Friendly hacking: Penetration testing vs. hacking
Kamil Golombek, kamil.golombek@bdo-it.com, Tel. +420 241 046 279



Agenda

– Definitions and dividing
– Similarities and differences
– Skills and mentality
– Methodology and tools
– Personal experiences


Definitions

Penetration testing
– tries to replicate a real attack
– goes as deep as possible
– is not comprehensive (it doesn't enumerate all vulnerabilities)
– is usually, but not always, done from outside
– is not "just" a combination of several vulnerability scan tool reports
– maybe not so strong, but very intelligent

Vulnerability scanning
– doesn't go as far as pentesting
– but enumerates all possible known bugs and holes
– not very intelligent, but strong


Types of security tests

NIST Computer Security Division (the list in NIST SP 800-42, Guideline on Network Security Testing):
– network mapping (survey and scanning)
– vulnerability scanning (network and host scanners)
– penetration testing (blue / red team, "manual work")
– security tests & evaluation (finding mistakes in design ...)
– password cracking (e.g. can be used during pentests)
– log review (checks that the system works as intended)
– integrity checkers (put in place from the start, so the baseline is trustworthy)
– virus detection (an out-of-date one is as good as none)
– war dialing (rogue modems etc.)


Pros and cons of security tests

Type                   | Pros                                                    | Cons
-----------------------|---------------------------------------------------------|-------------------------------------------------------------------------------
Network mapping        | Very quick and easy.                                    | Doesn't find vulnerabilities; more often it's the first phase of other tests.
Vulnerability scanning | Quite quick, many good automated tools, wide range.     | Only known bugs, many "false positives", doesn't go beneath the surface.
Penetration testing    | Hacker tools and methods, shows real danger, goes deep. | Very demanding in time, skills and knowledge. Quite expensive.


Comparison: Hacker vs. pen-tester

• Is pentesting a kind of “black art”?

• Who is the real hacker / pentester?

• “Wanna be” hackers / pentesters?

• Who is more dangerous?

• How can you find the real one?


Who is the real one?

First-tier hackers
The best programmers and experts. They have a deep understanding of the IP protocols, of the operating systems in use and of programming languages. They are able to find new holes or vulnerabilities and to write their own code. They usually don't seek publicity, but they are known because many others use their hacking utilities.

Second-tier hackers
Have a technical skill level equivalent to system or network administrators. They usually know several operating systems, know how to use some exploits and have some knowledge of a programming language. They are much more common than first-tier hackers and they often rely on them.

Third-tier hackers (also script kiddies or "lamers")
The most populated but also the least respected group. The main principle they use is "download and try". They usually don't understand the consequences and, because they often use untested scripts against real networks, they can cause big problems. Their knowledge of IT is usually quite low, but what they lack (or lose) in skills they gain in motivation, free time etc. If they are successful, they think they are "elite".


Usual (or minimal?) level of a pentester?

• Skills, knowledge and experience should be at least similar to the second-tier hackers.

• If he (she?) is better, that's good, but it's more an exception than a rule.

• Plus:
– good reputation and no criminal record
– patience and methodology (to find all holes, to document ongoing tests, etc.)
– presentation skills (?) and the ability to close discovered holes (if required)


Skills and mentality

Good skills and knowledge are necessary but not sufficient conditions!

You have to think like a hacker but behave like a professional!

Going beyond limits and using your knowledge in a different way is an attitude!


Methodology and tools

• Before you begin ...

• Classical phases of tests (hacks?)

• Obligations in execution of tests

• Basic categories of tools


Classical phases of tests

• General methodology (from outside)
– Reconnaissance (get to know as much as possible)
– Vulnerability analysis ("low hanging fruit", other ways)
– Gaining access (trying concrete attacks and methods, escalation of privileges)

• Basic phases of an "attack"
– Reconnaissance (IP, DNS, mail servers, organization info, etc.)
– Scanning (ports, services, SW, known vulnerabilities)
– Gaining access (exploits, scripts, hacker tools ...)
– Maintaining access (Trojan horses: application, traditional, kernel)
– Covering tracks (hiding in the OS, covert channels, wiping audit logs)
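The scanning step of the attack phases above, as an added example that is not from the original slides: a TCP connect scan with banner grabbing and a first service-identification pass. So that it runs offline, the script starts its own fake listener on the loopback interface; the `SSH-2.0-OpenSSH_7.4` banner, the `identify()` heuristics and the helper names are constructed for the demonstration. On a real engagement the port list and hosts come from the agreed scope, never from guesswork.

```python
"""Scanning phase: TCP connect scan plus banner grab.

Added example, not from the original slides. To run offline it starts a
fake service on the loopback interface; the SSH banner and the
identify() heuristics are constructed stand-ins. On a real engagement
the target list comes from the agreed scope, never from guesswork.
"""
import socket
import threading
from typing import Dict, Iterable, Optional


def start_fake_service(banner: bytes) -> int:
    """Listen on an ephemeral 127.0.0.1 port and send `banner` to every
    client. Returns the port. This is the constructed target, not a
    real daemon."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # socket torn down at interpreter exit
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port() -> int:
    """Find a loopback port nothing listens on (bind, read, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(host: str, port: int, timeout: float = 0.5) -> Optional[bytes]:
    """Full TCP connect; return the banner (b'' if the service stays
    silent) or None when the port is closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256)
            except socket.timeout:
                return b""  # open, but waits for the client to talk first
    except OSError:
        return None


def identify(banner: Optional[bytes]) -> str:
    """Crude service identification from the banner, the way a scanner's
    version-detection step starts."""
    if banner is None:
        return "closed"
    text = banner.decode("ascii", errors="replace").strip()
    if text.startswith("SSH-"):
        # RFC 4253 identification string: SSH-<proto>-<software> [comment]
        software = text.split("-", 2)[2].split(" ", 1)[0]
        return "ssh/" + software
    if text.startswith("220 "):
        return "smtp-or-ftp/" + text[4:]
    return "open/unknown" if text else "open/no-banner"


def scan(host: str, ports: Iterable[int]) -> Dict[int, str]:
    """Map each port to its identification; this is the list a tester
    carries into the 'gaining access' phase."""
    return {p: identify(probe(host, p)) for p in ports}


if __name__ == "__main__":
    target = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")
    for port, what in scan("127.0.0.1", [target, free_port()]).items():
        print(f"{port}/tcp  {what}")
```

A connect scan completes the three-way handshake, so every probe lands in the target's logs and connection tables; that is what makes it noisy compared with a SYN scan, and also what makes it safe to run without raw-socket privileges. The banner is only a hint: software can lie in its identification string, which is why version detection in real scanners goes on to send protocol-specific probes.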


Obligations in the execution of tests

• Hacker
– doesn't have to follow our "test order"
– needs to find and use only one hole
– can have some trouble with covering tracks

• Pen-tester
– must have a methodology to test as much as possible
– besides having it, he has to follow it too
– tries to find theoretically all holes, but can have problems proving it


Basic categories of tools

• Reconnaissance
• War dialing
• OS and application identification
• Network services testing
• Port scanning
• Vulnerability scanning
• NULL session tools
• Session manipulation
• FW, router, ACL testing
• Forensic analysis
• Password cracking
• DoS
• Log review
• Packet forgery
• Sniffing
• IDS testing
• WWW testing
• ..... some more.


Personal experiences

• Relatively low level of security awareness
– 95% of blue tests

• Impossible requirements on pentesters
– "within one afternoon"
– if you don't finish as "root", your test was bad

• "Smart" handling of test results
– the final report is just a "dust collector"
– "it's just a potential hole, you can't prove it"
– "it's not a complete manual on how to turn my messy IS into a COSMIC TOP SECRET system"

• Bad internal communication in the organization
– the security officer or manager orders the pentests, but sometimes forgets to announce it to the IT staff of the organization (diversion actions and an aggressive attitude follow very quickly)


Conclusion

Do you need penetration tests?
– Penetration testing is for organizations with a strong security program.
– Don't waste your money on pentests if you don't even do regular vulnerability testing yourself.

Do we need pentesters?
– Vulnerability scanning IS NOT penetration testing
– Keeping up to date with the underground is a full-time job
– No vulnerability scanner hacks your system!

• Is it important to know the basics of security testing?


Hack’em all!