of the office. Good news! Today's technology provides a high-quality, cheap and fast solution for performing those tasks with Android tablets. In my case, I have a 7" Asus Nexus 7 3G with 32GB of storage and four CPU cores; you must admit that's quite a nice device for penetration testing tasks. The Nexus 7 ships with vanilla Android 4.2.1, but I wanted a more customized tablet, so I installed the CyanogenMod 10 ROM. I also unlocked the tablet's bootloader, flashed it with a custom recovery image and rooted it to have full permissions on the device. I must warn you that by rooting the device you are going to be exposed to more security vulnerabilities, but you will have more control of your device and be able to use penetration testing tools that require a rooted device. Remember that unlocking and rooting the tablet voids the device warranty, which can only be restored by reverting to and installing the original stock ROM. The Android applications mentioned in this article can be downloaded from the URLs at the end of the article (Figure 1).
Your stock Android ROM is quite a nice OS for mobile devices, but you can get a more powerful device by installing a custom ROM such as CyanogenMod or AOKP. In my case, I prefer the first one. Connect the tablet to your laptop or PC with a USB cable and enable the USB debugging option in the Android settings. The device must be in bootloader mode; on most tablets you enter the bootloader by switching the tablet off and powering it on while holding power and volume up (or down). Meanwhile, download CyanogenMod 10 from its official Web page. After that, download the Android SDK package. Extract the archive; in the platform-tools folder you will find the tools needed for flashing the tablet (adb and fastboot). The first thing we need to do is unlock the bootloader, if it is locked. Open your console and run fastboot with the command ./fastboot oem unlock, wait a few seconds and confirm the unlock of the bootloader. Keep in mind that some devices don't have a locked bootloader. After that, reboot your tablet and enter bootloader mode again.

Now, to install CyanogenMod we must have a device with a custom recovery. In my case, I used the most popular one, ClockworkMod Recovery. Choose and download the recovery for your device and install the recovery image with the command ./fastboot flash recovery nameofrecovery.img. After installing, don't forget to choose the option to disable recovery flash, then reboot the device into recovery; you now have a custom recovery with extra options. Next, root your device. The easiest way to root the tablet is the SuperSU application: download it and transfer it to the root folder of the device storage. Again, enter recovery mode and install the application by choosing the option choose zip from sdcard; you will find the SuperSU zip file there, install it by pressing the power button. Okay, you have a rooted device, let's profit from that.

CyanogenMod is installed in the same way: transfer it to internal memory and reboot into recovery mode. Now choose the following options in order: Wipe cache, Wipe dalvik cache, Factory reset. After that, choose the CyanogenMod zip and install it. You will need the Google apps (they aren't included in CyanogenMod), so pick the right version for your ROM and download them. Transfer the file to the device and install it as a zip file. When you're done installing the Google apps, reboot to recovery, fix permissions and reboot the tablet again. If you have a slower tablet, on the XDA forum you can find topics with mods for performance improvements.

Now we have a multi-user device with enough processing power and mobile software to be a perfect solution for a mobile penetration testing platform. For easier connectivity to the Internet, I recommend buying a tablet with a 3G module and a bigger GSM data plan, at least 2 GB monthly. All applications used in this article are free.
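To make the unlock-and-flash steps above less error-prone, here is a small wrapper script, added as an example and not taken from the article: it refuses to write a recovery image whose SHA-256 does not match the checksum published with the download, and it checks that exactly one device is attached in fastboot mode before running the two fastboot commands from the text. The FASTBOOT variable, the DRY_RUN switch and the script name flash.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the article: a wrapper for the unlock-and-flash
# steps described above. Assumptions (hypothetical names): FASTBOOT is the path
# to the fastboot binary from the SDK's platform-tools folder, the expected
# SHA-256 is the checksum published alongside the recovery image you downloaded,
# and DRY_RUN=1 prints the fastboot commands instead of running them.

FASTBOOT="${FASTBOOT:-./fastboot}"

# Print the SHA-256 digest of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_image FILE EXPECTED_SHA256
# Returns 0 only if FILE exists and its digest matches EXPECTED_SHA256.
# A mismatch means a corrupt or tampered download; nothing should be flashed.
verify_image() {
    file="$1"
    expected="$2"
    if [ ! -f "$file" ]; then
        echo "missing image: $file" >&2
        return 1
    fi
    actual="$(sha256_of "$file")"
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# device_in_fastboot
# Returns 0 if exactly one device is listed by `fastboot devices`, so the
# unlock and flash cannot land on the wrong device when several are attached.
device_in_fastboot() {
    count="$("$FASTBOOT" devices 2>/dev/null | grep -c 'fastboot$' || true)"
    [ "$count" -eq 1 ]
}

# flash_recovery IMAGE EXPECTED_SHA256
# The article's sequence (./fastboot oem unlock, then
# ./fastboot flash recovery nameofrecovery.img), gated on the checksum check
# and on a single attached device. Unlocking typically wipes user data on
# Nexus devices, so this only proceeds once the image has been verified.
flash_recovery() {
    image="$1"
    expected="$2"
    verify_image "$image" "$expected" || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$FASTBOOT oem unlock"
        echo "$FASTBOOT flash recovery $image"
        return 0
    fi
    device_in_fastboot || {
        echo "expected exactly one device in fastboot mode" >&2
        return 1
    }
    "$FASTBOOT" oem unlock || return 1
    "$FASTBOOT" flash recovery "$image"
}

# Usage (real run): FASTBOOT=./fastboot ./flash.sh recovery.img <sha256>
# Usage (preview):  DRY_RUN=1 ./flash.sh recovery.img <sha256>
if [ "$#" -eq 2 ]; then
    flash_recovery "$1" "$2"
fi
```

Run it with DRY_RUN=1 first to see the exact commands it would issue for your image before letting it touch the device.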
We start with applications for discovery and penetration testing of wireless networks. One of them is WiFinspect, a great tool with the ability to test access points and internal/external networks. It also has features to sniff networks, analyze captured .pcap files, discover hosts and a few more. With APScan you can scan the wireless networks around you; it can save the AP list and sort and filter BSSIDs. The WiFiKill application can disconnect clients from a wireless network using iptables, if you want to perform social engineering. Once you're connected to a wireless network, you can capture traffic and analyze it with Shark and SharkReader; the sniffed traffic can later be analyzed using Wireshark. When we talk about MiTM attacks, one of the classic applications for capturing sessions with cookies from other users on wireless networks is DroidSheep. It also has features to manipulate and save cookies. Android has its own version for attacking the SSL protocol as well, SSLStrip, which requires a rooted device. LanDroid is a must-have application with features such as Ping, Whois, Dig, NSlookup, IPLookup, Traceroute, PortScan, MAC lookup, WakeOnLan, and many more. dSploit is, in its author's words, a network analysis and penetration suite ready for various MiTM attacks; it comes with a Port Scanner, Inspector, Vulnerability Finder, Login Cracker and other features for performing penetration testing. I must also mention Fing, an application for network discovery with a great interface and abilities, one of my favorites. Every penetration tester must have the Android versions of Nmap and Nikto Scanner. A good thing about Web vulnerability scanners is the fact that most of them have a Web interface to control them, for example Metasploit. One of the most popular Web vulnerability scanners, Nessus, has an official application to control your Nessus server. There's also a proxy application for Android, SandroProxy, which can capture, intercept, analyze, modify and replay HTTP requests and is based on WebScarab. ProxyDroid is a similar application, which can use for example an existing Burp Suite server on your laptop and proxy all device traffic through it (Figure 2 and Figure 3).
Productivity
It's impossible to complete penetration tests without tools for everyday tasks. To be more productive while typing on a tablet, you must have a full QWERTY layout, so I recommend Hacker's Keyboard. We'll assume that every penetration tester must have a terminal, and Android Terminal Emulator is, as the name says, a terminal emulator. It's not rare to work-
Figure 2. Fing
WiFinspect
http://forum.xda-developers.com/showthread.php?t=1282900
WifiKill
https://play.google.com/store/apps/details?id=uk.co.opticiancms.wifiprobe
Nikto Droid
http://www.1mobile.com/nikto-droid-306934.html
Nmap
https://secwiki.org/w/Nmap/Android
dSploit
http://www.dsploit.net/
Android SDK
http://dl.google.com/android/android-sdk_r21.1linux.tgz
CyanogenMod
http://get.cm
ClockworkMod
http://www.clockworkmod.com/rommanager
Google Apps
http://goo.im/gapps
XDA thread about performance boosting
http://forum.xda-developers.com/showthread.php?p=38643545
XDA thread about performance tweaking
http://forum.xda-developers.com/showthread.php?t=1933837
I think it's easier to scan a QR code and install applications directly from Google Play than to copy/paste a link in the browser, so below you'll find the QR codes of the applications used in the article.
Summary
Now you have a fast, extra mobile and productive platform to work on. I mentioned very few applications for penetration testing; there are many more, mostly paid, but these free applications cover almost the complete basic penetration test methodology. It's very important to secure your tablet against loss, and one of the best practices is to use a PIN or password on the screen lock in combination with anti-theft tools (remote storage wiping of a stolen device). With the Android applications described above you can do a huge part of a penetration test, from testing wireless networks, MiTM attacks and local networks to Web application testing with features to proxy HTTP requests.
Domagoj Vrataric is IT Security Manager at Aduro Ideja, a company from Croatia that offers software solutions for the telecom industry, high-volume data processing, real-time systems and penetration testing services. He has experience with penetration testing (OWASP methodology), mostly in the telecommunications industry, eCommerce (osCommerce, ZenCart, OpenCart) and the media industry. He has 10 years of experience with Linux, 8 with IT security, and knowledge of hacker culture and ways of thinking. He is currently involved in penetration testing and is project manager on a few security projects. Additionally he is in charge of security in his company, from monitoring IT infrastructure and administering Debian servers to security policies on computers and mobile phones.
Figure 3. Nessus
APScan
https://play.google.com/store/apps/details?id=jerzy.cow.code.APscan
Fing
https://play.google.com/store/apps/details?id=com.overlook.android.fing
Shark
https://play.google.com/store/apps/details?id=lv.n3o.shark
Hackers Keyboard
https://play.google.com/store/apps/details?id=org.pocketworkstation.pckeyboard
Shark reader
https://play.google.com/store/apps/details?id=lv.n3o.sharkreader
ConnectBot
https://play.google.com/store/apps/details?id=org.connectbot
SSLStrip
https://play.google.com/store/apps/details?id=com.crazyricky.androidsslstrip
OfficeSuite Viewer
https://play.google.com/store/apps/details?id=com.mobisystems.office
LanDroid
https://play.google.com/store/apps/details?id=net.fidanov.landroid
Cryptonite
https://play.google.com/store/apps/details?id=csh.cryptonite
Nessus
https://play.google.com/store/apps/details?id=com.tenable
https://play.google.com/store/apps/details?id=com.metago.astro
SandroProxy
https://play.google.com/store/apps/details?id=org.sandroproxy
ProxyDroid
https://play.google.com/store/apps/details?id=org.proxydroid
Homeland Security
Reducing the Threat from Attacks
This article describes the changes being made in Homeland Security activities for new software in development, and how they are improving our overall security. The reader may also find activities that fit into their own Software Development Lifecycle (SDLC) programs, so that other organizations benefit as well. This is not an offensive approach to Cyber Security, but an improved defensive approach.
Every day the United States Government is subject to cyber-attacks which threaten the lives of citizens and agency missions. Threat agents include other countries, citizens of the United States, and organized crime (to name a few). The US Department of Homeland Security has the responsibility of protecting Federal systems and supporting other agencies of the US Government with protecting information and reporting cyber incidents. The actual source of the attacks is usually unpredictable (it would certainly make it easier if they would announce their intentions in advance), though most have similar objectives: to get the information that organizations are trying to protect. Attacks on information systems can be easily spoofed, making the source IP address an unreliable indicator of the origin of the connection. Open source projects such as the TOR network, bot nets, and other infected resources make investigations more challenging [1]. At present, most Federal agencies approach securing the homeland through defensive measures which are largely reactionary. The lack of proactive measures places these agencies in a losing battle. Attempting to identify the source of an attack is not trivial, as attacks are generally carried out by systems that have been compromised. Ultimately, the source of the problem is insecure software. As such, agencies can better protect their systems by building security into their software [2]. Although a wealth of information exists to support building better software (see Microsoft's SDL or Cigital's Software Security Touchpoints), most organizations encounter problems when trying to transition from theory to practice.
Congress passed the E-Government Act of 2002 to address the lack of security within Federal information systems. Title III of the E-Government Act, the Federal Information Security Management Act (FISMA), was designed to promote responsibility for security through mandate. FISMA mandates that organizations report their security posture as measured by standards published by the National Institute of Standards and Technology (NIST). The security standards identify a minimum set of security requirements for information and information systems. The result is the development of a process drawing on security requirements that falls short in terms of defining how organizations can implement these standards, as well as how each organization can measure the effectiveness of their programs.
FISMA is grounded in following processes and demonstrating compliance with checklists. Unfortunately, FISMA fails to offer organizations the value of improving the overall security of their systems, because it focuses the government on processes and reporting, which compete for security funding, usually to the detriment of actual security operations. FISMA identifies the classification of federal systems as Low, Moderate, or High vis-à-vis FIPS publication 199 [3]. FIPS 199 defines the standards for Security Categorization of Federal Information and Information Systems. Depending on the identified classification of a system, FISMA relies on NIST Special Publication 800-53 [4], which prescribes an increasingly restrictive set of security controls according to the classification of the federal system. The intent of this publication is to allow the security practitioner to tailor the controls that relate to the system and its security classification. Using the NIST 800-53 controls, the organization is better able to classify the security issues and the activities needed to obtain accreditation for use. Unfortunately, one of the major drawbacks of NIST 800-53 is its failure to bridge information security theory with information security practice.
Is Pentesting Enough?
Pen testing the environment is often used as the primary means of determining the security of systems. A drawback of using penetration testing as the sole mechanism for securing systems lies in the late stage of the SDLC at which the testing occurs. Because penetration testing happens once a system is production ready, the earlier stages of the SDLC are often overlooked (for example, some time after code is running, a decision is generally made to run a pen test; exactly what is being tested is not necessarily clear). Another issue with pen testing relates to the level of system coverage. At Cigital, we have found that the pen test exercise covers only a small fraction of the actual codebase. For this reason, Cigital refers to pen tests as a Badness-ometer. For example, when a pen test is performed on a system and several findings are discovered, the system is clearly insecure. However, if a pen test is performed and no findings are discovered, does this mean that the system is secure? Most likely the answer is no. Just because a security practitioner did not discover a vulnerability, the system may still have vulnerabilities which have not been discovered (remember, the pen test only covers a small percentage of the codebase). For this reason, we can state that pen testing is not enough. The rule of thumb is that a pen test will only tell you how bad your code is, not how good. As a result, the pen test is really a badness-ometer.
The traditional approach to cyber security has been reactive. The traditional approach is mired in an improper interpretation of Defense in Depth. Systems and networks are hardened at the perimeter of the network and include a multitude of tools which operate as filters throughout the cyber infrastructure. We like to call this the M&M defense (hard on the outside, and soft in the center). The underlying assumption is that adding more and more security products and services will inevitably reduce the attack surface and eradicate risk. One of the problems with securing the perimeter lies in the faulty assumption that networks have boundaries which can be defined. With the rise of cloud and mobile computing, the security team is left scratching their heads with respect to where the boundaries are and how to define them. When you boil down the challenge, the least common denominator falls on the assurance of the software and software applications. Simply put, if you can establish an assurance level for deployed software, you will better understand where your weaknesses lie. This has been a resounding within organizations and the number one reason that Cigital was called upon by DHS to assist in the deployment of Static Analysis tools and the development of the Build Security In initiative.
Figure 3. Cigitals Software Development Life Cycle (SDLC) with Security Related activities
The higher expense is usually incurred by detecting vulnerabilities late in the development process. Consider Figure 3. This figure presents the SDLC, indicated by the boxes, and provides security Touchpoints for how security can be introduced at various stages of the SDLC. As you can see, we have inserted security activities in each of the SDLC phases (you can read about these exercises and the security touchpoints in Software Security by Gary McGraw; while our figure is more representative of a waterfall approach, the iterative SDLC process can adopt it easily) [5]. Many times the overall size of the architecture and the complexity of the environment can only be evaluated after the initial development or deployment has already been made. While employing the security controls for an application has been known to be done after the design is completed, continuing to scrutinize the security of an environment after the implementation of the system is completed is akin to trying to bolt security on top of the environment (as opposed to creating it inside the application). (McGraw)
This is not to say that we should stop using FISMA or halt pen testing activities altogether, because these activities are essential to determining the correct implementation of security in the enterprise. However, changing or augmenting the traditional testing during the SDLC has been shown to improve the security of the application, as well as to help fix the security posture of the application before it reaches production. Cigital has taken a different approach to Software Security: we recommend building security directly into the software. This approach enables the developers to be an active part of the security team. The chart in Figure 3 looks at the development of new software and how security-related activities are always a part of the Software Development Life Cycle (SDLC). As we can see from Figure 3, the actual introduction of pen testing is far to the right of the SDLC, very near the production phase. This is very late in the SDLC process and also complicates the updates to the software needed to implement better security.
Code Review
Here are some of the code review functions which Cigital is providing to its clients, as well as to the Department of Homeland Security (and other government agencies within it). This explains why fixing bugs is so costly in the Testing phase (Figure 2). Figure 4 outlines three different activities which Homeland Security has undertaken as part of their new understanding of security development. The activities include:
SecureAssist Secure Coding Guidance (training the developers)
Static Analysis
Dynamic Analysis
Binary Analysis [6]
We can easily see that the cost of fixing vulnerabilities is significantly lower the further left we are in the development process. This is what we mean when we say that we want to enable the developers to become more proactive in fixing security issues. Since the developers already have the software on their desktops, they are the best choice to make the changes, before bugs are introduced into the software. SecureAssist Secure Coding Guidance is a plugin for the developer's Integrated Development Environment (IDE). SecureAssist changes the security stance from reactive remediation to proactive security. Instead of focusing on new ways to find bugs already in the code base, organizations should provide developers with the guidance they need to build expertise and to PREVENT bugs from entering the code base. One of the best things about the SecureAssist plugin is that it does not require access to running code or to code that compiles completely. It supports the developer working on the file(s) the developer has access to, and works in real time compared to other testing activities. This tool examines one or more files or the complete project. Static Analysis code review is usually performed after the project has succeeded in producing code
another resource or is developed outside of the controls that the organization has put into place. Binary Analysis is useful in examining resources which cannot be reviewed with static or dynamic analysis. Because Homeland Security activities depend on the security of the organization against hackers, the largest areas of attack activity are seen coming from network (Internet/intranet) connected resources. These systems are hosted by private enterprise solutions, ensuring that 50% of the security issues are related to the architecture, and 50% are related to the software within. As we can see, detailed activities and controls have been developed to support the security of the network and architecture overall. That leaves us with 50% of the environment to work on: the software, to improve its security.

BSIMM
As I mentioned earlier, the BSIMM model is currently helping organizations describe the activities that they currently employ, which begins to outline the holes that remain in order to improve the overall security of the environment (Figure 5). BSIMM is a descriptive process used to determine the organization's current commitment to its security program. The example above indicates the overall posture of 51 organizations that are committed to improving the overall security within their organizations. While this outline is a review of the security for private corporations, it can also easily be engaged to determine the posture of different departments within Homeland Security. Cigital Federal is currently the provider of Software Security Consulting and Training for the Dept. of Homeland Security (DHS) as well as other Government agencies. Using Cigital's 20+ years of Software Security experience, Cigital Federal is delivering Consulting, Instruction, Products, Analysis and Processes to ensure that better Software Security is achieved wherever it is needed. Whether your needs are securing Homeland Security, a bank, a utility or another organization, Cigital has the processes and resources to improve your organizational security.

[1] Some solutions exist to block entire countries; however, this does not stop attacks from compromised hosts within your own country.
[2] http://www.cigital.com/products/the-building-security-in-maturity-model-bsimm/
[3] http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
[4] NIST is currently requesting updates on revision 4 of the 800-53 control set. You can comment on the security and privacy controls update at http://www.nist.gov/itl/csd/sp800-020613.cfm
[5] While our figure is more representative of a waterfall approach, the iterative SDLC process can adopt it easily.
[6] While Binary Analysis is not part of the diagram, it can be a useful component of testing.
[7] Cigital has a unique presence in the Static Analysis environment with the creation of the first Static Analysis tool, ITS4. After Cigital sold the license of ITS4 to an investment group, the tool was later acquired by HP and is now known as HP Fortify.
[8] Usually available via a web server.
[9] You can use a tool, or manual examination, to perform a pen test.

References
Works Cited
BSIMM. (n.d.). http://bsimm.com/
DHS. (n.d.). http://www.dhs.gov/
FISMA. (n.d.). http://csrc.nist.gov/drivers/documents/FISMA-final.pdf
McGraw, G. (n.d.). Software Security: Building Security In. Addison-Wesley Software Security Series.
NIST. (n.d.). NIST 800-53 revision 3 controls. http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
Albert Whale is a Security Consultant with Cigital Federal in Sterling, VA. Albert resides in Pittsburgh, PA with his wife and three children (three others have escaped already). He has 28 years of Professional experience having worked in Application Development, Systems Engineering, Network Security and Application Security. Albert is the past President and Co-Founder of the Pittsburgh FBI InfraGard, and has been active in the Security field since 9/11. Email: awhale@Cigital.com, LinkedIn: http://www.linkedin.com/in/aewhale, Skype: aewhale