INFOSEK2010 Presentation Penetration Test Example
Overview
- What is penetration testing
- Penetration testing vs. vulnerability assessment
- Pen-test process and constraints
- Pen-test simulation
- Demo
- Results
- Conclusions
>/dev/null (what this presentation is NOT)
- This presentation shows how to penetrate a production system
- This presentation proves that no one can attack us with any success
- This presentation proves that pen-tests are useless
Why is this guy talking about a penetration test in 2010?
- More and more organizations plan or organize a pen-test
- They expect relevant results
- Once they choose a pen-test team, they grant them nearly infinite trust
Pen-Test Constraints
- Scope: what is the scope of the pen-test? Attack one network, one type of service.
- Targets: the number and type of targets is usually unknown to the pen-testers (black box / gray box).
- Activity logging: all activities need to be logged with a relevant time stamp; all observations need to be documented.
- Findings: each penetrated host should be analyzed for installed applications, services, accounts etc.
- Time limit: total pen-test time is always limited; all activities need to be performed within the time constraints agreed with the target.
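The activity-logging and findings constraints are the ones that are easiest to state and hardest to keep under time pressure. As an added illustration that is not part of the original presentation, the following POSIX shell wrapper shows one way to meet them on a BackTrack-style attack box: every tool invocation is time-stamped in UTC, its output is captured to a numbered file, and a SHA-256 of that output is written into the log so the evidence can be checked for completeness and tampering before it goes into the report. The names pt_run, pt_verify, EVIDENCE_DIR and PT_OPERATOR, and the sample addresses, are assumptions made for this example; it relies on sha256sum or shasum being installed.

```sh
#!/bin/sh
# Added example (not from the presentation): evidence-logging wrapper for
# pen-test activity. The names pt_run, pt_verify, EVIDENCE_DIR and
# PT_OPERATOR are assumptions for this example; needs sha256sum or shasum.

EVIDENCE_DIR="${EVIDENCE_DIR:-./evidence}"
EVIDENCE_LOG="$EVIDENCE_DIR/activity.log"

# SHA-256 of a file, portable across GNU coreutils and BSD/macOS.
_pt_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# pt_run TARGET COMMAND [ARGS...]
# Runs COMMAND, saving stdout+stderr to a numbered file under EVIDENCE_DIR and
# appending one tab-separated record to EVIDENCE_LOG:
#   start(UTC)  end(UTC)  operator  target  exit-code  sha256(output)  command
# Returns the wrapped command's exit code so it can still drive the workflow.
pt_run() {
    target="$1"; shift
    mkdir -p "$EVIDENCE_DIR"
    if [ -f "$EVIDENCE_LOG" ]; then
        n=$(wc -l < "$EVIDENCE_LOG")
    else
        n=0
    fi
    n=$((n + 1))
    out="$EVIDENCE_DIR/$(printf '%04d' "$n").out"
    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    rc=0
    "$@" > "$out" 2>&1 || rc=$?
    end=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$start" "$end" "${PT_OPERATOR:-$(id -un)}" "$target" \
        "$rc" "$(_pt_sha256 "$out")" "$*" >> "$EVIDENCE_LOG"
    return "$rc"
}

# pt_verify
# Re-hashes every captured output file against the log, so a missing or
# edited file is detected before the evidence is handed over.
# Returns 0 when all records check out, 1 otherwise.
pt_verify() {
    [ -f "$EVIDENCE_LOG" ] || return 1
    bad=0
    n=0
    while IFS="$(printf '\t')" read -r start end op target rc sum cmd; do
        n=$((n + 1))
        f="$EVIDENCE_DIR/$(printf '%04d' "$n").out"
        actual=$(_pt_sha256 "$f" 2>/dev/null)
        if [ "$actual" != "$sum" ]; then
            echo "record $n ($start, $target): hash mismatch or missing file: $f" >&2
            bad=1
        fi
    done < "$EVIDENCE_LOG"
    return "$bad"
}

# Usage on the attack box, one wrapper call per action (addresses are
# documentation-range examples, not real targets):
#   PT_OPERATOR=team2 pt_run 192.0.2.10 nmap -sS -T2 --top-ports 100 192.0.2.10
#   pt_verify && tar czf "evidence-$(date +%F).tgz" "$EVIDENCE_DIR"
```

Because the wrapper returns the wrapped command's exit code, it can be dropped in front of existing one-liners without changing how scripts chain them; the numbered output files plus the hashed log give the "what, when, against which host" record the constraints above ask for.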
Simulation objectives
- Perform a comprehensive penetration test: penetrate as many targets as possible
- Information about the environment: none available (black box attack)
- Extenuating configuration: the attacker is already on the same LAN as the targets
- Vectors of attack: use any vector available on the targets
- Tools: use any available tools at disposal
- Final criterion of success: obtain a document stored on a host behind a multihomed host
- Time limit: 8 hours for the total pen-test
Simulation Environment
Pen-Test Tools
- Attack tools readily available: BackTrack 4, Nessus, Core Impact (education license)
- Additional tools: OWASP Live CD, Samurai, OpenVAS
Pen-Test Approach
- Teams 3, 4 and 5 focused on automated tools, documenting partially in a standard format
- Team 5 went very slowly and systematically, documenting in a standard format
- Team 2 chose additional tools, documenting in a non-standard format
Start + 1h
Team 1. Activity: focuses on documenting the scanned results, no attack so far. Result: none.
Team 2. Activity: attacks soft targets one by one and performs detailed scans on them. Result: Target 1 compromised.
Team 3. Activity: uses automated tools to attack soft targets. Result: Target 1 compromised.
Team 4. Activity: uses automated tools to attack soft targets. Result: none.
Team 5. Activity: uses automated tools to attack soft targets. Result: none.
Start + 3h
Team 1. Activity: attacks all targets simultaneously with automated tools. Result: none.
Team 2. Activity: attacks soft targets one by one and performs detailed scans on them. Result: Targets 1 and 2 compromised.
Team 3. Activity: uses automated tools to attack soft targets. Result: Target 1 compromised.
Team 4. Activity: uses automated tools to attack soft targets. Result: Target 1 compromised.
Team 5. Activity: uses automated tools to attack soft targets. Result: Target 1 compromised.
Start + 6h
Team 1. Activity: attacks remaining targets simultaneously with automated tools; no attempt at web services. Result: Targets 1 and 2 penetrated.
Team 2. Activity: connects to Target 3 to scan Target 5. Result: Targets 1, 2 and 3 penetrated.
Team 3. Activity: uses automated tools to attack Target 3; in parallel, attacks Target 3 via web portal vulnerabilities. Result: Targets 1 and 2 penetrated.
Team 4. Activity: uses automated tools to attack Target 3. Result: Targets 1 and 2 penetrated.
Team 5. Activity: uses automated tools to attack Target 3. Result: Targets 1 and 2 penetrated.
End (Start + 8h)
Team 1. Activity: abandoned all hope. Result: Targets 1 and 2 penetrated, abandoned all further attempts.
Team 2. Activity: continued to attack the Linux host with automated scripts, completely ignoring the additional information from scanning. Result: Targets 1, 2, 3 and 5 penetrated; trophy discovered.
Team 3. Activity: penetrated the host in the hidden network. Result: Targets 1, 2, 3 and 5 penetrated.
Team 4. Activity: dabbling at Target 3 with web portal vulnerabilities. Result: Targets 1 and 2 penetrated.
Team 5. Activity: dabbling at Target 3 with web portal vulnerabilities. Result: Targets 1 and 2 penetrated.
Process Demos
Results
- Everyone went after the soft targets first and wasted most of the time on them
- Most teams used extremely noisy scans
- No team followed the process through the entire time frame
- One team wasted time trying new tools, which proved inferior to the default toolset
- No team produced meaningful documentation and evidence of its activities
- Most teams focused on automated tools and ignored other vulnerabilities
- If this were a real pen-test, all teams would be sued for malpractice
Thank you
Bozidar Spirovski
spirovski.b@shortinfosec.net http://www.shortinfosec.net