Penetration Testing and Fuzzing. John Slankas

Transcription

1 Penetration Testing and Fuzzing John Slankas Course Slides adapted from OWASP Testing Guide v4 CSC 515 Software Security

2 Penetration Testing aka Ethical Hacking Art of testing a running application remotely to find vulnerabilities Works extremely well for networks and operating systems Mixed results for applications Web applications are generally bespoke (made to order) Becomes more of a research effort Advantages Tests exposed code If you fail a penetration test you know you have a very bad problem indeed. If you pass a penetration test you do not know that you don t have a very bad problem. - Gary McGraw Lower skill set needed than for reviews Disadvantages Front impact testing only Late in the SDLC

3 Penetration Testing: A Professional s View Source: Coursera Software Security by Michael Hicks (Maryland), softwaresec/lecture_slides/pen-testing.pdf

4 Penetration Testing: A Professional s View Source: Coursera Software Security by Michael Hicks (Maryland), softwaresec/lecture_slides/pen-testing.pdf

5 Penetration Tester versus Hacker Pen Tester s have prior approval from Senior Management Hackers have prior approval from themselves. Pen Tester s social engineering attacks are there to raise awareness Hackers social engineering attacks are there to trick the DMV into divulging sensitive information about the whereabouts of their estranged ex-spouse This course is not a license to hack. The instructor has no get out of jail card for you.

6 Types of Penetration Testing Targeted Recon. Targeted exploitation of vulnerable software. Social Engineering Hi HelpDesk I m Mr. Jones Can you tell me what my password is? Physical facilities audit Hmm, I forgot my badge... but there's 200 yards of fence missing on the east side of the center Wireless War Driving Detection of rogue or weakly encrypted AP s. Dumpster Diving How much fun can I have in the dumpster whoops I ve found someone s Tax forms with SSN. Ernest Lopez & Matt Linton, NASA Penetration Testing and Vulnerability Assesment, August 2010

7 Penetration Testing Who needs it? Banks, Financial Organizations -> regulatory Requirements PCI Data Security Standard's Section 11.3 requires organizations to perform application and penetration tests at least once a year. HIPAA Security Rule's section 8 of the Administrative Safeguards requires security process audits, periodic vulnerability analysis and penetration testing U.S. Federal Government Federal Information Security Management Act

8 Why Do Penetration Testing? Ensure system security Compliance Active pen-testing teaches you things that security planning will not What are the vulnerability scanners missing? Are your users and system administrators actually following their own policies? host that claims one thing in security plan but it totally different in reality Audit Physical Security Just what is in that building no one ever goes in? The strongest network based protections are useless if there is a accessible unlocked terminal, unlocked tape vault, etc. Raises security awareness Helps identify weakness that may be leveraged by insider threat or accidental exposure. Provides Senior Management a realistic view of their security posture Great tool to advocate for more funding to mitigate flaws discovered If I can break into it, so could someone else! Ernest Lopez & Matt Linton, NASA Penetration Testing and Vulnerability Assesment, August 2010

9 Penetration Testing: Two Primary Phases Information gathering Understand environment and the application Determine access points, inputs Methodically test across a variety of controls Configuration and deployment management Identity, authentication, authorization session management Input validation Error handling Cryptography Business logic Client side evaluation Plan Discover Attack Report

10 Planning Penetration Test may be included in a scheduled audit or independently May be announced or unannounced Define the scope and rules of engagement Who performs?

11 Information Gathering Goal: discover as much information about the system under evaluation Methods WHOIS Network Enumeration and Scanning Google Searching and Hacking Website browsing Social Media

12 Information Gathering Discovery Phase Footprinting Gather Initial Information Determine the Network Range Port Scanning nmap ping traceroute netcat Enumerating whois nslookup Identify Active Machines Discover Open Ports and Access Points Fingerprint the Operating System Uncover Services on Ports Map the Network

