Detecting Penetration Testing Ron Gula, SOURCE 2010


WE ARE IN A GREAT CAREER FIELD

[chart: amount of grey hair over time, 90's / 2000 / 2009]

• PEN TEST REVIEW
• DETECTION
• REACTION

I WANT YOUR COMMENTS AND QUESTIONS TOO

WHY DETECT PENETRATION TESTERS?

[image: John Dillinger from Public Enemies]

Real intrusions have real responses.

PENETRATION TESTING HAS POLITICAL RESPONSES

[cartoon speech bubbles]
"We protect customer data."
"Idiot Johnny, your password should be 25 characters."
"Working late again!"

WE SHOULD BE DETECTING THIS ANYWAY, RIGHT?

snort[1578]: [1:2002910:4] ET SCAN Potential VNC Scan 5800-5820 [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.20.24:36493 -> 192.168.20.16:5800

snort[1578]: [1:2001743:8] ET TROJAN HackerDefender Root Kit Remote Connection Attempt Detected [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} 192.168.20.24:45379 -> 192.168.20.16:1025

snort[1578]: [1:1551:6] WEB-MISC /CVS/Entries access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 192.168.20.24:45896 -> 192.168.20.21:80

snort[1578]: [1:469:4] AUTHORIZED PENETRATION TEST [Classification: OK To Ignore, But Tell Your Boss] [Priority: 2]: {TCP} 192.168.20.24 -> 192.168.20.92
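The four alerts above are the kind of thing a NIDS already emits while a pen tester works. What turns them into a detection is looking at them per source host rather than one at a time. Below is an added example, not code from the slides or from Tenable, that parses Snort "fast" alert lines, groups them by source, and flags a source that touches several hosts with several different alert classes. The thresholds and the list of "authorized" pen-test addresses are my assumptions; the sample lines are the slide's four alerts plus one constructed stray alert from another host.

```python
"""Per-source summary of Snort fast-alert lines (added example, assumptions noted inline)."""
import re
from collections import defaultdict

# Snort fast-alert syntax: [gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]:?\s*"
    r"(?:\{(?P<proto>\w+)\}\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?"
)

# Constructed sample: the four alerts from the slide plus one stray alert from a second host.
SAMPLE_ALERTS = [
    "snort[1578]: [1:2002910:4] ET SCAN Potential VNC Scan 5800-5820 [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.20.24:36493 -> 192.168.20.16:5800",
    "snort[1578]: [1:2001743:8] ET TROJAN HackerDefender Root Kit Remote Connection Attempt Detected [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} 192.168.20.24:45379 -> 192.168.20.16:1025",
    "snort[1578]: [1:1551:6] WEB-MISC /CVS/Entries access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 192.168.20.24:45896 -> 192.168.20.21:80",
    "snort[1578]: [1:469:4] AUTHORIZED PENETRATION TEST [Classification: OK To Ignore, But Tell Your Boss] [Priority: 2]: {TCP} 192.168.20.24 -> 192.168.20.92",
    "snort[1578]: [1:1551:6] WEB-MISC /CVS/Entries access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 192.168.20.77:50211 -> 192.168.20.21:80",
]


def parse_alert(line):
    """Return the alert fields as a dict, or None for lines that are not alerts."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    a = m.groupdict()
    a["sid"] = int(a["sid"])
    a["prio"] = int(a["prio"])
    a["dport"] = int(a["dport"]) if a["dport"] else None
    return a


def summarize_by_source(lines):
    """Group alerts by source IP: targets, destination ports, classifications, best priority."""
    per_src = defaultdict(lambda: {"alerts": 0, "dsts": set(), "dports": set(),
                                   "classes": set(), "sids": set(), "top_prio": 99})
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        s = per_src[a["src"]]
        s["alerts"] += 1
        s["dsts"].add(a["dst"])
        if a["dport"] is not None:
            s["dports"].add(a["dport"])
        s["classes"].add(a["cls"])
        s["sids"].add(a["sid"])
        s["top_prio"] = min(s["top_prio"], a["prio"])   # Snort: priority 1 is the most severe
    return dict(per_src)


def suspicious_sources(per_src, min_targets=3, min_classes=2):
    """Sources that touch >= min_targets hosts with >= min_classes alert classes (thresholds assumed)."""
    return sorted(src for src, s in per_src.items()
                  if len(s["dsts"]) >= min_targets and len(s["classes"]) >= min_classes)


def label_source(src, authorized):
    """Separate the scheduled pen tester from everyone else; the 'authorized' set is an assumption."""
    return "scheduled pen test: tell your boss" if src in authorized else "unknown scanner: investigate"


if __name__ == "__main__":
    summary = summarize_by_source(SAMPLE_ALERTS)
    for src in suspicious_sources(summary):
        s = summary[src]
        print(f"{src}: {s['alerts']} alerts, {len(s['dsts'])} targets, ports {sorted(s['dports'])}, "
              f"top priority {s['top_prio']} -> {label_source(src, authorized={'192.168.20.24'})}")
```

Run stand-alone it reports 192.168.20.24 as the one host hitting three targets with four alert classes, while the single WEB-MISC alert from 192.168.20.77 stays below the threshold. The same grouping is what a SIM does for you; the point is to ask whether yours is configured to do it.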

THERE ARE DIFFERENT TYPES OF PENETRATION TESTS

[diagram: External vs. Internal testers; IT & Servers; Guest Pen Testers]

THERE ARE DIFFERENT TYPES OF PENETRATION TESTS

• Web Attacker: "SQL Injection rules, guys!"
• Services Exploiter: "No way. I have a 0-day for Skype."
• No-Tech Hacker: "Screw you guys. I'm walking in."

WHAT ABOUT CLIENT SIDE PEN TESTS?

• Test the browser security
• Test the email client security
• Test the web proxy security
• Test the email spam security
• See who clicks on links or opens hostile email

THE MYTHICAL GOD-LIKE PEN TESTER

[diagram: a "normal computer" that looks exactly the same after the god-like pen tester has been through it]
• CPU stays the same
• Packets are normal
• No additional files
• Communicates the same
• Memory stays the same
• Firewall logs the same
• Configuration stays the same
• Error logs stay the same

KNOW WHAT YOU CAN AND CAN'T MONITOR

Four columns of data sources, as laid out on the slide:

• Packets • Netflow • NIDS logs • Firewall logs • NBAD

• Topology • Vulnerabilities • Patch audits • Configurations • Host security • Host logs • Audit trail

• Vulnerabilities • Application • Patch audits • Configurations • Host security • File integrity • System and app logs • Audit trail

• Authentication • Authorized systems • Normal apps/programs • Web proxy logs • Spam logs

KNOW HOW A COMPROMISED SYSTEM BEHAVES

The same four columns of data sources, each paired with what compromise looks like in it:

• Packets • Netflow • NIDS logs • Firewall logs • NBAD
  -> Firewall deny • Blacklisted IPs • Spikes in traffic

• Topology • Vulnerabilities • Patch audits • Configurations • Host security • Host logs • Audit trail
  -> Illegal hosts • Illegal activity • New commands

• Vulnerabilities • Application • Patch audits • Configurations • Host security • File integrity • System and app logs • Audit trail
  -> Modified files • High CPU • System errors • Illegal commands

• Authentication • Authorized systems • Normal apps/programs • Web proxy logs • Spam logs
  -> Access violations • New programs • Blacklisted sites


SIMPLE EXAMPLE – HTTP SERVER

• Port 80 in. Nothing allowed out.
• Port 22 in. Nothing allowed out.
• No DNS. Web server jailed.
• Use IPS/proxy to stop 0-days; monitor with NIDS/NBAD.
• Look for outbound denies in the firewall logs.
• Watch for denies and SSH client attacks.
• System errors, illegal commands.
• Unauthorized changes, file integrity.
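The jailed web server above is only useful as a detector if somebody actually reads the outbound denies: a box that is built to never start a connection has no false positives on that rule. The following is an added example, not from the slides, that parses iptables LOG lines (the kernel's key=value format) and classifies each outbound packet the firewall dropped from the web server. The host address, the log prefix on the outbound DROP rule, the verdict wording and the log lines themselves are my assumptions and constructions, not captured data.

```python
"""Classify outbound denies from a jailed web server in iptables LOG output (added example)."""
import re

WEB_SERVER = "192.168.20.21"        # the jailed HTTP server (address assumed)
LOG_PREFIX = "WEB-OUT-DENY"         # --log-prefix set on the outbound DROP rule (assumed)

KV_RE = re.compile(r"(\w+)=(\S*)")
PREFIX_RE = re.compile(r"kernel:\s*(?:\[[^\]]*\]\s*)?(?P<prefix>[^\s:]+):")

# Constructed sample: two outbound attempts from the web server and one inbound deny to it.
SAMPLE_LOG = [
    "Mar  3 10:15:02 web01 kernel: [12345.678] WEB-OUT-DENY: IN= OUT=eth0 SRC=192.168.20.21 DST=192.168.20.24 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51234 DPT=4444 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Mar  3 10:15:03 web01 kernel: [12346.101] WEB-OUT-DENY: IN= OUT=eth0 SRC=192.168.20.21 DST=192.168.20.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40001 DPT=53 LEN=44",
    "Mar  3 10:15:09 web01 kernel: [12352.412] WEB-IN-DENY: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.20.24 DST=192.168.20.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45379 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0",
]


def parse_iptables_log(line):
    """Return the LOG record as a dict (key=value fields plus 'prefix' and 'ts'), or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(line))     # IN= with an empty value parses as ""
    rec["prefix"] = m.group("prefix")
    rec["ts"] = line[:15]               # syslog timestamp, e.g. "Mar  3 10:15:02"
    return rec


def classify_outbound(rec):
    """Verdict for an outbound deny from the web server, or None if the record is not one."""
    if rec is None or rec.get("prefix") != LOG_PREFIX:
        return None
    if rec.get("SRC") != WEB_SERVER or not rec.get("OUT"):
        return None                     # inbound, or some other host: not this rule's job
    proto = rec.get("PROTO")
    dport = int(rec.get("DPT") or 0)
    # Policy says the box never talks out, so every hit is reportable; the label just orders triage.
    if proto == "UDP" and dport == 53:
        return "dns lookup attempt (server is built with no DNS)"
    if proto == "TCP" and dport in (80, 443):
        return "outbound web fetch (second-stage download?)"
    return "reverse shell / phone-home attempt"


def outbound_denies(lines):
    """Run the rule over a log stream; one finding per hit, in log order."""
    findings = []
    for line in lines:
        rec = parse_iptables_log(line)
        verdict = classify_outbound(rec)
        if verdict:
            findings.append({"ts": rec["ts"], "dst": rec["DST"], "proto": rec["PROTO"],
                             "dport": int(rec["DPT"]), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in outbound_denies(SAMPLE_LOG):
        print(f"{f['ts']} {WEB_SERVER} -> {f['dst']} {f['proto']}/{f['dport']}: {f['verdict']}")
```

The inbound deny on port 23 is deliberately ignored here; inbound noise is what the NIDS/NBAD watch. What this rule surfaces is the server trying to leave, which is the only thing the jail says it will never do.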

PEN TESTING AND "REAL" INCIDENT DIFFERENCES

                                 Pen Test    Real Incident
Probability                      HIGH        LOW
Zero day
Automation
Bumps into ACLs
Lack of tech knowledge
Unlimited time                               X
Long term access                             X
Foreign country                              X
Real data exfiltration                       X
Data destruction                             X
Lack of "respect" for systems                X
Attack security systems                      X

WHAT DO WEB APP ATTACKS LOOK LIKE?

Web Attacker: "SQL Injection rules, guys!"

• Are you collecting any logs?
• Can you tell an attack from a transaction?
• Is your DBA watching things?
• Will your NIDS/NBAD see anything?
• What about your SIM?

WHAT DOES A NETWORK ATTACK LOOK LIKE?

Services Exploiter: "No way. I have a 0-day for Skype."

• Are you collecting any logs?
• Can you tell an attack from a normal user?
• Is your admin watching things?
• Will your NIDS/NBAD see anything?
• What about your SIM?

IT GOES ON AND ON !!!!

Attackers and penetration testers have a potentially infinite supply of places to attack.

Hardening systems, reducing complexity and adding defenses reduces the attack points and lets you monitor for known outcomes.

Monitor for outcomes you must!

AUTOMATIC VULN SCANNING TOOL DETECTION

Experiment:
[1] Get a vuln scanner
[2] Scan your network
[3] Check your NIDS/SIM

• Did we detect the scan?
• What kind of logs do we make?
• Can we rely on the NIDS vendors to detect scanners?
• Does the same scanner scan the same all the time?

PEN TESTING TOOL DETECTION

Experiment:
[1] Get a pen testing tool
[2] Hack your network
[3] Check your NIDS/SIM

• What kind of logs do we make?
• Can we rely on the NIDS vendors to detect pen testing?
• Does the same pen tester hack the same all the time?

FILE AND SOCIAL TROLLING DETECTION

Experiment:
[1] Use low-tech hacking
[2] Look for the goods
[3] Check your NIDS/SIM/DLP

• What kind of logs do we make?
• Can we rely on the NIDS vendors to detect file browsing?
• Are the same users going to click around the same way all the time?

BEWARE OF FOCUSING ON JUST PEN TESTING TOOLS

[Batman cartoon]
"Holy MD5 checksums, Batman, the Joker is using a penetration testing tool on the Bat Computer!"
"The joke's on him, loyal friend. Those tools only look for a few holes."
"Wah, wah, wah. Not only do I have a custom exploit, it is encoded to get past the Bat IDS!"
"What can I do to find pen testers?"

MESSING WITH THE PEN TESTERS WITH DNS

[root@megalon ~]# nslookup exchange.company.com
Server:  192.168.20.24
Address: 192.168.20.24#53

** server can't find exchange.company.com: NXDOMAIN

[root@megalon ~]# nslookup imap.company.com
Server:  192.168.20.24
Address: 192.168.20.24#53

Name:    imap.company.com
Address: 192.168.20.23

• Give DNS recon tools false information.
• Might have different records inside vs. outside vs. per location.
• Might use a SIM, IDS, etc. to "watch" the target IPs.
• Could use a SIM to watch DNS queries and logs for these domains.
• Goal: waste more of a potential hacker's time than your real IT staff's.
• Where do these records point? Who manages them in IT? How often do you change them?

MESSING WITH THE PEN TESTERS WITH DNS: SLOW DOWN DNS RESPONSES

• Hopefully only slow down answers for stuff that isn't live.
• Needs very specialized DNS servers; does not need to be the core servers.
• Try to make the pen testers waste their time.
• DNS is really reliable; can you convince your IT staff to mess with it?
• If an attacker already knows your IP addresses, this doesn't help.
• This could slow down an insider pen tester.
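The two DNS slides above only pay off if the decoy records are watched. Below is an added example, not from the slides, of the "use a SIM to watch DNS queries for these domains" idea run over BIND-style query-log lines: any client that asks for a decoy name is reported, and a client that asks for many distinct names under the zone in a short window is reported as a DNS recon tool whether or not it hit a decoy. The zone, the decoy list (exchange.company.com is the one on the slide; backup-old.company.com is made up), the thresholds and the log lines are my assumptions and constructions.

```python
"""Watch DNS query logs for decoy names and for subdomain enumeration (added example)."""
import re
from collections import defaultdict
from datetime import datetime

ZONE = "company.com"                                        # assumed
DECOY_NAMES = {"exchange.company.com", "backup-old.company.com"}   # decoys; second one is made up

# BIND 9 query log: "<date> <time>.<ms> client [@ptr] <ip>#<port> [(<qname>)]: query: <name> IN <type> ..."
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+\s+client\s+(?:@\S+\s+)?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+(?:\s+\([^)]*\))?:\s+query:\s+"
    r"(?P<name>\S+)\s+IN\s+(?P<qtype>\w+)"
)

# Constructed sample: one client walks the zone (and hits a decoy), one client does a normal lookup.
SAMPLE_QUERY_LOG = [
    "03-Mar-2010 10:22:15.123 client 192.168.20.24#51234: query: exchange.company.com IN A + (192.168.20.1)",
    "03-Mar-2010 10:22:15.350 client 192.168.20.24#51235: query: imap.company.com IN A + (192.168.20.1)",
    "03-Mar-2010 10:22:15.602 client 192.168.20.24#51236: query: vpn.company.com IN A + (192.168.20.1)",
    "03-Mar-2010 10:22:15.811 client 192.168.20.24#51237: query: intranet.company.com IN A + (192.168.20.1)",
    "03-Mar-2010 10:22:16.044 client 192.168.20.24#51238: query: dev.company.com IN A + (192.168.20.1)",
    "03-Mar-2010 10:22:16.290 client 192.168.20.24#51239: query: wiki.company.com IN A + (192.168.20.1)",
    "03-Mar-2010 10:30:01.007 client 192.168.20.50#40211: query: imap.company.com IN A + (192.168.20.1)",
]


def parse_query(line):
    """Return {'ts', 'ip', 'name', 'qtype'} for a query-log line, or None."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"),
            "ip": m.group("ip"),
            "name": m.group("name").lower().rstrip("."),
            "qtype": m.group("qtype")}


def decoy_hits(lines):
    """(client, decoy name, timestamp) for every query that touches a decoy record."""
    hits = []
    for line in lines:
        q = parse_query(line)
        if q and q["name"] in DECOY_NAMES:
            hits.append((q["ip"], q["name"], q["ts"]))
    return hits


def enumerating_clients(lines, min_names=5, window_seconds=60):
    """{client: max distinct names} for clients asking >= min_names names under ZONE within the window."""
    by_client = defaultdict(list)
    for line in lines:
        q = parse_query(line)
        if q and q["name"].endswith("." + ZONE):
            by_client[q["ip"]].append((q["ts"], q["name"]))
    flagged = {}
    for ip, qs in by_client.items():
        qs.sort()
        for i in range(len(qs)):            # sliding window starting at each query
            names = {qs[i][1]}
            for j in range(i + 1, len(qs)):
                if (qs[j][0] - qs[i][0]).total_seconds() > window_seconds:
                    break
                names.add(qs[j][1])
            if len(names) >= min_names:
                flagged[ip] = max(flagged.get(ip, 0), len(names))
    return flagged


if __name__ == "__main__":
    for ip, name, ts in decoy_hits(SAMPLE_QUERY_LOG):
        print(f"{ts} DECOY {name} queried by {ip}")
    for ip, n in enumerating_clients(SAMPLE_QUERY_LOG).items():
        print(f"{ip} asked for {n} distinct {ZONE} names in under a minute: DNS recon?")
```

The decoy rule has essentially no false positives because nothing legitimate ever needs the name; the enumeration rule does, so it wants an allowlist for your own scanners and monitoring hosts before it goes into a SIM.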

MAKE FOOTHOLDS SLOW AND HARD TO USE
Make them work harder to leverage any compromised target

• Exploits work, but we're leveraging that the attacker does not know our defenses.
• Need to have a process to investigate false positives.
• Reverse shells, phone-homes, etc. prevented by ACLs in the network.

MAKE FOOTHOLDS SLOW AND HARD TO USE
Make them work harder to leverage any compromised target

• Most IT organizations are OK with proxies and packet shapers.
• Are they hooked up to your SIM or NBAD and part of your monitoring?
• Proxies prevent some tunneling.
• Packet shapers can slow access.

MAKE ATTACKERS REQUIRE DIFFERENT EXPLOITS
Force them to think, and be less likely to be a botnet

• Are you looking for these exploits to begin with?
• Does your SIM chain together these types of attacks?

Attack chain: Web Apache attack -> SQL attack to Unix DB -> Client side SSH exploit -> IMAP Exchange exploit

Pen testers pride themselves on doing this.

"Wait a second! Aren't you the guy who's been talking about compliance, repeatable builds and monocultures?"

MAKE ATTACKERS REQUIRE DIFFERENT EXPLOITS
Force them to think, and be less likely to be a botnet

• Are you looking for these exploits to begin with?
• Does your SIM chain together these types of attacks?

A second chain, against different platforms: Web IIS attack -> SQL attack to Unix DB -> Client side RDP exploit -> IMAP Exchange exploit

Pen testers pride themselves on doing this.
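"Does your SIM chain together these types of attacks?" is a correlation rule, and it is short enough to write out. The following is an added example, not from the slides or any SIM product: each alert has already been normalised to the tier it targets (web server, database, client, mail), and the rule reports any source that reaches several distinct tiers within a time window, which is what a pen tester pivoting down either chain above looks like and what a single-exploit bot does not. The tier names, the window, and the event stream are my assumptions and constructions.

```python
"""Chain alerts per source across tiers within a time window (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

TIERS = ("web", "database", "client", "mail")      # tiers from the two chains on the slide
DAY = timedelta(hours=24)
WEEK = timedelta(days=7)

# Constructed alert stream, as a SIM might hand it over after normalisation.
SAMPLE_EVENTS = [
    {"time": "2010-03-03 09:05", "src": "192.168.20.24", "tier": "web",      "sig": "Apache exploit attempt"},
    {"time": "2010-03-03 09:40", "src": "192.168.20.24", "tier": "database", "sig": "SQL injection against Unix DB"},
    {"time": "2010-03-03 11:10", "src": "192.168.20.24", "tier": "client",   "sig": "SSH client exploit"},
    {"time": "2010-03-03 13:25", "src": "192.168.20.24", "tier": "mail",     "sig": "IMAP Exchange exploit"},
    {"time": "2010-03-03 09:07", "src": "10.9.9.9",      "tier": "web",      "sig": "Apache exploit attempt"},
    {"time": "2010-03-03 09:08", "src": "10.9.9.9",      "tier": "web",      "sig": "Apache exploit attempt"},
    {"time": "2010-03-01 02:00", "src": "10.8.8.8",      "tier": "web",      "sig": "IIS exploit attempt"},
    {"time": "2010-03-02 12:00", "src": "10.8.8.8",      "tier": "database", "sig": "SQL injection against Unix DB"},
    {"time": "2010-03-04 02:00", "src": "10.8.8.8",      "tier": "mail",     "sig": "IMAP Exchange exploit"},
]


def find_chains(events, min_tiers=3, window=DAY):
    """{src: [tiers in order of first hit]} for sources that reach >= min_tiers tiers within `window`."""
    by_src = defaultdict(list)
    for e in events:
        t = datetime.strptime(e["time"], "%Y-%m-%d %H:%M")
        by_src[e["src"]].append((t, e["tier"], e["sig"]))
    chains = {}
    for src, evs in by_src.items():
        evs.sort()
        best = []
        for i in range(len(evs)):               # window anchored on each event in turn
            seen = []
            for t, tier, _ in evs[i:]:
                if t - evs[i][0] > window:
                    break
                if tier not in seen:
                    seen.append(tier)           # keep the order the tiers were first hit
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_tiers:
            chains[src] = best
    return chains


if __name__ == "__main__":
    for src, tiers in find_chains(SAMPLE_EVENTS).items():
        print(f"{src}: reached {len(tiers)} tiers within 24h: {' -> '.join(tiers)}")
    print("same rule with a one-week window:", find_chains(SAMPLE_EVENTS, window=WEEK))
```

The window is the knob that matters: 10.8.8.8 reaches three tiers too, but over three days, and whether that is a patient tester or three unrelated scanners is a question the rule cannot answer. It can only make sure somebody asks it.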

USE DYNAMIC NAC TO LIMIT INTERNAL ACCESS
Kick them off the network while generating alerts

• NAC can block hosts by MAC address, authentication and activity.
• Are NAC logs something sent to your SIM?
• Most people think of NAC as a dead market.
• NAC is alive and well in your switch vendor.

[image: Stewie getting his MAC address kicked off the net]

HONEYPOTS AND DECOYS
Let them eat "cake" (fake servers)!

• Honeypots can add complexity to your network.
• Every packet to a honeypot is not an attacker.
• Have you configured "honeypot" analysis in your SIM, NBAD or IDS?

[diagram: honeypot types across network, servers and desktop]
• "Imaginary" honeypots: a firewall or IPS responds on behalf of a host that isn't there.
• "Real" honeypots: a dedicated honeypot target; a real server running a honeypot service; an interactive honeypot.
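The "real server, honeypot service" variant from the diagram is the cheapest one to build: a listener on a port the host does not legitimately serve, which hands out a plausible banner, records who connected and what they said, and feeds that to the SIM. Below is an added example, not from the slides, of exactly that, with a triage step that drops touches from the scheduled vulnerability scanner so that "every packet to a honeypot" does not become an attacker. The fake SMTP banner, the allowlist and the probe client are my assumptions; the probe stands in for a pen tester's connection.

```python
"""A fake-service honeypot listener with recording and scanner triage (added example)."""
import socket
import socketserver
import threading
import time
from dataclasses import dataclass


@dataclass
class Touch:
    src_ip: str
    src_port: int
    first_bytes: bytes
    ts: float


class _FakeServiceHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(1.0)
        self.request.sendall(self.server.banner)          # look like the service we pretend to be
        try:
            data = self.request.recv(256)                # record the first thing the client says
        except socket.timeout:
            data = b""
        with self.server.lock:
            self.server.touches.append(Touch(self.client_address[0], self.client_address[1], data, time.time()))


class HoneypotService(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, bind_addr, banner):
        super().__init__(bind_addr, _FakeServiceHandler)
        self.banner = banner
        self.touches = []
        self.lock = threading.Lock()


def start_honeypot(host="127.0.0.1", port=0, banner=b"220 mail.company.com ESMTP ready\r\n"):
    """Start the fake service in a background thread; port=0 picks a free port. Returns (server, port)."""
    srv = HoneypotService((host, port), banner)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def wait_for_touches(srv, count, timeout=3.0):
    """Block until at least `count` touches are recorded (or timeout); return a copy of the list."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        with srv.lock:
            if len(srv.touches) >= count:
                return list(srv.touches)
        time.sleep(0.02)
    with srv.lock:
        return list(srv.touches)


def triage(touches, scanner_allowlist):
    """Every packet to a honeypot is not an attacker: drop the scheduled scanner, keep everyone else."""
    return [t for t in touches if t.src_ip not in scanner_allowlist]


def probe(port, payload=b"EHLO pentester\r\n", host="127.0.0.1"):
    """Stand-in for a pen tester's probe: connect, read the banner, send one line. Returns the banner."""
    with socket.create_connection((host, port), timeout=2) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    srv, port = start_honeypot()
    print("fake SMTP honeypot on port", port, "banner:", probe(port))
    for t in triage(wait_for_touches(srv, 1), scanner_allowlist={"192.168.20.24"}):
        print(f"ALERT honeypot touch from {t.src_ip}:{t.src_port}, sent {t.first_bytes!r}")
    srv.shutdown()
```

Bind it to a port the real server never exposes (the box is a web server, so a mail banner on it has no legitimate callers) and ship the ALERT lines to the SIM; the allowlist is the one piece of tuning the slide warns you will need.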

ENGAGE THE ATTACKERS
Attack the attackers

• "Hack back" is illegal in lots of places. You could be playing with fire.
• This truly is security through obscurity.

Ideas from the slide:
• Launch DoS attacks against attackers
• Viruses in honeypot office files
• ZIP bombs in files obtained
• Very large fake password files
• Fake chat logs that have fake account info
• Hook chargen up to services
• Host hidden porn; monitor for access
• Host fake network diagrams
• Replace common commands

HOW MUCH OF THIS DO YOU TELL AUDIT?

• They might be impressed
• They might be confused
• They might totally out you!

WHAT IF YOU DON'T DETECT THEM?

They "only" broke into here and here, yet they made a huge report.

CONCLUSIONS

• Detecting real attacks and penetration testing is very similar

• We should be good enough to detect intrusions AND differentiate between a “pen test” and a “real attack”

• If we don’t have access to the logs, vulns, packets, etc we can’t do either

QUESTIONS or COMMENTS ??

RonGula on TWITTER

www.tenablesecurity.com blog.tenablesecurity.com

TENABLE is hiring! [email protected]