8/26/14

How Not to Fail at Penetration Testing

http://www.sans.org/event/sans-pen-test-hackfest-2014 or http://is.gd/hackfest

http://securityweekly.com Copyright 2014

We Have a Problem

•  Penetration Testing is on a crash course

• We have some issues we need to resolve quickly

•  Luckily, these corrections are easy

•  If we move quickly

Knowing you have a problem is a good first step

Scanning Issues

•  We are quickly becoming a commodity industry

-  But what does that mean?

•  Many customers will see little value difference between Pentesting offerings

•  Penetration testing will become like toilet paper

-  When you need it, you will not care what you get

•  Some small corrections are required

Doing it by the book

Looking for Red

•  Many testers follow a Nessus > Metasploit path

-  This is at least 4 years out-of-date

•  Most exploitable issues are actually found in medium, low and informational

•  Back to the true definition of hacking

•  These tools are our eyes and ears, nothing more

What being addicted

Solution

•  Let’s start looking at the other findings

•  Let’s start sifting through the low, medium and informational findings

•  This is what our customers are paying us to do

•  They can run a scanner and focus on the Reds and Purples

•  They hire us to do the “harder” stuff

Informational: Directory Listing

PII… Lots of it

Informational: SMTP Server Found

Informational: Web Server Found on Port 8888

Low + Easy Password = Shell

Doing it Right

•  Requires time

•  Requires knowledge

•  Requires patience

•  Requires just a bit of OCD

•  Requires a cool shirt and a mechanical bull

-  Happy Birthday Kevin!

What doing it right might look like

Going Beyond Scanning

•  Is there anything beyond scanning?

-  “No!!! Everything comes from Nessus, Nmap and Nexpose!!!!”

•  Getting to the crux of why good penetration testing takes time

Ever wish this guy was still running a major AV company?

Let's Get On With It

• We created extra slides and videos for each of the AVs we bypassed

•  It was not all that hard (More on this later)

•  The videos and slides can be found here:

-  http://tinyurl.com/SecurityWeekly-AVBypass

•  Video Here: http://blip.tv/securityweekly/sacred-cash-cow-tipping-bypassing-av-7016677

Merging Physical and Virtual

Mixing Personal and Business

How Bad Can it Be?

Pretty Bad…

What can you get?

Getting Caught

•  Is an absolute must

•  At some point we should all strive to be caught in our testing endeavors

-  Just not right away

•  This is the core of providing value to customers

•  Penetration Testing is about proving risk

-  It is not about proving you are 1337

•  Getting caught is a big step in discovering clipping levels

•  You can also circle back and do this after the 31337 stuff is done

Feel Free to Steal this

This too

Giving up

One step forward…

•  Turns out some Internet white listing products support regular expressions for white-listed sites

•  Which makes sense because regex can be the solution to many problems

•  However… Position matches can be very hard when dealing with a URL

-  Especially for a domain

•  What if malware used the domain as a parameter in a reverse HTTP C2 channel?
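
The position problem from this slide, as an added example that is not part of the original deck: an unanchored allow-list regex is compared with a check that parses the URL and matches only the host, and the audit lists what the regex alone lets through. It goes slightly beyond the slide's query-parameter case to cover the path and a look-alike host; all domains, URLs and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list entry in the style the slide describes: a regex
# meant to permit one site, but not anchored to the host component.
WEAK_RULE = re.compile(r"allowed\.example")

ALLOWED_HOSTS = {"allowed.example"}  # hypothetical approved domain


def weak_allows(url: str) -> bool:
    """Unanchored search over the whole URL string (the fragile pattern)."""
    return WEAK_RULE.search(url) is not None


def strict_allows(url: str) -> bool:
    """Parse first, then compare only the host against the allow-list."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_HOSTS)


def audit(urls):
    """Return URLs the weak rule lets through but the host check rejects."""
    return [u for u in urls if weak_allows(u) and not strict_allows(u)]


# Constructed proxy-log URLs for illustration.
SAMPLE_URLS = [
    "https://allowed.example/index.html",
    "https://www.allowed.example/login",
    "http://unknown-host.test/poll?site=allowed.example",  # domain as parameter
    "http://allowed.example.unknown-host.test/",           # look-alike host
    "http://unknown-host.test/allowed.example/a.gif",      # domain in path
    "https://other.test/news",
]

if __name__ == "__main__":
    for url in audit(SAMPLE_URLS):
        print("allowed by regex only:", url)
```

Running the same audit over real proxy logs shows which past requests a pattern-based allow-list entry admitted without the host actually being on the list.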

White List Proxies

Websense?

Yes, Websense.. Customer.com

ISR Evilgrade Attacks

http://securitynik.blogspot.com/2014_04_01_archive.html

Other Proxy Firewalls

Moving Forward

•  We are the pointy end of the stick, if we get complacent, the rest of the industry follows

-  Ops teams, Dev teams and Forensicshateor?, Forensiactors? People who do forensics

-  Hi Rob!!

•  If penetration testing can be reduced to a checklist or an automated tool... it will be

-  This will be bad for all of us in the security community

Penetration Testers Code of Ethics

•  I will never copy and paste automated results

•  I will never completely trust scan results

•  I will strive to get caught (after being awesome)

•  I will go beyond the scan results

•  I will be a hacker in the original sense of the word

•  I will always stay in scope

•  My reports will rock