13 Information Gathering: Network Enumeration/Scanning Online Network Tools Other tools nmap traceroute

14 Information Gathering: WHOIS Domain Name: NCSU.EDU Technical Contact: Registrant: North Carolina State University 2114 Avent Ferry Road Raleigh, NC UNITED STATES Administrative Contact: HostMaster North Carolina State University Campus Box Avent Ferry Road Raleigh, NC UNITED STATES (919) Support North Carolina State University - ComTech 2114 Avent Ferry Road Box 7208 Raleigh, NC UNITED STATES (919) support@ncstate.net Name Servers: ED11.DDI.NCSU.EDU ED21.DDI.NCSU.EDU ED31.DDI.NCSU.EDU Domain record activated: 16-Apr-1987 Domain record last updated: 15-Nov-2012 Domain expires: 31-Jul-2016

15 nmap nmap p recommender.oscar.ncsu.edu Nmap scan report for recommender.oscar.ncsu.edu ( ) Host is up (0.0019s latency). Not shown: filtered ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https 7878/tcp open unknown 27017/tcp open mongod Nmap done: 1 IP address (1 host up) scanned in seconds

16 nmap nmap -sn /24 Starting Nmap 6.49BETA4 ( ) at :07 EST Nmap scan report for Host is up ( s latency). MAC Address: 0A:00:27:00:00:00 (Unknown) Nmap scan report for Host is up ( s latency). MAC Address: 08:00:27:79:38:01 (Cadmus Computer Systems) Nmap scan report for Host is up ( s latency). MAC Address: 08:00:27:D9:03:08 (Cadmus Computer Systems) Nmap scan report for Host is up. Nmap done: 256 IP addresses (4 hosts up) scanned in seconds

17 nmap nmap -ss /24 Starting Nmap 6.49BETA4 ( ) at :08 EST Nmap scan report for Host is up ( s latency). Not shown: 995 filtered ports PORT 135/tcp 139/tcp 445/tcp STATE SERVICE open msrpc open netbios-ssn open microsoft-ds 8009/tcp open ajp /tcp open http-proxy MAC Address: 0A:00:27:00:00:00 (Unknown) Nmap scan report for Host is ports on are filtereup ( s latency). All 1000 scanned d MAC Address: 08:00:27:79:38:01 (Cadmus Computer Systems) Nmap scan report for Host is up ( s latency). Not shown: 998 filtered ports PORT STATE SERVICE 22/tcp open ssh 9200/tcp open wap-wsp MAC Address: 08:00:27:D9:03:08 (Cadmus Computer Systems) Nmap scan report for Host is up ( s latency). All 1000 scanned ports on are closed Nmap done: 256 IP addresses (4 hosts up) scanned in seconds

18 Information Gathering: Google Searching and Hacking Google Advanced Operators - Standard part of a google query - Syntax (no spaces) operator:search_term

19

20 Google Advanced Operators

21 Google Advanced Operators

22 Google Hacking: SQL Query History query: intitle:"index of".mysql_history

23 Google Hacking: Basic Site Crawling query: site:ncsu.edu

24 Google Hacking: Basic Site Crawling query: site:ncsu.edu -site: -site:news.ncsu.edu -intitle:"north Carolina"

25 Google Hacking: SQL Schemas query: # dumping data for table

26 Google Hacking: SQL Passwords query: filetype:inc intext:mysql_connect

27 Google Hacking: Passwords query: inurl:password filetype:xls

28 Information Gathering: Website Use the website / web application Information is revealed in HTML Text (form names, parameters, comments) URLs Parameters technologies (JSP / servlets / PHP / WordPress) HTTP Request and Response Headers

29 Class Exercises

30 Penetration Testing Methodically test across a variety of controls Configuration and deployment management Identity, authentication, authorization session management Input validation Error handling Cryptography Business logic Client side evaluation Plan Discover Attack Report

31 Vulnerabilities Exploited by Penetration Testing Misconfigurations Kernel Flaws Buffer Overflows Insufficient Input Validation Symbolic Links File Descriptor Attacks Race Conditions Incorrect File and Directory Permissions

32 Some Tools Kali OpenVAS Vega OWASP Zap

33 Kali Linux Debian-derived Linux distribution, Designed for digital forensics and penetration testing. Numerous penetration-testing programs. Run from a hard disk, live CD, or live USB

34

35 Vega: Dynamic Analysis

36 ZAProxy Proxy Dynamic Analysis Fuzzing Site Mapping

37 Resources Kali: Google Hacking for Penetration Testers: Google Hacking Database: OWASP Testing Guide, V4: OWASP Zed Attack Project: Vega: OpenVAS: