BSidesTO 2016 - Penetration Testing
TRANSCRIPT
@haydnjohnson
Penetration Testing
I don’t think it means what you think it means
Whoami
Haydn Johnson
Twitter: @haydnjohnson
From: Australia, lives in Toronto
Talks: http://www.slideshare.net/HaydnJohnson
Certs: OSCP | GXPN
Just shy of 4 years' industry experience
Backstory
Multiple understandings of a VA
Multiple understandings of a PT
Presented at BSidesLV - Automation of Pentesting
Many definitions
Penetration Testing is a term misused, abused, exploited
To the point where it is taken out back in the rain and given a 12-gauge to the head.
Automation of Pentesting - The Trend
Commoditization
Pentest Puppy Mills
- Scan
- Scan
- Scan
- Report
- Make report look nice
- Make report look nicer
- Remove findings on the client's request
- Send
The differences
Vulnerability Assessment - List Oriented: VULN A, VULN B, VULN C
Penetration Testing - Goal Oriented: Phishing -> Local Admin -> Dump Hashes -> Domain Admin
https://danielmiessler.com/study/vulnerability-assessment-penetration-test/
Was I correct?
Let's delve deeper
Penetration Testing - The term
Means many things, or does it?
Are you sure?
But Burp is a penetration test
It attempts SQL injection... it penetrates
It checks for XSS... it penetrates
id=5 order by 1
NOT a Penetration Test
But Nessus / Nexpose is a penetration test
It checks if an exploit is there...
Some checks “do” exploit...
It penetrates
NOT a Penetration Test
Because the title says penetration test
So what is a penetration test?
But you still know it's a cat... err, Penetration Test
Round Square
Where does one start
In order to understand what a Penetration Test is, we must look at some standards.
No really. A standard exists!
There are multiple standards
Best practices - just google!
Let us look at
1. The PTES standard - will explain the key points
2. What is in the standard - compare with vulnerability assessment
3. Compare VA -> PT - show example
Penetration Testing Execution Standard
By REAL infosec people:
Chris Nickerson
Dave Kennedy
Carlos Perez
John Strand
Chris Gates
+ Many more
http://www.pentest-standard.org/index.php/FAQ
The Penetration Testing Execution Standard
Main sections:
- Pre-engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Exploitation
- Post Exploitation
- Reporting
http://www.pentest-standard.org/index.php/Main_Page
Goals of the standard
Businesses: the goal is to enable them to demand a specific baseline of work as part of a pentest.
Service Providers: the goal is to provide a baseline for the kinds of activities needed.
“The standard is written for us….anyone and everyone who’s dealing with penetration testing. It is not about a specific product, or even a specific approach or methodology for testing.”
“It is designed so that when it is adhered to, the delivery will be well above a ‘minimal standard’.”
http://www.iamit.org/blog/2016/09/ptes-remaining-impartial-and-insisting-on-high-standards/
Pre-engagement
Time Estimation: tied to experience of tester; 20% for padding
Scoping Meeting: what will be tested; customer owned?; validate assumptions
General Questions: network pentest; web pentest; physical pentest
Scope Creep: wanting more covered; how to deal with it
Specific IP ranges and Domains: IP blocks owned by client
Payment Terms: up front; half way; end
Pre-engagement Interactions
- Rules of engagement - what can and cannot be done
- Scope
- Testing schedule
- Escalation procedures
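The scoping points above (client-owned IP blocks and domains, "validate assumptions", scope creep) are easy to state and easy to violate once scanning starts. The following is an added example, not code from the slides or from PTES: it encodes the agreed scope and refuses any target that cannot be matched to it, so the validation happens in code before any traffic is generated. The CIDR blocks (RFC 5737 documentation ranges), domain names and exclusions are constructed sample values.

```python
"""Scope validation before testing starts.

Added example, not code from the original slides. The agreed scope
(client-owned IP blocks and domains) and the client's exclusions are
checked for every candidate target; anything that cannot be proven to be
inside the scope is rejected rather than assumed to be "probably theirs".
All ranges and names below are constructed sample values.
"""
import ipaddress
from typing import List, Tuple


class Scope:
    """Rules of engagement as agreed in the scoping meeting (sample values)."""

    def __init__(self, ip_blocks: List[str], domains: List[str], excluded: List[str]):
        # Client-owned CIDR blocks; strict=False tolerates "203.0.113.5/24" style input.
        self.networks = [ipaddress.ip_network(b, strict=False) for b in ip_blocks]
        # Client-owned domains; subdomains of these are in scope.
        self.domains = [d.lower().rstrip(".") for d in domains]
        # Hosts the client carved out (e.g. a fragile production system).
        self.excluded = [ipaddress.ip_network(b, strict=False) for b in excluded]


def in_scope(target: str, scope: Scope) -> Tuple[bool, str]:
    """Decide whether one target (IP address or hostname) may be tested.

    Returns (allowed, reason). Scope creep is handled by asking the client,
    not by widening the match, so unknown input is always rejected.
    """
    target = target.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None  # not an IP literal, treat as a hostname below

    if addr is not None:
        # Exclusions win over inclusions: a carved-out host inside an
        # agreed block is still refused.
        if any(addr in net for net in scope.excluded):
            return False, f"{target} is explicitly excluded by the client"
        if any(addr in net for net in scope.networks):
            return True, f"{target} is inside an agreed IP block"
        return False, f"{target} is not in any agreed IP block"

    # Hostname: must equal an agreed domain or be a subdomain of one.
    # The leading dot stops "notexample.com" matching "example.com".
    for domain in scope.domains:
        if target == domain or target.endswith("." + domain):
            return True, f"{target} is under agreed domain {domain}"
    return False, f"{target} is not under any agreed domain"


def partition_targets(targets: List[str], scope: Scope) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a candidate list into allowed targets and (target, reason) rejections."""
    allowed: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for candidate in targets:
        ok, reason = in_scope(candidate, scope)
        if ok:
            allowed.append(candidate)
        else:
            rejected.append((candidate, reason))
    return allowed, rejected


# Constructed sample scope (documentation address ranges, example domain).
SAMPLE_SCOPE = Scope(
    ip_blocks=["203.0.113.0/24", "198.51.100.0/28"],
    domains=["example.com"],
    excluded=["203.0.113.10/32"],
)

if __name__ == "__main__":
    candidates = ["203.0.113.5", "203.0.113.10", "198.51.100.20",
                  "www.example.com", "notexample.com", "192.0.2.1"]
    allowed, rejected = partition_targets(candidates, SAMPLE_SCOPE)
    print("allowed:", allowed)
    for _, reason in rejected:
        print("rejected:", reason)
```

Feeding the output of this check into the target list of whatever tooling is used (rather than the raw candidate list from intelligence gathering) is the point: the rejected list with reasons is also what goes back to the client when scope creep needs a decision.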
Pre-engagement Interactions - Example
Pentest form: name, contacts, dates, IP address
https://aws.amazon.com/security/penetration-testing/
Pre-engagement Interactions VA comparison
“I need the things scanned”
Overall security posture
What do I have out there?
Intelligence Gathering
Level 1 - Compliance: automated tools
Level 2 - Best practice: understanding of business; physical location, org chart
Level 3 - State sponsored: heavy analysis, social networks etc.
What it is: information gathering to be utilized to penetrate a target during the vulnerability and exploitation phases. The more information, the better.
What it is not: nothing found from on-premises
Footprinting: scanning; IP blocks
Intelligence Gathering - key points
Dig - axfr
Finding information
Helps identify systems
Used as a base for further steps
Intelligence Gathering - Relationships
Business partners
Customers
Manual analysis to vet level 1
Shared office spaces
Shared infrastructure
Rented / leased equipment
Diagram (relationship levels 1, 2, 3): Amazon, Reseller A, Shop B, Shop C
Intelligence Gathering - Example
DNS Servers
Intelligence Gathering VA comparison
Find hosts that are up and in scope… Scan
Threat Modelling
High Level Process: gather relevant documentation; identify & categorize assets; identify & categorize threats; map threats against assets
Business Asset Analysis: asset centric view; assets most likely to be targeted; value of assets and impact of loss
Business Process Analysis: how it makes money; critical vs noncritical processes; how they can be made to lose money
Threat Agents: internal / external; community within location; capabilities / motivation
Motivation Modelling: constantly changing; increase / decrease
Threat Capability: probability of success; technical and opportunity
Threat Modelling - High Level
- Gather relevant documentation
- Identify and categorize primary and secondary assets
- Identify and categorize threats and threat communities
- Map threat communities against primary and secondary assets
Threat Modelling - Business Asset Analysis
Identify assets that are most likely to be targeted
Organisational data - how the organization does business
Trade secrets
Infrastructure design
**Can feed other areas - intel?
Threat Modelling - Business Process Analysis
How the company makes money
Value chains - assets and processes
Threat Modelling - Threat Agents / Community Analysis
Relevant threats - internal & external
Internal employees motivated by outsiders?
Threat Modelling - Threat Capability Analysis
What skills do they have
How many
Technical & opportunity analysis
Exploits / payloads
Threat Modelling - Motivation
$$$$ | Bored | Activism
Threat Modeling - Key Points
Enables the tester to focus on delivering an engagement that closely emulates the tools, techniques, capabilities, accessibility and general profile of the attacker…
Tools | Techniques | Capabilities | Access
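The four high-level threat modelling steps and the asset, threat agent, motivation and capability analyses above can be carried through as a small worked exercise. The following is an added example, not code from the slides or from PTES: it categorizes sample assets and threat communities, maps the communities against the assets, and ranks the pairings so the engagement knows which attacker profile to emulate first. The scoring rule (asset value x capability x motivation), the 1-5 scales and every sample asset and community are this example's own assumptions, not a PTES formula; the numbers would come from the client's documentation and the scoping meeting.

```python
"""Threat-to-asset mapping for the PTES threat modelling phase.

Added example, not code from the original slides or from PTES. The
"documentation" is constructed inline as sample assets and threat
communities; the score = value x capability x motivation rule and the
1-5 scales are assumptions made for illustration.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    category: str    # "data", "process" or "infrastructure"
    value: int       # 1-5: impact of loss, agreed with the business
    primary: bool    # primary assets are targets in themselves, secondary ones support them


@dataclass(frozen=True)
class ThreatCommunity:
    name: str
    internal: bool
    capability: int             # 1-5: technical skill plus opportunity
    motivation: int             # 1-5: not static, see adjust_motivation()
    interests: Tuple[str, ...]  # asset categories this community goes after


def adjust_motivation(community: ThreatCommunity, delta: int) -> ThreatCommunity:
    """Motivation changes over time; return a copy moved by delta, clamped to 1-5."""
    level = max(1, min(5, community.motivation + delta))
    return replace(community, motivation=level)


def map_threats(assets: List[Asset], communities: List[ThreatCommunity]) -> List[Tuple[int, str, str, bool]]:
    """Map each community against each asset it is interested in.

    Returns (score, community, asset, asset_is_primary) rows, highest
    score first; ties broken by name so the ranking is stable.
    """
    rows = []
    for community in communities:
        for asset in assets:
            if asset.category not in community.interests:
                continue  # no reason for this community to target this asset
            score = asset.value * community.capability * community.motivation
            rows.append((score, community.name, asset.name, asset.primary))
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return rows


def emulation_plan(rows: List[Tuple[int, str, str, bool]], limit: int = 3) -> List[str]:
    """Top pairings as one-line statements of what the engagement should emulate."""
    plan = []
    for score, who, what, primary in rows[:limit]:
        note = "" if primary else " (secondary asset)"
        plan.append(f"emulate {who} against {what}{note} (score {score})")
    return plan


# Constructed sample data standing in for the gathered documentation.
SAMPLE_ASSETS = [
    Asset("customer database", "data", 5, True),
    Asset("payroll run", "process", 4, True),
    Asset("vpn gateway", "infrastructure", 3, False),
    Asset("public website", "infrastructure", 2, True),
]
SAMPLE_COMMUNITIES = [
    ThreatCommunity("organised crime", False, 4, 5, ("data", "process")),
    ThreatCommunity("hacktivist", False, 3, 4, ("infrastructure",)),
    ThreatCommunity("insider", True, 2, 3, ("data", "process")),
]

if __name__ == "__main__":
    for line in emulation_plan(map_threats(SAMPLE_ASSETS, SAMPLE_COMMUNITIES)):
        print(line)
```

Re-running the mapping after adjust_motivation() (for example when a community's interest in the client rises during the engagement) shows why the slides call motivation "constantly changing": the ranking, and so the profile the tester emulates, moves with it.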
Threat Modelling - Example
Tofsee Malware
JavaScript downloader writes a PE32 executable into the %USERPROFILE% directory
Spam
Delivered via RIG Exploit Kit
http://blog.talosintel.com/2016/09/tofsee-spam.html
https://www.recordedfuture.com/threat-actor-types/
Threat modeling VA comparison
Internal or external
Vulnerability Analysis
Discovering Flaws / Testing: leveraged by attackers; host & service; insecure design
Relevant: correct level of depth; expectations; goals
Passive: how it makes money; metadata analysis
Active: direct interaction; automated; manual
Research: constantly changing; increase / decrease
Validation: probability of success; technical and opportunity
Vulnerability Analysis - can include
Services | Banners
Multiple exit nodes
IDS evasion
Need to get to the target
Vulnerability Analysis - Example
Vulnerability Analysis VA comparison
Primarily focused on KNOWN vulnerabilities. Network / business logic not assessed.
Whitelisted | Trusted
No evasion needed
Exploitation
Countermeasures: encoding; process injection; DEP | ASLR
Evasion: prevent detection; physical; network
Precision Strike: not hail mary; based on previous steps
Tailored Exploits: customize known exploit
Zero Day Angle: last resort; fuzzing; code analysis
Exploitation - Objective
Least path of resistance
Undetected
Most impact
Circumventing security controls
EASY ROAD
Hard Road
Biggest Impact
Exploitation - Countermeasures
Anti-virus needs to be evaded
Encoding data to hide what is being done
Hiding information through process injection
Memory protection such as DEP and ASLR
Exploitation - Precision
Previous steps used
Best vulnerabilities analyzed for exploitation
Minimal disruptions
Method to the madness
Exploitation - Zero Days
Fuzzing
Buffer overflows
SEH overwrites
Ret2Libc
Exploitation - IS NOT THE DIFFERENCE BETWEEN A VA & PT
Exploitation can be used in a VA or a PT.
Clients may want a high risk vulnerability proven.
Exploitation is used heavily in a Penetration Test - but it is not the definition
https://danielmiessler.com/study/vulnerability-assessment-penetration-test/
Exploitation - Vulnerability Assessment
Validate a vulnerability
REMOTE CODE EXECUTION A
Exploitation - Penetration Test
Part of the job
Network
Web
Credentials
Exploitation - Example
https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jboss
Exploitation - VA comparison
Specific
Limited
Proof
No post exploitation
Post Exploitation
Rules of engagement: protecting client; protecting yourself
Infrastructure Analysis: routing; network services; neighbors
Pillaging: installed programs | services; file/printer shares; host configuration; monitoring
Deep in target: identification of impact; affect 1 system; affect infrastructure
Persistence & Pivoting: backdoors; lateral movement
Data Exfiltration: testing; measure controls and detection
Post Exploitation - think like the attacker
What is in the network
Where is the data - customer - financial - health - credit card
Where is the domain admin
Post Exploitation - think like the attacker
Backdoors
Persistence
Data exfiltration
Post Exploitation VA comparison
Exploitation proves the vulnerability can be exploited
This does not show the business impact.
Not “how deep, real impact”
Post Exploitation - Example
http://www.slideshare.net/HaydnJohnson/power-sploit-persistence-walkthrough
Reporting
Exec Summary: goals of pentest; high level findings; background; overall posture; C-level | management; systemic issues
Technical Report: introduction; information gathering; vulnerability assessment; exploitation / vuln confirmation; post exploitation; risk exposure; conclusion
Reporting - Exec Summary
High level background
Key points
Key impact and ratings
Recommendations
Strategic road map
Similar to VA - but shows real impact, not just vulns
Reporting - Technical Report
Deep explanation of each stage
Step by step of process / exploitation
Step by step of post exploitation
Similar to VA - but shows much more than a list of vulns
Reporting - Vulnerability Analysis
Exec Summary
List of VULNERABILITIES
Ratings & prioritization
Attacker COULD exploit
Reporting - Example
https://www.offensive-security.com/reports/sample-penetration-testing-report.pdf
In Summary - VA
In Summary - Exploitation
In Summary - Penetration test
Thank you!
Questions? Debate?
Further Reading
Pentesting in detail: http://www.isaca.org/chapters3/Atlanta/AboutOurChapter/Documents/GW2015/081115-10AM-Pentesting.pdf
PTES and high standards: http://www.iamit.org/blog/2016/09/ptes-remaining-impartial-and-insisting-on-high-standards/
Post exploitation blogs with Empire: https://www.powershellempire.com/?page_id=561