Japan Electrical Manufacturers' Association (JEMA) 19th Study Group in Tokyo, powered by Metasploit and Nexpose
Penetration Test
Hands-on Demonstration
Shigekazu Tanimoto
18 December 2013
Japan Electrical Manufacturers' Association (JEMA) 19th Study Group in Tokyo

Who am I?
- Senior Corporate Security Analyst
- Senior Information Security Engineer
- Security Analyst / Subject Matter Expert
- Risk Consultant / Information Management

Who should attend?
- CIO / CISO
- Information Security Manager
- Leaders of incident handling teams
- Incident handlers
- Penetration testers
- Website designers and architects
- Security Auditors who need to build deeper technical skills
- Information Security Consultants
Information Security Intelligence: Conceptualizing Security Governance

[Diagram: three layers, L1 Operation, L2 Management, L3 Information Integration. Elements shown: Pen Test, Audit, Monitoring, Correlation Analysis, Audit Risk Evaluation, SIEM, SAT, CVSS, Asset Management, Code Analysis, Reverse Engineering, Vulnerability Analysis, IDS/IPS, Network, Chain of Custody, Record Documentation, Information Asset, Logs Information, Resource Management, Application, Source Code.]

SAT: Security Configuration and Acceptance Testing; CVSS: Common Vulnerability Scoring System; SIEM: Security Information and Event Management

Copyright (C) 2013 Shigekazu Tanimoto All Rights Reserved.
Introduction
1. What is the Test?
2. Exploits for Windows
3. What was the result of the test
4. Security Audit Report
5. PCI Compliance Report
6. Special Thanks
7. Virtual Environment for Test
Appendix

1. What is the Test?
- Pen Test demonstration
- Network Security Assessment
- Network diagram
- Target Device List
- Target OS
- Exploits for Windows XP
- Vulnerability Reporting
- Compliance Reporting

Assessment depth: Internal network (Intranet), DMZ, Internet
1.1 Network Security Assessment
① Penetration Testing: wide-scope, "no holds barred" approach involving multiple attack vectors (not just Internet-based)
② Network Security Assessment: automated network scanning and report generation, useful to test networks against opportunistic attack
③ Vulnerability Scanning: automated network scanning and report generation, useful to test networks against opportunistic attack
(Ordered by cost and time.)
1.2 Preparing for test
- MS Windows (XP, 2k3, 2k8 R2, 7 Pro, Enterprise)
- Ubuntu Linux
- Hardware: Core i7-3770S 3.10GHz, RAM 24GB, HDD 1TB (recommended); Celeron 2GB, RAM 16GB, HDD 1TB
- VMware
- Wireshark
- Metasploit, Nexpose
1.3 SAT: Security Configuration and Acceptance Testing
Process:
① System delivered to data center
② Vendor performs hardening according to Customer Security Standards and captures the evidence (1st SAT); the CAM (Compliance Assurance Manager) is responsible for the process
③ All testing done and potential issues resolved?
④ Vendor submits evidence of hardening and the completed, signed SAT form to the Project Manager
⑤ Project Manager coordinates this process and submits evidence to the CAM
⑥ CAM reviews and confirms the 1st SAT is complete
⑦ Project Manager coordinates with the application owner to install the application
⑧ Application installation complete
⑨ SOC and Security Engineer perform the 2nd SAT
⑩ Evidence sufficient?
⑪ Notify Project Manager to follow up
⑫ Deviation from security standards
⑬ CAM appends the SAT form with an exemption form
⑭ Review SAT form and obtain senior management approval for production rollout
1.4 Network diagram
[Diagram: VPN PPTP Router (Firewall), Linux 2.6, IN: 10.0.0.1, OUT: 118.x.x.x (DDNS), connected to the Internet. The internal range 10.0.0.10-30/24 is the range for penetration tests. Legend (colour-coded in the original): range for penetration tests; Pen Tester; Monitor; Target OS.]
Nodes shown:
- Ubuntu 12.04 LTS, 10.0.0.7
- Windows 7 Enterprise + Wireshark, 10.0.0.5
- Windows XP SP1, 10.0.0.21
- W2k3 SP1, 10.0.0.23
- W2k8 R2, 10.0.0.24
- Debian Linux, 10.0.0.25
- CentOS 6.3, 10.0.0.26

1.5 Target Device List
Device                    IP address   OS
VPN Router (PPTP Server)  10.0.0.1     Linux 2.6.8
Penetration Tester        10.0.0.7     Ubuntu Linux 12.04
Client                    10.0.0.21    Windows XP
Web Server                10.0.0.23    Windows 2003 SP1
Data Server               10.0.0.24    Windows 2008 R2
File Share Server         10.0.0.25    Debian Linux
Server                    10.0.0.26    CentOS 6.0

1.6 Target Device and OS
10.0.0.1: VPN Router
10.0.0.3-10.0.0.30/24: Server, Client, Share Server
2. Exploits for Windows XP
Host OS: Windows 7 Pro
Guest OS: Windows XP SP1

3. What was the result of the test - Exploits for 10.0.0.21
Target OS: Windows XP SP1
Threat potential: Data leakage, Privilege escalation
CVSS Score: 10.0
Evidence (capture data): Yes, exploit-20131130.pcapng
Ref: http://www.rapid7.com/db/vulnerabilities/dcerpc-ms-netapi-netpathcanonicalize-dos
Host: Windows XP SP1
Service: 445/TCP
Vulnerabilities: MS Server Service Relative Path Stack Corruption; Microsoft Server Service NetpwPathCanonicalize Overflow
Reference information: CVE-2008-4250, OSVDB-49243, MS08-067, JVNDB-2008-001894
Severity: 10.0 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Infection potential:
- Affected products: Avaya Messaging Application Server; MS Windows 2000 Server SP4, 2003 SP1, SP2, 2008, Vista, XP; Nortel Networks Contact
- Related malware: Trojan.Gimmiv.A, Risk Level 1: Very Low, http://www.symantec.com/security_response/writeup.jsp?docid=2008-102320-3122-99; W32.Wecorl, Risk Level 1: Very Low, http://www.symantec.com/security_response/writeup.jsp?docid=2008-110306-2212-99
Description: Microsoft Server Service NetpwPathCanonicalize() Remote Code Execution Vulnerability. Published: August 08, 2006 | Added: August 21, 2006 | Modified: July 13, 2012
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
4. Security Audit Report 4.1 – Executive Summary
Attachment: Audit Report (Highest Risk Vulnerabilities).pdf
Vulnerabilities by severity: 375 total; Critical (107), Severe (253), Moderate (15)
Scope of assets: VPN Router (PPTP Server), File Share Server, OS(s) on the VM (Web Server, Data Server, Client)

4. Security Audit Report 4.2 – Discovered Vulnerabilities
Dashboard: https://localhost:3870/home.html
4. Security Audit Report 4.3 – Asset Listing
OS                                  IP          Vulnerabilities  Malware Kit  Exploit known to exist
Debian Linux (File Share Server)    10.0.0.25   302              0            63
Windows Server 2003 SP1             10.0.0.23    55              0            25
Windows XP SP1                      10.0.0.21    13              0            41
Linux 2.6.8 (VPN Router)            10.0.0.1      3              0             0
Windows Server 2008 R2, Datacenter  10.0.0.24     2              0             0
Attachment: RiskSheet20131208.xlsx
4. Security Audit Report 4.4 – Top 10 Assets by Vulnerability Risk
Attachment: Top 10 Assets by Vulnerability Risk.pdf
(1) File Share Server
(2) Win2003
(3) WinXP
(4) VPN Router (PPTP Server)
(5) Win2008R2
4. Security Audit Report 4.5 – Discovered Systems Risk
OS                                   IP          Risk index  Critical  Severe  Moderate
Debian Linux (File Share Server)     10.0.0.25   128,608     85        208     9
Windows XP SP1 (Client)              10.0.0.21    10,359     11          2     0
Server 2003 SP1 (Web Server)         10.0.0.23    25,062     11         38     6
Linux 2.6.8-2.6.12 (VPN Router)      10.0.0.1      1,535      0          3     0
Server 2008 R2, Datacenter Edition   10.0.0.24     1,499      0          2     0
Attachment: RiskSheet.xlsx

4. Security Audit Report 4.6 – Top 10 Assets by Vulnerabilities
Attachment: Top 10 Assets by Vulnerabilities.pdf
5. PCI Compliance Report 5.1 – Asset and Vulnerabilities Compliance
This report is approved for use in PCI audits, according to the PCI Data Security Standard (DSS) version 1.2. A PCI network audit produces one of two possible results:
・ PASSED indicates that the network is compliant with the PCI DSS.
・ FAILED indicates that the network is not compliant with the PCI DSS.

OS                                   IP          PCI Compliance Status
Debian Linux (File Share Server)     10.0.0.25   FAILED
Windows XP SP1 (Client)              10.0.0.21   FAILED
Windows Server 2003 SP1 (Web Server) 10.0.0.23   FAILED
Linux 2.6.8-2.6.12 (VPN Router)      10.0.0.1    FAILED
Server 2008 R2, Datacenter Edition   10.0.0.24   FAILED
Attachments: PCI Vulnerability Details.pdf, PCI Executive Summary.pdf
PCI Compliance Report 5.2 – Remediation Plan
Top 25 Remediations by Risk with Details

PCI Compliance Report 5.3 – Remediation Plan

Debian Linux (File Share Server), 10.0.0.25, estimated time 2 hours
- Upgrade to the latest version of PHP (304 issues)
- Upgrade to the latest version of OpenSSL
- Upgrade to the latest version of Apache HTTPD

Windows XP SP1 (Client) 10.0.0.21 and Windows Server 2003 SP1 (Web Server) 10.0.0.23, estimated time 30 minutes
- MS11-020: Download and install Microsoft patch windowsserver2003.windowsxp-kb2508429-x64-enu.exe (1044864 bytes)
- MS11-020: Download and install Microsoft patch windowsserver2003-kb2508429-x86-enu.exe (693120 bytes)
- MS11-020: Download and install Microsoft patch windowsserver2003-kb2508429-ia64-enu.exe (1594752 bytes)

Linux 2.6.8-2.6.12 (VPN Router), 10.0.0.1
- For HTTP: use Basic Authentication over TLS/SSL (HTTPS), use Digest Authentication (estimated time 1440 hours)
- For DNS: restrict processing of recursive queries (estimated time 30 minutes)
- For DNS-TCP: restrict query access on caching name servers (estimated time 30 minutes)

Server 2008 R2, Datacenter Edition, 10.0.0.24, estimated time 15 minutes
- Configure SMB signing for Windows

Attachment: PCI-Audit Report.pdf
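As an added example (not part of the original slides or of the Nexpose report), a PowerShell script that verifies the two Windows items of this remediation plan on the host it runs on: the MS11-020 hotfix (KB2508429, taken from the patch file names above) and server-side SMB signing via the LanmanServer registry values. It assumes PowerShell 2.0 or later and local administrator rights; the -Apply switch belongs to this script only.

```powershell
# Added verification script (not from the original slides). Checks, on the local
# host, the two Windows items from the remediation plan above:
#   1. MS11-020 is installed (KB2508429, from the patch file names in the plan)
#   2. SMB signing is enabled and required on the Server service (LanmanServer)
# Assumes PowerShell 2.0 or later and local administrator rights. The registry
# values are the standard Windows SMB signing settings; -Apply is this script's switch.
param([switch]$Apply)

$ServerParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms11020Installed {
    # Get-HotFix writes a non-terminating error when the KB is absent; suppress it
    $fix = Get-HotFix -Id 'KB2508429' -ErrorAction SilentlyContinue
    return ($null -ne $fix)
}

function Get-SmbServerSigning {
    $p = Get-ItemProperty -Path $ServerParams
    # An absent value means the Windows default applies (signing not required on a
    # member server), so [int]$null (= 0) correctly reads as "off".
    New-Object PSObject -Property @{
        Enabled  = ([int]$p.EnableSecuritySignature  -eq 1)
        Required = ([int]$p.RequireSecuritySignature -eq 1)
    }
}

function Set-SmbServerSigningRequired {
    # Remediation step from the plan. Requiring signing rejects clients that cannot
    # sign (old SMB1 stacks), so check the client inventory before applying in production.
    Set-ItemProperty -Path $ServerParams -Name EnableSecuritySignature  -Value 1 -Type DWord
    Set-ItemProperty -Path $ServerParams -Name RequireSecuritySignature -Value 1 -Type DWord
    # The Server service must restart for the new values to take effect
    Restart-Service -Name LanmanServer -Force
}

$signing = Get-SmbServerSigning
$report = @(
    New-Object PSObject -Property @{ Check = 'MS11-020 (KB2508429) installed'; Pass = (Test-Ms11020Installed) }
    New-Object PSObject -Property @{ Check = 'SMB signing enabled (server)';   Pass = $signing.Enabled }
    New-Object PSObject -Property @{ Check = 'SMB signing required (server)';  Pass = $signing.Required }
)
$report | Format-Table Check, Pass -AutoSize

if ($Apply -and -not $signing.Required) {
    Set-SmbServerSigningRequired
    Write-Output 'SMB signing is now required; re-run without -Apply to verify.'
}
```

Run it once without -Apply to record the pre-remediation state as evidence, and again after patching or applying the signing change to show the item closed.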
6. Special Thanks
Marketing Channel & Communication, Nihon Cornet Technology K.K.
Presentation on 18 December 2013
JEMA (The Japan Electrical Manufacturers' Association)
http://www.jema-net.or.jp/English/
19th JEMA Study Group in Tokyo

7. Virtual Environment for Test
System Requirements (Minimum): Celeron 2GB, RAM 16GB, HDD 1TB, handmade laptop PC (in my home lab)
Appendix Ⅰ: Metasploit Evidence and Data Capture
exploit-20131130.pcapng

Appendix Ⅱ: Nexpose Audit and Compliance Report
1 Audit Report (Highest Risk Vulnerabilities)
2 Baseline Comparison
3 Executive Overview
4 Highest Risk Vulnerabilities
5 PCI Attestation of Scan Compliance (XML)
6 PCI Audit Report (Legacy 1.0 PCI Report)
7 PCI Executive Overview (Legacy 1.0 PCI Report)
8 PCI Executive Summary (RTF)
9 PCI Host Details
10 PCI Vulnerability Details
11 Policy Evaluation
12 Remediation Plan
13 Report Card
14 SANS Top 20 Report
15 SANS Top 20 Report Copy
16 Top 10 Assets by Vulnerabilities
17 Top 10 Assets by Vulnerability Risk
18 Top Remediations
19 Top Remediations with Details
20 Vulnerability Trends