Technical workshop about Penetration Testing for BPPT
AHMAD MUAMMAR (C) 2011 | @Y3DIPS
SECURITY PENETRATION TESTING
TECHNICAL INFORMATION SECURITY TRAINING
AGENDA
SECURITY ASSESSMENT
VULNERABILITY ASSESSMENT
SECURITY AUDIT
PENETRATION TESTING
VA VS. PENTEST
PENTEST VS. SYSTEM AUDIT
AGENDA
PENETRATION TESTING
TYPE
SCOPE (AREA)
LIMITATIONS
PENETRATION TESTING
METHODOLOGIES
WELL KNOWN STANDARD
SECURITY ASSESSMENT
IS A WAY TO VALIDATE/CHECK THE LEVEL OF SECURITY ON EVERY ASPECT OF IT INFRASTRUCTURE.
ALSO TO ENSURE THAT NECESSARY SECURITY CONTROLS ARE INTEGRATED INTO THE DESIGN AND IMPLEMENTATION.
TO PREPARE FOR BETTER ENHANCEMENT
SECURITY ASSESSMENT
VULNERABILITY ASSESSMENT
A VULNERABILITY ASSESSMENT IS USUALLY CARRIED OUT WITH A SECURITY VULNERABILITY SCANNER APPLICATION. MOST OF THESE PRODUCTS TEST THE OPERATING SYSTEM TYPE, APPLICATIONS, PATCH LEVEL, USER ACCOUNTS AND SO ON.
VULNERABILITY SCANNERS IDENTIFY COMMON SECURITY CONFIGURATION MISTAKES AND COMMON ATTACKS
SECURITY ASSESSMENT
SECURITY AUDIT
MOSTLY CHECKLIST-BASED (CORPORATE SECURITY POLICIES, REGULATORY STANDARDS (ISO) OR PBI)
IMPORTANT FOR COMPLYING WITH SECURITY POLICIES, LEGISLATION AND STANDARDS
E.G.: ARE THERE ANY BACKUPS? ANTIVIRUS?
SECURITY ASSESSMENT
PENETRATION TESTING
IS WHEN A “HACKER” DOES THE ATTACKER'S WORK.
THE ONLY GOAL IS TO BREAK INTO THE SYSTEM AS MUCH AND AS DEEPLY AS POSSIBLE.
VA VS. PENTEST
VULNERABILITY ASSESSMENT IDENTIFIES THE “POSSIBLE” VULNERABILITIES (INCLUDING FALSE POSITIVES)
PENETRATION TESTING VALIDATES THE VULNERABILITY
PENTEST VS. SECURITY AUDITS
SECURITY AUDITS ARE IMPORTANT FOR COMPLYING WITH SECURITY POLICIES, LEGISLATION AND STANDARDS
PENTESTS COMPLEMENT SYSTEM AUDITS AND HELP TO FIX SECURITY THREATS BEFORE AN ATTACKER DISCOVERS THEM
PENETRATION TESTING
CHECK WHAT SENSITIVE INFORMATION IS AVAILABLE
CHECK WHAT KIND OF PRIVILEGES THE PENTESTER GAINS
CHECK IF IT IS POSSIBLE TO ESCALATE PRIVILEGES
CHECK IF VULNERABILITY CAN LEAD TO MORE EXPLOITS (ANOTHER APPLICATION, SYSTEM, OR SERVER)
PENETRATION TESTING
TYPE OF PENETRATION TESTING:
BLACK BOX: ZERO INFORMATION ABOUT THE SYSTEM, MAYBE ONLY THE IP/DOMAIN NAME. FULL ATTACKER PERSPECTIVE.
GRAY BOX: PARTIAL INFORMATION ABOUT A SYSTEM, SIMULATES AN ATTACK BY EMPLOYEES OR VENDORS.
WHITE BOX: SIGNIFICANT INFORMATION ABOUT A SYSTEM, SOURCE CODE/CONFIGURATION REVIEW.
PENETRATION TESTING
NETWORK INFRASTRUCTURE PENTEST
WIFI, VOIP, TELEPHONE
APPLICATION INFRASTRUCTURE PENTEST
WEB, MOBILE
SYSTEM INFRASTRUCTURE PENTEST
PHYSICAL SECURITY
SOCIAL ENGINEERING (PEOPLE)
PENETRATION TESTING
MOST LIMITATIONS
TIME
SKILLS
ACCESS TO EQUIPMENT
PENETRATION TESTING
METHODOLOGY
A GUIDELINE FOR SOLVING A PROBLEM, WITH SPECIFIC COMPONENTS SUCH AS PHASES, TASKS, METHODS, TECHNIQUES AND TOOLS
PENETRATION TESTING
WELL KNOWN STANDARD
PENETRATION TESTING
SOURCE: ISSAF
PENETRATION TESTING
INFORMATION GATHERING: USING ALL RESOURCES (INTERNET) TO FIND ALL THE INFORMATION ABOUT THE TARGET, USING TECHNICAL AND NON-TECHNICAL METHODS
SOURCE: ISSAF
INFORMATION GATHERING
NON TECHNICAL
SEARCH COMPANY INFO ON SOCIAL NETWORKS: LINKEDIN.COM, FACEBOOK
SEARCH KEY PERSONNEL ACTIVITY: ADMINISTRATOR, PROGRAMMER
GOOGLE HACKING
HANDS ON
INFORMATION GATHERING VIA SOCIAL NETWORK
INFORMATION GATHERING VIA GOOGLE HACKING
INFORMATION GATHERING
TECHNICAL
USING DIG, NSLOOKUP, WHOIS TO FIND INFORMATION
HANDS ON
INFORMATION GATHERING USING DIG
INFORMATION GATHERING USING WHOIS
PENETRATION TESTING
NETWORK MAPPING: FOOTPRINT THE NETWORK AND RESOURCES ALREADY IDENTIFIED DURING INFORMATION GATHERING, E.G.: FIND LIVE HOSTS, PORTS AND SERVICES, NETWORK PERIMETER, OS AND SERVICE FINGERPRINTING
SOURCE: ISSAF
NETWORK MAPPING
TOOLS: NMAP, TRACEROUTE, PING
TRYING OUT NMAP, TRACEROUTE
SOURCE: ISSAF
HANDS ON
PENETRATION TESTING
VULNERABILITY IDENTIFICATION: IDENTIFY ALL SERVICE VULNERABILITIES (BASED ON VERSION/BANNER) USING A VULNERABILITY SCAN, IDENTIFY ATTACK PATHS
TOOLS: NMAP, NESSUS
SOURCE: ISSAF
HANDS ON
NMAP -sV (DETECT OPEN PORTS WITH SERVICE INFO (VERSION))
NMAP -O (DETECT POSSIBLE OS)
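Added example (not part of the original slides): a triage pass over `nmap -sV`-style output from an authorized scan, showing why version/banner matching only produces "possible" vulnerabilities that still have to be validated. The scan lines, product names and advisory IDs are constructed for illustration.

```python
import re

# Constructed sample in the style of `nmap -sV` port lines (not real scan output).
SCAN = """\
22/tcp  open  ssh    ExampleSSH 5.3 (protocol 2.0)
80/tcp  open  http   Example httpd 2.2.15 ((ExampleDistro))
443/tcp open  https  Example httpd 2.4.9
"""

# Hypothetical advisory table: product -> (advisory id, first affected, first fixed).
ADVISORIES = {
    "ExampleSSH": [("EXAMPLE-ADV-1", "5.0", "5.4")],
    "Example httpd": [("EXAMPLE-ADV-2", "2.2.0", "2.2.20")],
}

PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+open\s+\S+\s+"
    r"(?P<product>.+?)\s+(?P<version>\d+(?:\.\d+)+)(?P<extra>.*)$"
)

def as_tuple(version):
    """Turn '2.2.15' into (2, 2, 15) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def triage(scan_text):
    """Return banner-based candidates; none of them is a confirmed finding."""
    findings = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # closed/filtered ports or lines without a version banner
        for adv_id, first_bad, first_fixed in ADVISORIES.get(m["product"], []):
            if as_tuple(first_bad) <= as_tuple(m["version"]) < as_tuple(first_fixed):
                findings.append({
                    "port": int(m["port"]),
                    "advisory": adv_id,
                    "status": "possible",  # VA result: must be validated
                    # A distro tag in the banner suggests a vendor package, which
                    # may carry backported fixes under the old version number.
                    "backport_suspect": "((" in m["extra"],
                })
    return findings

if __name__ == "__main__":
    for finding in triage(SCAN):
        print(finding)
```

Entries with `backport_suspect` set are the typical false-positive candidates: check the installed package's changelog before reporting them as vulnerable.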
PENETRATION TESTING
PENETRATION: TRY TO GAIN UNAUTHORIZED ACCESS BY CIRCUMVENTING THE SECURITY MEASURES, E.G.: FIND POC, CREATE TOOLS, TESTING
SOURCE: ISSAF
PENETRATION TESTING
GAINING ACCESS AND PRIVILEGES: GAIN LEAST-PRIVILEGE ACCESS THROUGH DEFAULT USERS OR PASSWORDS, DEFAULT SETTINGS, PUBLIC SERVICES; THEN TRY TO ESCALATE PRIVILEGES TO A HIGHER LEVEL (ADMINISTRATOR/ROOT)
USING/CREATING EXPLOIT
OR METASPLOIT (FREE), IMMUNITY CANVAS, CORE IMPACT
SOURCE: ISSAF
HANDS ON
USING METASPLOIT
USING LOCAL EXPLOIT TO GAIN HIGHER LEVEL PRIVILEGES
PENETRATION TESTING
ENUMERATING FURTHER: OBTAIN PASSWORDS (PASSWORD FILE (/etc/shadow, SAM), USER DATABASE), SNIFFING NETWORK, MAPPING INTERNAL NETWORK
SOURCE: ISSAF
HANDS ON
CRACKING PASSWORD FILE
PENETRATION TESTING
COMPROMISE REMOTE USERS/SITES: (IF POSSIBLE) TRY TO COMPROMISE REMOTE USERS (VPN USERS) TO GAIN PRIVILEGES ON THE INTERNAL NETWORK
SOURCE: ISSAF
PENETRATION TESTING
MAINTAINING ACCESS: OFTEN NOT PERFORMED
COVERING TRACKS: OFTEN NOT PERFORMED
SOURCE: ISSAF
PENETRATION TESTING
THE VALUE IS IN THE REPORT
PENETRATION TESTING SERVICE LEVEL AGREEMENT
NON DISCLOSURE AGREEMENT
THERE IS ALWAYS A RISK, E.G.: SYSTEM DOWN/CRASH DURING PENTEST, NETWORK SLOWDOWN