Improving Application Security through Penetration Testing
Dominick Baier ([email protected])
Security Consultant / BS 7799 Lead Auditor
ERNW GmbH
2
Outline
• What is Penetration Testing and Auditing
• Standards and Ethics
• The Process of Testing
• Pen-Testing Web Applications
• The Tools
3
"Improving the Security of Your Site by Breaking Into It"
(Dan Farmer / Wietse Venema, 1993)
http://www.fish.com/security/admin-guide-to-cracking.html
4
Penetration Testing vs. Auditing
• Penetration Testing
  – Simulating a motivated attacker for a specific amount of time
  – Black Box / White Box approach
  – Is more like a snapshot of the current security of a system or a business process
• Auditing
  – Analyzing
    • Configuration Files
    • Architecture
    • Source Code
  – Policy conformance
    • Operational Plans and Procedures
5
Why Penetration Testing
• To measure the security of a system, network or a business process
  – By a third party
• To assess possible Risks
• To make the upper management "security aware"
6
Possible Goals of a Penetration Test
• How much information about our network is publicly available?
• Is it possible to compromise this and that system?
• Is it possible to disturb business process X?
• How effectively do our security controls work?
  – Firewall
  – AntiVirus / Spam / Content Filter
  – Intrusion Detection Systems
• Is our Information Security Policy correctly enforced?
• Can employees compromise workstation security?
• "Are we safe?"
7
What can be tested
• Servers and Workstations
  – Web Server
  – Database Server
  – Domain Controller
  – Workstations
• Infrastructure
  – Network Devices
  – Wireless Networks
  – Dial-In Access
  – VPNs
• Applications
• Employees (Social Engineering)
8
Attackers to simulate
• Outside Attackers
  – Script Kiddies
  – Competitors
  – Terrorists
  – Journalists
• Insiders
  – Employees
  – Disgruntled Employees
  – Contractors
  – Consultants
9
Standards
• Pete Herzog's OSSTM ("Open Source Security Testing Methodology Manual")
  – Very practical approach
  – Checklists of what to test and in which order
  – List of tools
• ISO 17799 / BS 7799 Standard for Information Security
  – Focuses more on the policy and paperwork side of security
  – Extensive catalog of security controls
  – Defines a standard for audits
• NIST Guidelines for Network Security Testing
10
Ethics
• Findings are under strict NDAs
• No information gathered during the test
  – is sent in clear text over the internet
  – is used for personal profit
• ISACA Code of Professional Ethics
• ISC2 Code of Ethics
• Full Disclosure
11
The STRIDE Threat Model
• STRIDE
  – Spoofing Identity
  – Tampering with data
  – Repudiation
  – Information Disclosure
  – Denial of Service
  – Elevation of Privilege
12
The Pen-Tester's Mantra
• Segregation of Duties
• Minimal Machine
• Least Privilege
• Patch-Level
• Defense in Depth
• Secure the Weakest Link
• Strong Authentication
13
Course of Actions
• Opening Meeting
  – Goals of the Pen-Test
  – Scope
  – Responsible Admins
• The Audit / Test itself
• The Report
  – Found issues
  – Countermeasures
  – Prioritization
• Closing Meeting
14
Stages of a Pen-Test
• Gathering Information
• Analyzing the Infrastructure
• Analyzing the Machines
  – Fingerprinting
  – Port / Vulnerability Scanning
  – Attacking the System / Proof of Concept
• Analyzing Applications
  – Functional / Structural Analysis
  – Attacking Authentication and Authorization
  – Attacking Data and Back-End Communication
  – Attacking Clients
15
Information Gathering
• In this phase you try to compile as much publicly available information as possible
  – Internic
  – IANA / RIPE
  – Whois
  – Google / Usenet
  – Private homepages of employees
  – Email Addresses
  – Telephone numbers
18
Information Gathering
• Google Search Syntax
  – allintitle:"Index of /etc"
  – site:gov site:mil site:ztarget.com
  – filetype:doc filetype:pdf filetype:xls
  – intitle:, inurl:, allinurl:
  – allinurl:mssql, allinurl:gw …
  – inurl:".aspx?ReturnUrl="
  – "+www.ernw.+de"
  – related:www.ernw.de
  – login site:www.microsoft.com
  – [cached]
25
Information Gathering
• Mailing Lists / Forums / Usenet
  – Some vendors even post internal support questions to public newsgroups
26
Information Gathering
• Mailing Lists / Forums / Usenet
Invitation?
27
Analyzing the Infrastructure and Machines
• A layered model

    +-------------+      +-------------+
    | Data        |      | Data        |
    | Application |      | Application |
    | Service     |      | Service     |
    | OS          |      | OS          |
    +------+------+      +------+------+
           |                    |
           +------ Network -----+
28
Analyzing the Infrastructure and Machines
• The Reality (diagram; components and protocols as labelled on the slide)
  – Tiers: Browser -> Web Server -> Application Server -> Database Server
  – Backing stores: Auth Database, Web Content, Data, Audit Logs
  – Protocols between the tiers: HTTP, LDAP, DCOM, CORBA, SOCKETS
29
Analyzing the Infrastructure and Machines
• Querying System and DNS Information
• Portscanning
• Fingerprinting
• Vulnerability Scanning
• Exploiting a Vulnerability
30
Querying System and DNS Information
• TraceRoute
  – Tracing the network route gives you information about
    • The provider
    • Type of connection
      – Simple / Redundant / Load Balanced
      – At which hop does ICMP get blocked?
31
Querying System and DNS Information
• DNS Zone Transfer
  – DNS servers should be configured to allow zone transfers only to specific peers
  – DNS zones are very interesting
    • Which machines are listed in the zone
    • Get information about the IP network structure
32
Portscanning & Fingerprinting
• Port scanning gives you information about which ports a machine listens on
• Every open port is potentially vulnerable
• More advanced scanners try to figure out what kind of software (+ vendor and version) is installed
• Most popular port scanners
  – SuperScan (www.foundstone.com)
  – NMAP (www.insecure.org/nmap)
33
Banner Grabbing
• Connect with Netcat or Telnet to a service
• You will often get detailed information
34
Vulnerability Scanner
• Automated scanners that check for known vulnerabilities
  – They often give you more information for vulnerability investigation
• There are vulnerability and exploit databases on the internet
  – SecurityFocus (www.securityfocus.com)
  – Packet Storm (www.packetstormsecurity.com)
35
Vulnerability Scanner
• System / Host Scanner
  – Nessus (www.nessus.org)
  – Retina (www.eeye.com)
  – ISS Security Scanner (www.iss.net)
  – Microsoft MBSA (www.microsoft.com)
• Database Scanner
  – MetaCoreTex (www.metacoretex.com)
  – AppSecInc AppDetective (www.appsecinc.com)
  – ISS Database Scanner (www.iss.net)
• Web Server Scanner
  – Nikto (www.cirt.net)
36
Vulnerability Investigation
• www.securityfocus.com/bid
37
Vulnerability Investigation
• www.packetstormsecurity.org
38
Pen-Testing Web Applications
• Visualize the HTTP Traffic
  – Sniffer (e.g. Ethereal)
  – Web Proxies
    • Achilles (http://packetstormsecurity.nl/web/achilles-0-27.zip)
    • Fiddler (www.fiddlertool.com)
    • WebProxy (www.atstake.com)
  – Hand-craft HTTP Requests
    • Wfetch & Tinyget (IIS6 Resource Kit)
Structural Analysis

  Page   Path               Auth?  SSL?  GET/POST  Comment
         /Index.aspx        N      N
         /about/about.aspx  N      N               Email Addresses
         /login/login.aspx  N      Y     POST      Login Page
39
Structural Analysis
• ...or graphical
40
Pen-Testing Web Applications
• Try some URLs
  – Common Directories
    • /html, /images, /jsp, /cgi
  – "Hidden" Directories
    • /admin, /secure, /adm, /management
  – Backup and Log Files
    • /.bak, /backup, /back, /log, /logs, /archive, /old
  – Include Files
    • /include, /inc, /js, /global, /local
  – Localized Versions
    • /de, /en, /1033
  – trace.axd
• Look at the HTTP Status Codes
  – Everything besides 404 is interesting
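The same "everything besides 404 is interesting" rule works in reverse for the defender: a client that walks through the directory names listed above and collects mostly 404s is doing exactly this sweep, and the few non-404 answers it gets are the ones an administrator should look at. The following is an added example, not part of the original slides: a small Python detector that runs over constructed access-log lines (common log format, sample data invented here), flags clients whose requests match the directory list with a high 404 ratio, and reports their non-404 hits separately. The thresholds `min_probes` and `not_found_ratio` are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.7 - - [12/Mar/2004:10:01:02 +0100] "GET /index.aspx HTTP/1.1" 200 5120
10.0.0.7 - - [12/Mar/2004:10:01:05 +0100] "GET /images/logo.gif HTTP/1.1" 200 812
10.0.0.9 - - [12/Mar/2004:10:02:00 +0100] "GET /admin HTTP/1.1" 404 210
10.0.0.9 - - [12/Mar/2004:10:02:01 +0100] "GET /secure HTTP/1.1" 404 210
10.0.0.9 - - [12/Mar/2004:10:02:01 +0100] "GET /backup HTTP/1.1" 403 198
10.0.0.9 - - [12/Mar/2004:10:02:02 +0100] "GET /logs HTTP/1.1" 404 210
10.0.0.9 - - [12/Mar/2004:10:02:02 +0100] "GET /include HTTP/1.1" 301 0
10.0.0.9 - - [12/Mar/2004:10:02:03 +0100] "GET /trace.axd HTTP/1.1" 404 210
10.0.0.9 - - [12/Mar/2004:10:02:03 +0100] "GET /old HTTP/1.1" 404 210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Directory / file names from the slide; the first path segment is compared against this set.
PROBE_DIRS = {
    "html", "images", "jsp", "cgi", "admin", "secure", "adm", "management",
    ".bak", "backup", "back", "log", "logs", "archive", "old",
    "include", "inc", "js", "global", "local", "de", "en", "1033", "trace.axd",
}


def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def first_segment(path):
    """Lower-cased first path segment, query string stripped ('/Admin/x?y=1' -> 'admin')."""
    return path.split("?", 1)[0].strip("/").split("/", 1)[0].lower()


def find_probing_clients(log_text, min_probes=5, not_found_ratio=0.5):
    """Return {ip: summary} for clients whose traffic looks like a directory sweep.

    A client qualifies when it made at least `min_probes` requests whose first
    segment is on the probe list and at least `not_found_ratio` of those got 404.
    Requests for probe paths that did NOT return 404 are kept in `hits`: those
    are the responses the slide calls interesting, so they deserve a review.
    A normal visitor fetching /images/logo.gif matches the list too, which is
    why the count threshold matters.
    """
    per_ip = defaultdict(lambda: {"probes": 0, "not_found": 0, "hits": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or first_segment(rec["path"]) not in PROBE_DIRS:
            continue
        summary = per_ip[rec["ip"]]
        summary["probes"] += 1
        if rec["status"] == 404:
            summary["not_found"] += 1
        else:
            summary["hits"].append((rec["path"], rec["status"]))
    return {
        ip: s for ip, s in per_ip.items()
        if s["probes"] >= min_probes and s["not_found"] / s["probes"] >= not_found_ratio
    }


if __name__ == "__main__":
    for ip, s in find_probing_clients(SAMPLE_LOG).items():
        print(ip, "probes:", s["probes"], "404s:", s["not_found"], "non-404 hits:", s["hits"])
```

On the constructed sample only 10.0.0.9 is reported, with two non-404 hits (/backup answered 403, /include answered 301) that an administrator would want to explain.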
41
Pen-Testing Web Applications
• Look for
  – Cascading Style Sheets (.css)
  – XML files / XML Stylesheets (.xml / .xsl)
  – JavaScript files (.js)
  – Include Files (.inc)
  – Text files (.txt)
  – Comments
  – Client-Side Validation
  – Forms
    • Hidden Fields
    • Password Fields
    • MaxLength Attributes
42
Pen-Testing Web Applications
• "Odd" Query Strings
• Cookie values
  www.site.com/show.aspx?content=marketing.xml
  www.site.com/UserArea/default.php?UserID=5
  www.site.com/dbsubmit.php?Title=Mr&Phone=123
  www.site.com/menu.asp?sid=73299
43
Canonicalization Errors
• Popular Examples
  – Apache Web Server
    • /scripts and /SCRIPTS
  – Microsoft IIS 5
    • ../ and .%2e%2f
  – ISS Firewall
    • action=delete and action=%64elete
  – Microsoft IE4
    • Dotless IP Bug
  – ASP.NET Authorization Canonicalization Bug
    • http://localhost/formsec/secure%5csecret.aspx
44
Resource Names
• Example
  http://server/cms/show.aspx?file=content.xml
• Can I use this page to show other files?
• Try some variations
  http://server/cms/show.aspx?file=../web.config
  http://server/cms/show.aspx?file=../web.config.
  http://server/cms/show.aspx?file=../web.config::$DATA
  http://server/cms/show.aspx?file=..%5cweb.config
  http://server/cms/show.aspx?file=..%255cweb.config
  http://server/cms/show.aspx?file=..%%35%63web.config
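The variations above all exploit the gap between what the code compares and what the file system eventually opens: double percent-encoding, backslash as separator, a trailing dot that Windows silently strips, and the `::$DATA` alternate-stream suffix. The check that closes that gap decodes first, normalizes second, and only then compares. The following is an added example (not code from the slides or from ERNW): a Python validator for a `file=` parameter like the one in the `show.aspx` URL. `CONTENT_ROOT` and the `.xml`-only allow-list are assumptions; the canonicalization steps map one-to-one onto the variations listed on the slide.

```python
import posixpath
from urllib.parse import unquote

CONTENT_ROOT = "/var/www/cms/content"   # assumed location of the content files
ALLOWED_EXT = {".xml"}                   # assumed: show.aspx only ever serves XML content


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so %255c and %%35%63 both
    collapse to a real backslash before any check runs. Values that still change
    after max_rounds are rejected rather than guessed at."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def resolve_requested_file(raw):
    """Return the absolute path of the requested file inside CONTENT_ROOT,
    or raise ValueError describing why the request was refused."""
    name = fully_decode(raw)
    if "\x00" in name:
        raise ValueError("NUL byte")
    # IIS/Windows treat backslash as a separator; canonicalize it before comparing.
    name = name.replace("\\", "/")
    # Rejects NTFS stream syntax (web.config::$DATA) and drive letters alike.
    if ":" in name:
        raise ValueError("stream or drive syntax (e.g. ::$DATA)")
    # Windows strips trailing dots and spaces from the final component
    # ("web.config." opens web.config), so refuse them outright.
    leaf = name.rsplit("/", 1)[-1]
    if leaf != leaf.rstrip(". "):
        raise ValueError("trailing dot or space")
    if name.startswith("/"):
        raise ValueError("absolute path")
    # Collapse ./ and ../ so the comparison sees the path the OS would open.
    norm = posixpath.normpath(name)
    if norm == "." or norm.split("/")[0] == "..":
        raise ValueError("escapes content root")
    if posixpath.splitext(norm)[1].lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    return posixpath.join(CONTENT_ROOT, norm)


def classify(raw):
    """('allow', path) or ('deny', reason) for one raw file= parameter value."""
    try:
        return ("allow", resolve_requested_file(raw))
    except ValueError as exc:
        return ("deny", str(exc))


if __name__ == "__main__":
    # The values from the slide, exactly as they would arrive in the query string.
    for v in ["content.xml", "../web.config", "../web.config.", "../web.config::$DATA",
              "..%5cweb.config", "..%255cweb.config", "..%%35%63web.config"]:
        print(f"{v:28} -> {classify(v)}")
```

The order of the steps is the point: decoding after the `..` comparison, or comparing before backslashes are turned into slashes, would let one of the listed variations through. The allow-list on the extension is defence in depth on top of the root check, not a replacement for it.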
45
Testing for SQL Injection
• Try whether you can inject SQL code through forms
• If the programmer simply concatenates user input with SQL statements, a database compromise is most likely possible
• Try to generate errors
  – Insert a ' character
  – Does the application behave differently?
  – Is maybe even a database error returned?
• You can execute nasty statements through SQL Injection
  – Union
  – Drop...
  – XP_CMDSHELL
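The single quote test on the slide works because a concatenated statement hands the quote to the SQL parser, while a parameterized statement hands it to the driver as data. The following is an added example, not from the slides: the two lookups side by side on an in-memory SQLite table (constructed data), plus a `probe` helper that reports what the tester would observe, a database error or a normal answer. Only the `'` probe from the slide is exercised.

```python
import sqlite3


def make_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_concat(conn, name):
    """Vulnerable form: the user's input becomes part of the statement text,
    so a quote in the input changes the statement the parser sees."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn, name):
    """Fixed form: the statement text is constant and the input is bound as a
    value; a quote in it is just a character to compare against."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def probe(func, conn, name):
    """What a tester sees for a given input: ('ok', rows) or ('db-error', type)."""
    try:
        return ("ok", func(conn, name))
    except sqlite3.Error as exc:
        return ("db-error", type(exc).__name__)


if __name__ == "__main__":
    conn = make_db()
    for value in ["bob", "bob'"]:
        print(repr(value), "concat:", probe(find_user_concat, conn, value),
              "param:", probe(find_user_param, conn, value))
```

The concatenated version answers `bob'` with an `OperationalError`, which is exactly the "database error returned" signal the slide tells you to look for; the parameterized version answers it with an empty result, because no user is literally named `bob'`. Suppressing the error message hides the symptom but not the bug; binding the parameter removes both.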
46
Testing for Cross Site Scripting
• Cross Site Scripting lets an attacker inject script code into web pages
• This happens when the application directly outputs client input without proper HTML encoding
• Can be hard to find - look in
  – Query Strings
  – Form Fields
  – HTTP Headers
• Enables Cookie Stealing / Harvesting Attacks
• Many developers rely on ASPX's ValidateRequest
  – Try <%00...> encoding
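The slide's last point is the important one for developers: a request filter such as ValidateRequest looks for patterns in the input and can be sidestepped by an encoding it does not recognize, whereas encoding at output time neutralizes whatever reached the page. The following is an added example, not code from the slides: a reflected search page in its vulnerable and its encoded form, with a helper that checks whether the user's value arrived in the page verbatim. The NUL-byte case mirrors the `<%00...>` hint on the slide; the encoder does not need to recognize it, because `<` is escaped regardless of what follows it.

```python
import html


def render_search_vulnerable(query):
    """Reflects the query string straight into the document (the bug on the slide)."""
    return "<p>Results for: " + query + "</p>"


def render_search_fixed(query):
    """Same page with HTML output encoding; quote=True also covers attribute context."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def reflected_verbatim(render, value):
    """True if the rendered page still contains the raw value, i.e. the characters
    the client sent reached the browser unchanged and would be parsed as markup."""
    return value in render(value)


# Constructed probe values: a plain tag and the NUL-byte variant the slide alludes to.
PROBES = ["<script>alert(1)</script>", "<\x00script>alert(1)</script>"]


def audit(render):
    """Map each probe to whether the given renderer reflects it verbatim."""
    return {p: reflected_verbatim(render, p) for p in PROBES}


if __name__ == "__main__":
    print("vulnerable:", audit(render_search_vulnerable))
    print("fixed:     ", audit(render_search_fixed))
    print(render_search_fixed('a"b'))
```

The check is deliberately crude (substring match) because that is what a manual tester does with a proxy: send a marker, look for it unchanged in the response. Input validation stays useful for catching obvious probes early, but the property a reviewer wants to see is that every reflection point passes through an encoder for its context.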
47
Tools
• Automatic Mirroring of Web Sites
  – wget (www.gnu.org/directory/wget.html)
  – Black Widow (www.softbytelabs.com)
  – Teleport Pro (www.tenmax.com)
• Web Scanner
  – WebInspect (www.spidynamics.com)
  – NStealth (www.nstalker.com)
• ASP.NET Specific Scanners
  – ASP.NET Security Analyzer (www.owasp.org)
  – ASP.NET Shared Hosting Analyzer (www.owasp.org)
48
Conclusion
• Pen-Testing is no Black Magic
• Very systematic procedure
• If you follow the 7 golden rules, you can eliminate most of the vulnerabilities
• Do regular Pen-Tests or Audits – you can only benefit
  – Internal and third party
49
• Questions?
You can download the slides from www.leastprivilege.com
50
Links
• OSSTM
  – www.isecom.org
• NIST Draft Guidelines to Network Security Testing
  – http://csrc.nist.gov/publications/drafts/security-testing.pdf
• ISC2 Code of Ethics
  – https://www.isc2.org/cgi/content.cgi?category=12
• ISACA Code of Professional Ethics
  – http://www.isaca.org/Template.cfm?Section=Code_of_Ethics1
51
Links
• Wfetch
  – http://download.microsoft.com/download/d/e/5/de5351d6-4463-4cc3-a27c-3e2274263c43/wfetch.exe
• NetCat
  – http://www.atstake.com/research/tools/network_utilities/nc11nt.zip