Penetration Test Hands-on Demonstration (2013)

Shigekazu Tanimoto

18 December 2013

Japan Electrical Manufacturers' Association (JEMA) 19th Study Group in Tokyo

Powered by Metasploit and Nexpose

Page 2: Who I am?

Senior Corporate Security Analyst
Senior Information Security Engineer
Security Analyst / Subject Matter Expert
Risk Consultant / Information Management

Page 3: Who should attend?

CIO / CISO
Information Security Manager
Leaders of incident handling teams
Incident handler
Penetration testers
Website designers and architects
Security Auditors who need to build deeper technical skills
Information Security Consultants

Page 4: Information Security Intelligence: Conceptualizing Security Governance

[Diagram: three layers, L1 Operation, L2 Management and L3 Information Integration, carrying these elements: Pen Test, Audit, Monitoring, Correlation Analysis, Risk Evaluation, SIEM, SAT, CVSS, Asset Management, code analysis, Reverse Engineering, Vulnerability Analysis, IDS/IPS, Network, Chain of Custody, Record Documentation, Information Asset, Logs Information, Resource Management, Application, Source Code]

SAT: Security Configuration and Acceptance Testing
CVSS: Common Vulnerability Scoring System
SIEM: Security Information and Event Management

Copyright (C) 2013 Shigekazu Tanimoto All Rights Reserved.

Page 5: Introduction

1. What is Test?
2. Exploits for Windows
3. What was the result of the test
4. Security Audit Report
5. PCI Compliance Report
6. Special Thanks
7. Virtual Environment for Test
Appendix

Page 6: 1. What is the Test?

Pen Test demonstration
Network Security Assessment
Network diagram
Target Device List
Target OS
Exploits for Windows XP
Vulnerability Reporting
Compliance Reporting

Page 7: 1.1 Network Security Assessment

[Diagram: assessment depth plotted against cost and time, from the Internet through the DMZ to the internal network / intranet]

① Penetration Testing: wide scope, 'no holds barred' approach involving multiple attack vectors (not just internet-based)
② Network Security Assessment: automated network scanning and report generation, useful to test networks from opportunistic attack
③ Vulnerability Scanning: automated network scanning and report generation, useful to test networks from opportunistic attack

Page 8: 1.2 Preparing for test

MS Windows (XP, 2k3, 2k8R2, 7 Pro, Enterprise)
Ubuntu Linux
Core i7-3770S 3.10GHz, RAM 24GB, HDD 1TB (*recommended)
Celeron 2GB, RAM 16GB, HDD 1TB
VMware
Wireshark
Metasploit, Nexpose (Powered by)

Page 9: 1.3 SAT: Security Configuration and Acceptance Testing

Process:

① System delivered to data center
② Vendor performs hardening on Customer Security Standards and captures the evidence (1st SAT); CAM (Compliance Assurance Manager) is responsible for the process
③ All testing and potential issues resolved?
④ Vendor submits evidence of hardening: completed and signed SAT form to Project Manager
⑤ Project Manager coordinates this process and submits evidence to CAM
⑥ CAM reviews and confirms 1st SAT complete
⑦ Project Manager coordinates with application owner to install application
⑧ Application installation complete
⑨ SOC and Security Engineer perform 2nd SAT
⑩ Evidence sufficient?
⑪ Notify Project Manager to follow up
⑫ Deviation from security standards
⑬ CAM appends SAT form with exemption form
⑭ Review SAT form and obtain senior management approval for production rollout

Page 10: 1.4 Network diagram

[Diagram: Internet -> VPN PPTP Router (Firewall), Linux 2.6.9, IN: 10.0.0.1, OUT: 118.x.x.x (DDNS); the internal range 10.0.0.10-30/24 is the range for penetration tests]

Pen Tester: Ubuntu 12.04 LTS, 10.0.0.7
Monitor: Windows 7 Enterprise + Wireshark, 10.0.0.5
Target OS:
  Windows XP SP1, 10.0.0.21
  W2k3 SP1, 10.0.0.23
  W2k8 R2, 10.0.0.24
  Debian Linux, 10.0.0.25
  CentOS 6.3, 10.0.0.26

Page 11: 1.5 Target Device List

Device                    IP address   OS
VPN Router (PPTP Server)  10.0.0.1     Linux 2.6.8
Penetration Tester        10.0.0.7     Ubuntu Linux 12.04
Client                    10.0.0.21    Windows XP
Web Server                10.0.0.23    Windows 2003 SP1
Data Server               10.0.0.24    Windows 2008 R2
File Share Server         10.0.0.25    Debian Linux
Server                    10.0.0.26    CentOS 6.0

Page 12: 1.6 Target Device and OS

10.0.0.1: VPN Router
10.0.0.3-10.0.0.30/24: Server, Client, Share Server

Page 13: 2. Exploits for Windows XP – Host OS

Host OS: Windows 7 Pro

Page 14: 2. Exploits for Windows XP – Host OS

Guest OS: Windows XP SP1

Page 16: Host Service Vulnerabilities

Host: Windows XP SP1
Service: 445/TCP
Vulnerability: MS Server Service Relative Path Stack Corruption (Microsoft Server Service NetpwPathCanonicalize Overflow)
Reference Information: CVE-2008-4250, OSVDB-49243, MS08-067, JVNDB-2008-001894
Severity: 10.0 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Affected: Avaya Messaging Application Server; MS Windows 2000 Server SP4, 2003 SP1, SP2, 2008, Vista, XP; Nortel Networks Contact
Infection potential: Trojan.Gimmiv.A, Risk Level 1: Very Low, http://www.symantec.com/security_response/writeup.jsp?docid=2008-102320-3122-99; W32.Wecorl, Risk Level 1: Very Low, http://www.symantec.com/security_response/writeup.jsp?docid=2008-110306-2212-99

Microsoft Server Service / CanonicalizePathName() Remote Code Execution Vulnerability. Published: August 08, 2006 | Added: August 21, 2006 | Modified: July 13, 2012

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250

Page 17: 4. Security Audit Report 4.1 – Executive Summary

Audit Report (Highest Risk Vulnerabilities).pdf

Page 18: 4. Security Audit Report 4.2 – Discovered Vulnerabilities

Vulnerability by Severity: 375 vulnerabilities in total; Critical (107), Severe (253), Moderate (15)

Scope of Assets: VPN Router (PPTP Server), File Share Server, OS(s) on the VM (Web, Data Server, Client)

Dashboard: https://localhost:3870/home.html

Page 19: 4. Security Audit Report 4.3 – Asset Listing

OS                                  IP          Vulnerabilities  Malware Kit  Exploit known to exist
Debian Linux (File Share Server)    10.0.0.25   302              0            63
Windows Server 2003 SP1             10.0.0.23   55               0            25
Windows XP SP1                      10.0.0.21   13               0            41
Linux 2.6.8 (VPN Router)            10.0.0.1    3                0            0
Windows Server 2008 R2, Datacenter  10.0.0.24   2                0            0

RiskSheet20131208.xlsx

Page 20: 4. Security Audit Report 4.4 – Top 10 Assets by Vulnerability Risk

Top 10 Assets by Vulnerability Risk.pdf

[Chart ranking:]
(1) File Share Server
(2) Win2003
(3) WinXP
(4) VPN Router (PPTP Server)
(5) Win2008R2

Page 21: 4. Security Audit Report 4.5 – Discovered Systems Risk

OS                                  IP          Risk index  Critical  Severe  Moderate
Debian Linux (File Share Server)    10.0.0.25   128,608     85        208     9
Windows XP SP1 (Client)             10.0.0.21   10,359      11        2       0
Server 2003 SP1 (Web Server)        10.0.0.23   25,062      11        38      6
Linux 2.6.8-2.6.12 (VPN Router)     10.0.0.1    1,535       0         3       0
Server 2008 R2, Datacenter Edition  10.0.0.24   1,499       0         2       0

RiskSheet.xlsx

Page 22: 4. Security Audit Report 4.6 – Top 10 Assets by Vulnerabilities

Top 10 Assets by Vulnerabilities.pdf

Page 23: 5. PCI Compliance Report 5.1 – Asset and Vulnerabilities Compliance

This report is approved for use in PCI audits, according to the PCI Data Security Standard (DSS) version 1.2. A PCI network audit produces one of two possible results:
・ PASSED indicates that the network is compliant with the PCI DSS.
・ FAILED indicates that the network is not compliant with the PCI DSS.

OS                                  IP          PCI Compliance Status
Debian Linux (File Share Server)    10.0.0.25   FAILED
Windows XP SP1 (Client)             10.0.0.21   FAILED
Windows Server 2003 SP1 (Web Server) 10.0.0.23  FAILED
Linux 2.6.8-2.6.12 (VPN Router)     10.0.0.1    FAILED
Server 2008 R2, Datacenter Edition  10.0.0.24   FAILED

PCI Vulnerability Details.pdf, PCI Executive Summary.pdf
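As an added example (not from the slides and not Nexpose code), the following Python reproduces the CVSS v2 base equation for the vector string printed on the Host Service Vulnerabilities slide for CVE-2008-4250 (AV:N/AC:L/Au:N/C:C/I:C/A:C, which comes out at 10.0 as the slide states) and then rolls per-asset findings up into the PASSED/FAILED verdict used in the PCI table above. Two things are assumptions of mine rather than statements on the slides: the Critical/Severe/Moderate band boundaries (8.0 and 4.0), and the PCI ASV rule that any finding with a base score of 4.0 or higher fails the asset. Every finding other than the CVE-2008-4250 vector is constructed sample data, not output of the scan.

```python
"""
CVSS v2 base-score calculation and a PCI-style PASS/FAIL roll-up per asset.

Added example, not part of the original slides. The metric weights and the
base equation are those published in the CVSS v2 specification; the severity
band boundaries and the PCI threshold are assumptions (see lead-in).
"""
from dataclasses import dataclass
from typing import Dict, List

# Metric weights from the CVSS v2 specification.
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}


def parse_cvss2_vector(vector: str) -> Dict[str, str]:
    """Turn '(AV:N/AC:L/Au:N/C:C/I:C/A:C)' into {'AV': 'N', ...}, validating each metric."""
    metrics: Dict[str, str] = {}
    for part in vector.strip("()").split("/"):
        name, _, value = part.partition(":")
        metrics[name] = value
    expected = {"AV": _AV, "AC": _AC, "Au": _AU, "C": _CIA, "I": _CIA, "A": _CIA}
    for name, table in expected.items():
        if metrics.get(name) not in table:
            raise ValueError(f"bad or missing metric {name!r} in {vector!r}")
    return metrics


def cvss2_base_score(vector: str) -> float:
    """CVSS v2 base score, rounded to one decimal as the specification requires."""
    m = parse_cvss2_vector(vector)
    impact = 10.41 * (1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]]))
    exploitability = 20 * _AV[m["AV"]] * _AC[m["AC"]] * _AU[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176  # zero impact forces a zero score
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact, 1)


def severity_band(score: float) -> str:
    """Assumed mapping to the report's bands: Critical >= 8.0, Severe >= 4.0, else Moderate."""
    if score >= 8.0:
        return "Critical"
    if score >= 4.0:
        return "Severe"
    return "Moderate"


# Assumed ASV rule: any finding with a base score >= 4.0 fails the asset.
PCI_FAIL_THRESHOLD = 4.0


@dataclass
class Finding:
    title: str
    vector: str


def pci_status(findings: List[Finding]) -> str:
    """PASSED only when no finding reaches the PCI threshold."""
    worst = max((cvss2_base_score(f.vector) for f in findings), default=0.0)
    return "FAILED" if worst >= PCI_FAIL_THRESHOLD else "PASSED"


def compliance_report(assets: Dict[str, List[Finding]]) -> Dict[str, dict]:
    """Per-asset summary: worst score, count per severity band, and PCI status."""
    report: Dict[str, dict] = {}
    for asset, findings in assets.items():
        scores = [cvss2_base_score(f.vector) for f in findings]
        counts = {"Critical": 0, "Severe": 0, "Moderate": 0}
        for s in scores:
            counts[severity_band(s)] += 1
        report[asset] = {
            "worst": max(scores, default=0.0),
            "counts": counts,
            "pci": pci_status(findings),
        }
    return report


# Constructed sample data. The first vector is the one printed on the slide for
# CVE-2008-4250; the other findings are illustrative and not from the scan.
SAMPLE_ASSETS: Dict[str, List[Finding]] = {
    "10.0.0.21 Windows XP SP1 (Client)": [
        Finding("MS08-067 CVE-2008-4250", "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
    ],
    "10.0.0.24 Windows Server 2008 R2 (Data Server)": [
        Finding("SMB signing not required (constructed)", "AV:N/AC:L/Au:N/C:N/I:P/A:N"),
    ],
    "hypothetical patched host": [
        Finding("low-impact information leak (constructed)", "AV:N/AC:H/Au:N/C:P/I:N/A:N"),
    ],
}

if __name__ == "__main__":
    for asset, row in compliance_report(SAMPLE_ASSETS).items():
        print(f"{asset}: worst {row['worst']:.1f} {row['counts']} -> {row['pci']}")
```

Running the block prints one line per asset; the XP client and the 2008 R2 data server both come out FAILED, which matches the table above, while the hypothetical host whose only finding scores 2.6 comes out PASSED. Because the threshold sits at the Severe/Moderate boundary, a single Severe finding is enough to fail an asset, which is why the remediation plan on the following slides is the shortest path back to a PASSED result.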

Page 24: 5.2 PCI Compliance Report – Remediation Plan

Top 25 Remediations by Risk with Details

Page 25: 5.3 PCI Compliance Report – Remediation Plan

OS / IP / Estimated time / Remediation Plan

Debian Linux (File Share Server), 10.0.0.25, 2 hours:
  Upgrade to the latest version of PHP (304 issues)
  Upgrade to the latest version of OpenSSL
  Upgrade to the latest version of Apache HTTPD

Windows XP SP1 (Client) 10.0.0.21 and Windows Server 2003 SP1 (Web Server) 10.0.0.23, 30 minutes:
  MS11-020: Download and install Microsoft patch windowsserver2003.windowsxp-kb2508429-x64-enu.exe (1044864 bytes)
  MS11-020: Download and install Microsoft patch windowsserver2003-kb2508429-x86-enu.exe (693120 bytes)
  MS11-020: Download and install Microsoft patch windowsserver2003-kb2508429-ia64-enu.exe (1594752 bytes)

Linux 2.6.8-2.6.12 (VPN Router), 10.0.0.1:
  1440 hours: For HTTP, use Basic Authentication over TLS/SSL (HTTPS); use Digest Authentication
  30 minutes: For DNS, restrict processing of recursive queries
  30 minutes: For DNS-TCP, restrict query access on caching name servers

Server 2008 R2, Datacenter Edition, 10.0.0.24, 15 minutes:
  Configure SMB signing for Windows

PCI-Audit Report.pdf

Page 26: 6. Special Thanks

Marketing Channel & Communication: Nihon Cornet Technology K.K

Presentation on 18 December 2013
JEMA (The Japan Electrical Manufacturers' Association)
http://www.jema-net.or.jp/English/
19th JEMA Study Group in Tokyo

Page 27: 7. Virtual Environment for Test

System Requirements (Minimum): Celeron 2GB, RAM 16GB, HDD 1TB, handmade laptop PC (at my home lab)

Page 28: Appendix Ⅰ: Metasploit Evidence and Data capture

exploit-20131130.pcapng

Page 29: Appendix Ⅱ: Nexpose Audit and Compliance Report

1 Audit Report (Highest Risk Vulnerabilities)
2 Baseline Comparison
3 Executive Overview
4 Highest Risk Vulnerabilities
5 PCI Attestation of Scan Compliance (XML)
6 PCI Audit Report (Legacy 1.0 PCI Report)
7 PCI Executive Overview (Legacy 1.0 PCI Report)
8 PCI Executive Summary (RTF)
9 PCI Host Details
10 PCI Vulnerability Details
11 Policy Evaluation
12 Remediation Plan
13 Report Card
14 SANS Top 20 Report
15 SANS Top 20 Report Copy
16 Top 10 Assets by Vulnerabilities
17 Top 10 Assets by Vulnerability Risk
18 Top Remediations
19 Top Remediations with Details
20 Vulnerability Trends