INFOSEK2010 Presentation Penetration Test Example


Penetration Test Example

Errors in the process and avoiding them

Overview
- What is penetration testing
- Penetration testing vs vulnerability assessment
- Pen-test process and constraints
- Pen-test simulation
- Demo
- Results
- Conclusions

>/dev/null
- This presentation shows how to penetrate a production system
- This presentation proves that no one can attack us with any success
- This presentation proves that pen-tests are useless

Never underestimate the power of ****** people in large numbers

What is Penetration Testing?

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker. (Wikipedia)

Why is this guy talking about a penetration test in 2010?
- More and more organizations plan or organize a pen-test
- They expect relevant results
- Once they choose a pen-test team, they grant them nearly infinite trust

A pen-test needs to be prepared and executed with utmost excellence

Penetration Testing vs Vulnerability Assessment

Vulnerability Assessment:
- Typically general in scope and includes a large assessment.
- Predictable. (I know when those security guys scan us.)
- Unreliable at times, with a high rate of false positives. (I've got a banner.)
- Invites debate among system admins.
- Produces a report with mitigation guidelines and action items.

Penetration Testing:
- Focused in scope and may include targeted attempts to exploit specific vectors (both IT and physical).
- Unpredictable by the recipient. (They don't know the how and the when.)
- Highly accurate and reliable. (I've got root!)
- Penetration testing = proof of concept against vulnerabilities.
- Produces a binary result: either the team owned you, or they didn't.

The process of a pen-test

Looks simple enough:
- Reconnaissance - passive information gathering: collect information that is available in publicly accessible locations.
- Scanning and enumeration - moving from passive to active information gathering. Scanning is attempting to connect to systems and gather more in-depth information about the targets.
- Gaining access - using identified vulnerabilities to gain access to the system. So far, the attacker has only looked at your house and knocked on your door. Now he kicks it in.
- Escalation of privilege - just having the access of an average user doesn't get you far. The attacker will attempt to escalate him/herself to administrator or root privilege.
- Maintaining access - once in, the attacker wants to stay in. Obtaining password files, or placing rootkits or backdoors, is the usual method.
- Covering tracks - once the cat is out of the bag, a lot of people will start looking for the attacker, and the less evidence he left, the smaller the chance of his being discovered. This will include deleting logs, tampering with accounts, even compromising a file system.

Pen-Test Constraints
- Scope - what is the scope of the pen-test attack: one network, one type of service.
- Targets - the number and type of targets is usually unknown to the pen-testers (black box/gray box).
- Activity logging - all activities need to be logged, with a relevant time stamp. All observations need to be documented.
- Findings - each penetrated host should be analyzed for installed applications, services, accounts, etc.
- Time limit - total pen-test time is always limited. All activities need to be performed within the time constraints agreed with the target.

Simulation objectives
- Perform a comprehensive penetration test - penetrate as many targets as possible.
- Information about the environment - none available (black box attack).
- Extenuating configuration - the attacker is already on the same LAN as the targets.
- Vectors of attack - use any vector available on the targets.
- Tools - use any available tools at disposal.
- Final criterion of success - obtain a document stored on a host behind a multihomed host.
- Time limit - 8 hours for the total pen-test.

Simulation Environment

The Pen-Testing teams

5 independent pen-tester teams, with various levels of knowledge and experience, coming from:
- Industry
- Finance
- Law enforcement
- Public sector

Pen-Test Tools

Attack tools readily available:
- Backtrack 4
- Nessus
- Core Impact (education license)

Additional tools:
- OWASP Live CD
- Samurai
- OpenVAS

Pen-Test Approach
- Teams 3, 4 and 5 focusing on automated tools. Documenting partially in standard format.
- Team 5 going very slow and systematic. Documenting in standard format.
- Team 2 choosing additional tools. Documenting in non-standard format.

Start + 1h
- Team 1 - Activity: focuses on documenting the scanned results, no attack so far. Result: none.
- Team 2 - Activity: attacks soft targets one by one and performs detailed scans on them. Result: Target 1 compromised.
- Team 3 - Activity: uses automated tools to attack soft targets. Result: Target 1 compromised.
- Team 4 - Activity: uses automated tools to attack soft targets. Result: none.
- Team 5 - Activity: uses automated tools to attack soft targets. Result: none.

Start + 3h
- Team 1 - Activity: attacks all targets simultaneously with automated tools. Result: none.
- Team 2 - Activity: attacks soft targets one by one and performs detailed scans on them. Result: Target 1 and Target 2 compromised.
- Team 3 - Activity: uses automated tools to attack soft targets. Result: Target 1 compromised.
- Team 4 - Activity: uses automated tools to attack soft targets. Result: Target 1 compromised.
- Team 5 - Activity: uses automated tools to attack soft targets. Result: Target 1 compromised.

Start + 6h
- Team 1 - Activity: attacks remaining targets simultaneously with automated tools. No attempt at web services. Result: Target 1 and 2 penetrated.
- Team 2 - Activity: connects to target 3 to scan target 5. Result: Target 1, 2 and 3 penetrated.
- Team 3 - Activity: uses automated tools to attack target 3. In parallel, attacks target 3 via web portal vulnerabilities. Result: Target 1, 2 penetrated.
- Team 4 - Activity: uses automated tools to attack target 3. Result: Target 1 and 2 penetrated.
- Team 5 - Activity: uses automated tools to attack target 3. Result: Target 1 and 2 penetrated.

End - Start + 8h
- Team 1 - Activity: abandoned all hope. Result: Target 1 and 2 penetrated, abandoned all further attempts.
- Team 2 - Activity: continued to attack the Linux host with automated scripts, completely ignoring the additional information from scanning. Result: Target 1, 2, 3 and 5 penetrated, trophy discovered.
- Team 3 - Activity: penetrated the hidden network host. Result: Target 1, 2, 3 and 5 penetrated.
- Team 4 - Activity: dabbling at target 3 with web portal vulnerabilities. Result: Target 1 and 2 penetrated.
- Team 5 - Activity: dabbling at target 3 with web portal vulnerabilities. Result: Target 1 and 2 penetrated.

Process Demos


Results
- Everyone went after the soft targets first, and wasted most of the time on them.
- Most teams used extremely noisy scans.
- No team followed the process through the entire time frame.
- One team wasted time trying new tools, which proved inferior to the default toolset.
- No team produced meaningful documentation and evidence of its activities.
- Most teams focused on automated tools and ignored other vulnerabilities.
- If this was a real pen-test, all teams would be sued for malpractice.

Conclusions for aspiring pen-testers

- Pen-test training does not make you a pen-tester.
- Know your weapons - a pen-test is not a good time to try out new tools. Understand each of your tools, its abilities and its limitations.
- Organize your time - a lot of things need to be performed in a limited time frame. Plan ahead, based on the initial conclusions.
- Have a fallback plan - if things get too complicated at one step, have a plan B, and a plan C.
- Do not rely only on automatics - output of the automated tools can confuse you. Think about the results, and verify them before proceeding.
- Document everything - use a screen recording tool if needed.
- Second opinion - have a second team member sifting through the results of scans, to properly identify exploitable vulnerabilities.
- Get a lot of practice before going commercial.
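One way to turn the "Activity logging" constraint and the "Document everything" advice above into routine, as an added example that is not part of the presentation: a shell wrapper that records each command with a UTC timestamp, exit status and a SHA-256 of its captured output. The PENTEST_ID and PENTEST_LOG_DIR variables and the log layout are my assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the presentation). Every command run through
# log_activity is appended to activity.log as one tab-separated line:
#   UTC timestamp, engagement id, operator, target label, exit status,
#   SHA-256 of the captured output, exact command line
# and the raw output is kept under evidence/ so the report can cite it.
# Assumed (mine): PENTEST_ID names the engagement, PENTEST_LOG_DIR the log
# directory; both default as below.

PENTEST_ID="${PENTEST_ID:-simulation-demo}"
PENTEST_LOG_DIR="${PENTEST_LOG_DIR:-./pentest-log}"

# log_activity <target-label> <command> [args...]
# Runs the command, stores its stdout+stderr as evidence, logs one line and
# returns the command's own exit status, so a failed step is recorded
# rather than silently dropped. Arguments must not contain tabs.
log_activity() {
    local target="$1"; shift
    local ts n out status digest
    mkdir -p "$PENTEST_LOG_DIR/evidence"
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # Sequence number = existing log lines + 1 (log may not exist yet).
    n=0
    [ -f "$PENTEST_LOG_DIR/activity.log" ] && n=$(wc -l < "$PENTEST_LOG_DIR/activity.log")
    n=$((n + 1))
    out="$PENTEST_LOG_DIR/evidence/$(printf '%04d' "$n")-$target.txt"
    # Capture verbatim; the && / || pair keeps this safe under 'set -e'.
    "$@" >"$out" 2>&1 && status=0 || status=$?
    digest=$( (sha256sum "$out" 2>/dev/null || shasum -a 256 "$out") | cut -d' ' -f1)
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$ts" "$PENTEST_ID" "${USER:-unknown}" "$target" "$status" "$digest" "$*" \
        >>"$PENTEST_LOG_DIR/activity.log"
    return "$status"
}

# Example call (constructed address, not a real host):
#   log_activity target1 ping -c 1 192.0.2.10
```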

Conclusions for organizations

- Require references (as much as it is
- Require a very detailed execution plan.
- Require a sample report of their lab environment.
- Interview the pen-test teams (at least the lead person).

To start off the discussion

Was this a simulation or a real catastrophic pen-test? This simulation was part of a comprehensive security training, which goes to show that training will not make you a pen-tester.

Where can we get the tools? Google is your friend.

Thank you
Bozidar Spirovski
spirovski.b@shortinfosec.net http://www.shortinfosec.net
