PenTest Extra 3/2011 - Mobile Pentesting

Upload: pentestmag

Post on 17-Mar-2016


Page 1: PenTest Extra 3/2011 - Mobile Pentesting
Page 3: PenTest Extra 3/2011 - Mobile Pentesting

EDITOR’S NOTE

Mobile Pentesting

The November issue of Pentest Extra magazine is entirely devoted to mobile pentesting. Nowadays smartphones, iPhones and other mobile devices are highly developed and, in the hands of a skilled hacker, could be a powerful tool. In this issue we will try to bring you some methods of penetration testing using mobile devices.

We publish a very interesting article about iPhone and iPad applications. Kunjan Shah focuses specifically on helping security professionals understand the nuances of penetration testing iPhone and iPad applications. He attempts to cover the key steps the reader would need to understand, such as setting up the test environment, installing the simulator, configuring the proxy tool and decompiling applications. Just read Shah’s article on page 6 to find out more.

The next one is a little intriguing. Ken Westin titled his article “Is that a phone in your pocket or are you scanning my network?” He points out that most phones have great potential and are as well equipped with applications as a computer, but a mobile device can be easily hidden, which makes it a more powerful tool than a laptop. Hans-Michael Varbaek thinks very similarly. In his opinion we have entered the next generation of penetration tests. See for yourself on pages 16 and 28.

On the front cover you can see Gary McGraw, a famous technologist, scientist and writer. Mr. McGraw has written many books about software security, and lately he has focused on the exciting BSIMM project, which he describes in detail in his interview with Aby Rao. More information can be found on page 22.

Protecting our data is very important. In his article Murray Goldschmidt tells you what to look for and what to change in your organisation to make it more secure. “Achieving Better Outcomes” can be found on page 34. The security problem is also significant for Milind Bhargava, who writes that it is no longer just „script kiddies” trying to break into your network. Jump to page 42 and read his article.

In this issue we are also reviewing a great book for beginner hackers. „A Beginners Guide to Ethical Hacking” is a great book for both beginners and intermediate users who are interested in learning more about ethical hacking. We highly recommend it and invite you to read about it on page 32.

At the end I would like to mention a few shorter, but still very good, articles. Idan Aharoni shows you how easily your credit cards can be attacked. You will find a very interesting text about penetration testing on Android by Scott Christie. And Alex Horan will try to convince you that mobile devices pose significant security risks for today’s organizations.

We hope you will find this issue of Pentest Extra interesting and useful. Thank you all for your great support and invaluable help.

Enjoy reading!

Krzysztof Marczyk

Pentest Team

Page 3 EXTRA 02/2011(2) http://pentestmag.com

Page 4: PenTest Extra 3/2011 - Mobile Pentesting


CONTENTS

MOBILE APPLICATIONS
Penetration Testing For iPhone and iPad Applications by Kunjan Shah, page 6

This article focuses specifically on helping security professionals understand the nuances of penetration testing iPhone/iPad applications. It attempts to cover the key steps the reader would need to understand, such as setting up the test environment, installing the simulator, configuring the proxy tool and decompiling applications. To be clear, this article does not attempt to discuss the security framework of the iPhone itself, identify flaws in iOS, or cover the entire application penetration testing methodology.

MOBILE PENTESTING
Is That A Phone In Your Pocket Or Are You Scanning My Network? by Ken Westin, page 16

When most people think of penetration testing, they think of a simulated external attack where the tester tries to break into a network remotely. Companies focus most of their security spending and policies on keeping hackers from the outside in, with firewalls and other security hardening appliances, software and tools. However, given the proliferation of mobile devices in the workplace and the use of Wi-Fi networks inside an office, attacking from inside the network provides unique opportunities. Smartphones have become much more powerful over the past few years, with powerful processors and a plethora of hardware at your fingertips. Combine this power in a compact unit with the right apps and you can scan a network from the inside in seconds, along with several other new types of attacks and information gathering.

INTERVIEW
Interview with Gary McGraw by Aby Rao, page 22

Gary McGraw is a globally recognized authority on software security and the author of eight best-selling books on this topic. His titles include „Software Security”, „Exploiting Software”, „Building Secure Software”, „Java Security”, „Exploiting Online Games”, and 6 other books. He is editor of the Addison-Wesley Software Security series. Gary is the Chief Technical Officer at Cigital, Inc., a software security consulting firm with headquarters in the Washington, D.C. area and offices throughout the world.

TEAM

Editor: Krzysztof [email protected]

Betatesters / Proofreaders: Alberto Jose Aragon Alvarez, Juan Bidini, Scott Christie, Kyle Kennedy, Aby Rao, Jeff Weaver

Senior Consultant/Publisher: Paweł Marciniak

CEO: Ewa [email protected]

Art Director: Ireneusz Pogroszewski [email protected]: Ireneusz Pogroszewski

Production Director: Andrzej Kuca [email protected]

Marketing Director: Ewa [email protected]

Publisher: Software Press Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes.

All rights to trade marks presented in the magazine are reserved by the companies which own them.

To create graphs and diagrams we used program by

Mathematical formulas created by Design Science MathType™

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Page 5: PenTest Extra 3/2011 - Mobile Pentesting


HACKING WITH SMARTPHONE
Next Generation Penetration Testing by Hans-Michael Varbaek, page 28

Over the last couple of years, cellular phones have become increasingly advanced, with more memory, processing power and file storage available. Until recently, laptops have always been the preferred choice of mobile penetration testing platform, but with the smartphones available today, being faster than ever before, they are also becoming a good choice, at least for some attack vectors.

BOOK REVIEW
A Beginners Guide To Ethical Hacking by Shyaam Sundhar, page 32

A Beginners Guide to Ethical Hacking is a great book for beginners to intermediate users who are interested in learning more about ethical hacking. Some say that there is nothing ethical about hacking. I would say that there is nothing ethical in attacking, but hacking could always be done ethically.

DATA PROTECTION
Achieving Better Outcomes by Murray Goldschmidt, page 34

Experience comes from maturity. Capability in penetration testing cannot be developed overnight. Companies with a heritage, and specialisation, in penetration testing are likely to be able to demonstrate a track record. Experience across a broad range of industries and sectors is desirable, which would include exposure to various technologies and to regulatory and compliance requirements.

Getting To Know Yourself Before The Others Do by Milind Bhargava, page 42

With multi-tier network architectures, web services, custom applications, and heterogeneous server platform environments, keeping data and information assets secure is more difficult than ever. Coupled with this added complexity is the fact that criminal organizations have organized their hacking efforts; it is no longer just „script kiddies” trying to break into your network.

PERSONAL SECURITY
The Hacker, the Merchant and the Online Heist by Idan Aharoni, page 48

The trading of compromised credit cards in the underground economy has reached epidemic proportions. As the bar to becoming an online merchant gets ever lower, hackers find easy prey for obtaining these coveted credentials. The underground economy provides script kiddies with the tools to obtain cards, further fueling the ongoing trade.

HACKING WITH ANDROID
Pen Testing From an Android Mobile Device by Scott Christie, page 50

Beginning with reconnaissance, the Android device can already document the target environment with still/video cameras and audio capture. Try not to look like a tourist when on a site safari. A pen tester can document a lot by leaving the device in a pocket or in a casually hanging hand.

The Wifi Analyzer application will have the pen tester scanning the air for possible access points. Sometimes there is an open or rogue access point. Even if the target has no entry points, there may be other access points in the surrounding area where the target’s employees connect. If the pen tester can sniff out an access point, so can the employees, and sure enough they will attempt to connect.

MOBILE ATTACKS
Are Your Devices Secure? by Alex Horan, page 52

Knowing the risks that mobile devices pose, it’s hard not to become the “no” man. I know first-hand how tempting it is to say “no” to users requesting access to corporate email and file shares on a growing number of diverse devices. There’s simply too much risk. What makes it even harder is saying “no” without being able to demonstrate how devices can expose users and organizations to the risk of data theft and corruption, which certainly doesn’t help one’s reputation.

Page 6: PenTest Extra 3/2011 - Mobile Pentesting

MOBILE APPLICATIONS


Penetration Testing for iPhone and iPad Applications

Mobile application penetration testing is an up-and-coming security testing need that has recently obtained more attention, with the introduction of the Android, iPhone, and iPad platforms among others.

The mobile application market is expected to reach a size of $9 billion by the end of 2011 (http://www.mgovworld.org/topstory/mobile-applications-market-to-reach-9-billion-by-2011) with the growing consumer demand for smartphone applications, including banking and trading. A plethora of companies are rushing to capture a piece of the pie by developing new applications, or porting old applications to work with smartphones. These applications often deal with personally identifiable information (PII), credit card and other sensitive data.

This article focuses specifically on helping security professionals understand the nuances of penetration testing iPhone/iPad applications. It attempts to cover the key steps the reader would need to understand, such as setting up the test environment, installing the simulator, configuring the proxy tool and decompiling

Figure 1. iPhone SDK Installer

Figure 2. Location of all the iPhone tools installed with the SDK

Page 7: PenTest Extra 3/2011 - Mobile Pentesting

MOBILE APPLICATIONS


the application does not use such libraries, then Clang should be used. The static analysis technique can be leveraged to uncover issues such as memory leaks, uninitialized variables, dead code, type mismatches, buffer overflows etc. This can be done using Xcode if the source code of the application is available. The static analyzer travels down each possible code path, identifying logical errors such as memory leaks. This is performed using the Build > Build Analyze menu option, as shown in Figure 14 and Figure 15.
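The defect classes named above (memory leak, uninitialized variable, buffer overflow) are easiest to recognise in code. The following C block is an added example, not code from the article or from Apple: one function carrying all three defects on its different code paths, beside a corrected version. The function names and the 16-byte label buffer are constructed for the illustration.

```c
/* Added example (not the article's code): the kinds of defects the Xcode
 * static analyzer reports, shown beside a fixed version. The analyzer walks
 * every code path, so it can flag the leak on the early-return path and the
 * read of an unassigned variable without executing the program. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LABEL_MAX 16   /* constructed size of the fixed on-stack buffer */

/* BEFORE: three defects on different paths of one function.
 *  - strcpy() into a fixed 16-byte buffer with no length check
 *    (stack buffer overflow for names of 16 bytes or more),
 *  - 'copy' is never freed on the empty-name path (memory leak),
 *  - 'count' is returned on that path before it is assigned
 *    (uninitialized variable). */
int label_length_buggy(const char *name)
{
    char label[LABEL_MAX];
    int count;
    char *copy = malloc(strlen(name) + 1);
    if (copy == NULL)
        return -1;
    strcpy(copy, name);
    strcpy(label, copy);          /* no bound check: overflows 'label' */
    if (label[0] == '\0')
        return count;             /* leaks 'copy', returns an unset value */
    count = (int)strlen(label);
    free(copy);
    return count;
}

/* AFTER: the length is checked against the buffer before any copy,
 * 'copy' is released on every path, and 'count' is initialized.
 * Returns the label length, -1 if allocation fails, or -2 when the
 * name (plus its terminating NUL) would not fit in the buffer. */
int label_length_fixed(const char *name)
{
    char label[LABEL_MAX];
    int count = 0;
    size_t len = strlen(name);
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, name, len + 1);
    if (len >= sizeof label) {    /* would overflow: reject, do not truncate */
        free(copy);
        return -2;
    }
    memcpy(label, copy, len + 1);
    count = (int)strlen(label);
    free(copy);
    return count;
}

int main(void)
{
    /* Only the fixed version is exercised here; the buggy one is kept
     * for reading and for the analyzer to report on. */
    printf("%d\n", label_length_fixed("banking-app"));                /* 11 */
    printf("%d\n", label_length_fixed("a-name-longer-than-sixteen")); /* -2 */
    return 0;
}
```

On the command line the same analyzer runs as `clang --analyze <file>.c` and reports the leak and the uninitialized return in the buggy function without executing it.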

Dynamic Analysis

Dynamic analysis refers to the technique of assessing applications during execution. There are several tools provided by Apple for this purpose. The two main tools that we will be discussing in this article are Instruments and Shark. You can find a detailed description of these and other tools here: http://developer.apple.com/iphone/library/documentation/Performance/Conceptual/PerformanceOverview/PerformanceTools/PerformanceTools.html.

Instruments

The Instruments tool was introduced in Mac OS X v10.5. It provides a set of powerful tools to assess the runtime behavior of the application. This tool can be compared with the Sysinternals tools (http://technet.microsoft.com/en-us/sysinternals/default.aspx) used for thick client testing on the Windows platform, such as Diskmon, Procmon, Netmon etc. It could be

Figure 15. Results from the analyzer

Figure 16. Use of different instruments

Page 9: PenTest Extra 3/2011 - Mobile Pentesting

MOBILE PENTESTING


Is That A Phone In Your Pocket Or Are You Scanning My Network?

When most people think of penetration testing, they think of a simulated external attack where the tester tries to break into a network remotely. Companies focus most of their security spending and policies on keeping hackers from the outside in, with firewalls and other security hardening appliances, software and tools. However, given the proliferation of mobile devices in the workplace and the use of Wi-Fi networks inside an office, attacking from inside the network provides unique opportunities. Smartphones have become much more powerful over the past few years, with powerful processors and a plethora of hardware at your fingertips. Combine this power in a compact unit with the right apps and you can scan a network from the inside in seconds, along with several other new types of attacks and information gathering.

Mobile devices have accelerated productivity as they move to replace many of the other devices we used to carry, in a small package. Most phones have Wi-Fi capability, cameras, mass storage capability and a persistent internet connection via 3G and 4G, and they allow a wide number of applications and, if rooted, provide many of the same tools as a computer, but with more hardware and network capabilities. These conveniences also carry over to make them a very powerful tool to use in penetration tests, more powerful I would argue than a laptop, as a mobile device can be easily hidden on your person, or inside an office building.

Most organizations spend a great deal of money and time focusing on protecting their networks from outside threats, making sure the hackers outside cannot get in. However, security inside the network is generally lacking, both physical security and network security. Security is generally more relaxed inside an office because of the

Figure 1. An ordinary cell phone can be a powerful tool

Page 10: PenTest Extra 3/2011 - Mobile Pentesting

INTERVIEW


Interview with Gary McGraw

Gary McGraw is a globally recognized authority on software security and the author of eight bestselling books on this topic. His titles include „Software Security”, „Exploiting Software”, „Building Secure Software”, „Java Security”, „Exploiting Online Games”, and 6 other books. He is editor of the Addison-Wesley Software Security series. Gary is the Chief Technical Officer at Cigital, Inc., a software security consulting firm with headquarters in the Washington, D.C. area and offices throughout the world.

You have a tremendous amount of expertise in software security. Now that software is transforming into web applications, thanks to cloud computing, what are some of the new challenges web applications face compared to traditional software applications?

Gary McGraw: I think cloud computing certainly adds a new wrinkle into the software security problem. But I don’t think it adds the wrinkle only through web applications. And in fact, at least in North America, one of the problems in software security is an over-focus on web applications, where people come to think that the only problems in software security have to do with cross-site scripting and cross-site request forgery and so on. When in fact there are a lot more interesting kinds of software security problems that happen all over the place. Now turning to cloud, the issue with cloud is interesting, because a lot of small and medium-sized businesses are going to end up with the better security situation from an operational perspective, if they make use of cloud services from big organizations that know what they are doing, for example Amazon, or Google, or Microsoft. That is, Amazon, Google, and Microsoft can run servers a lot better than most small and medium-sized businesses can, and they will run them in a more secure fashion. The problem is when these businesses build applications on top of the cloud services – they are going to mess things up from a security perspective. And so I think that cloud really opens up this notion of distributed applications and the importance of building distributed applications in a secure fashion. We’ve already seen a lot of talk about this, especially from the cloud providers, who know that they’re kind of leaving their customers with a lot of risk if they allow them to design and build their own applications in the cloud. I think it’s going to be a

Page 12: PenTest Extra 3/2011 - Mobile Pentesting

HACKING WITH SMARTPHONE


Next Generation Penetration Testing

Over the last couple of years, cellular phones have become increasingly advanced, with more memory, processing power and file storage available. Until recently, laptops have always been the preferred choice of mobile penetration testing platform, but with the smartphones available today, being faster than ever before, they are also becoming a good choice, at least for some attack vectors.

The primary reason for using a cellular device over a laptop is mainly that almost every person in the world owns one, making it a common device seen in daily life. Many people own stationary and mobile computers too, but these are larger and might therefore raise suspicion, compared to a person appearing to be sending text messages or making a call.

A smartphone is generally not yet seen as an object that could potentially be dangerous, compared to a laptop, which looks more like a real computer, even though a lot of smartphones can now do just as much damage in the same amount of time as a laptop. There are, however, other pros and cons to using a smartphone, some of which are screen size, battery life, ease of use, and level of suspicion.

One particular thing that makes smartphones a bad choice is customized penetration testing, where a lot of fuzzing and exploit development is being done. This may require reading through hundreds of lines of code, writing long scripts and extensive testing, for which a mobile (laptop) or stationary computer is generally more suited.

What Makes A Smartphone The Perfect Mobile Device Then?

The best example would be a wireless network that is only reachable very close to the building where the target company is based. Long range antennas could be used, but sitting in a car or walking around outside with a laptop and a large antenna will definitely raise suspicion and may alert the target company. In some countries the legal authorities will actually stop people if they are seen with this type of equipment, due to the paranoia about hackers and poor wireless implementations.

Walking around with a smartphone, on the other hand, is a common sight that is not even seen as a potential threat, making it easier in some cases to perform reconnaissance and possible exploitation of a target network, either open or encrypted.

If a person is taking pictures with the smartphone though, this may actually raise suspicion as it is not

Figure 1. NeoPwn Control Panel

Page 14: PenTest Extra 3/2011 - Mobile Pentesting

DATA PROTECTION


Achieving Better Outcomes

Cloud computing and mobility solutions are quickly becoming a fundamental part of information technology. Traditional networks have also been evolving to accommodate changes across a broad spectrum; from wireless networks to Voice over IP (VoIP) telephony, and integrations to payment gateways to settle financial transactions. The perimeter of the network is no longer defined. The internal network is not secure. What was once an internal application, and thought to be secured from harm by perimeter security controls, may now be exposed to the internet and accessible online. The mobility and cloud computing revolution will only exacerbate the rate at which internal systems become publicly accessible.

Along with the great benefits associated with developments in technology, risks follow, because complex environments are never immune to security flaws. As the internet population grows at an exponential rate, there is an incredibly large pool of (miscreant) talent looking for opportunities to identify vulnerabilities to exploit.

Accordingly, organisations are faced with the task of ensuring that their information security management capability is robust, comprehensive and able to meet the ongoing demands of compliance and regulation. And to do this, organisations need to adopt a risk and data centric approach to security rather than looking at systems in isolation. In particular, it should be clear what is being protected, and what the implications of a security breach are. Many organisations struggle to identify what their sensitive data is, where it is and who has access to it. Along with a number of activities in the information security management lifecycle, penetration testing plays a vital role.

Penetration Testing – What is it?

Penetration testing includes a series of activities (see the Methodology section) with the objective of determining the current technical security posture.

The effectiveness of protective controls is evaluated, which can in turn be used to deduce the effectiveness of detective and responsive controls. Furthermore, this testing can identify opportunities for improvement in information security governance.

For example, the findings may identify areas in application development where security was lacking, or possibly where inadequate diligence in change management has resulted in insecure settings being enabled on systems, which may have resulted in, or contributed to, a compromise.

Why do it?

„Foolproof systems don’t take into account the ingenuity of fools.” – Gene Brown.

Society’s reliance on information technology has been increasing over time. The market is demanding instant access to data and the ability to interact. As supply must meet demand, organisations that wish to participate in market dynamics have seen rapid changes to the profile of their networks and applications (systems).


Page 16: PenTest Extra 3/2011 - Mobile Pentesting

DATA PROTECTION


Getting To Know Yourself Before The Others Do

With multi-tier network architectures, web services, custom applications, and heterogeneous server platform environments, keeping data and information assets secure is more difficult than ever. Coupled with this added complexity is the fact that criminal organizations have organized their hacking efforts; it is no longer just “script kiddies” trying to break into your network.

In the past several years, it has become apparent that there is real money to be made from criminal hacking, and identity theft is one of the world’s fastest growing problems. Although there are many ways to secure systems and applications, the only way to truly know how secure you are is to test yourself. By performing penetration tests against your environment, you can actually replicate the types of actions that a malicious attacker would take, giving you a more accurate representation of your security posture at any given time. Although most penetration testing methods have traditionally been somewhat ad hoc, that has changed in the last several years. Robust, repeatable testing methodologies now exist, and high quality commercial tools can be implemented to ensure that both testing parameters and results are high-quality and trustworthy.

What is Pen-Testing?

Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access. If the focus is on computer resources, then examples of a successful penetration would be obtaining or subverting confidential documents, pricelists, databases and other protected information.

The main thing that separates a penetration tester from an attacker is permission. The penetration tester will have permission from the owner of the computing resources that are being tested and will be responsible for providing a report. The goal of a penetration test is to increase the security of the computing resources being tested.

In many cases, a penetration tester will be given user-level access, and in those cases the goal would be to elevate the status of the account or use other means to gain access to additional information that a user of that level should not have access to.

Some penetration testers are contracted to find one hole, but in many cases they are expected to keep looking past the first hole so that additional vulnerabilities can be identified and fixed. It is important for the pen-tester to keep detailed notes about how the tests were done so that the results can be verified and so that any issues that were uncovered can be resolved.

It’s important to understand that it is very unlikely that a pen-tester will find all the security issues. As an example, if a penetration test was done yesterday, the organization may pass the test. However, if today is Microsoft’s Patch Tuesday, there may now be a brand new vulnerability in some Exchange mail servers that were previously considered secure, and next month it will be something else. Maintaining a secure network requires constant vigilance.

Pen-Testing vs. Vulnerability Assessment

The main focus of this article is penetration testing, but there is often some confusion between penetration

Page 18: PenTest Extra 3/2011 - Mobile Pentesting

PERSONAL SECURITY


The Hacker, the Merchant and the Online Heist

The trading of compromised credit cards in the underground economy has reached epidemic proportions. As the bar to becoming an online merchant gets ever lower, hackers find easy prey for obtaining these coveted credentials. The underground economy provides script kiddies with the tools to obtain cards, further fueling the ongoing trade.

In April 2010, Palo Alto-based start-up Blippy, which allows its users to share their credit card transactions, came under scrutiny when Mashable revealed that it had allowed Google to index the transactions of four members, with full credit card details. The Internet stirred with controversy, and Blippy published an apology on their blog. The unauthorized publication of credit card details and other personally identifiable information should never be taken lightly, and any organization that does so should be held accountable. What was interesting, however, was the reaction that came about from the publication of just four credit cards. After all, MILLIONS of stolen credit cards are being traded in online underground communities every day. In fact, there is such an ample supply of stolen cards that the basic credentials (which include more data than was leaked in the Blippy case) are being offered for sale for around $1.50 each, with prices going even lower for those who purchase in bulk.

Even the more sophisticated credit card records are in ample supply. In the TJ Maxx compromise alone 45.7 million credit and debit cards were stolen, and TJ Maxx wasn’t the only organization to get compromised. However, obtaining such credentials requires a highly sophisticated hacker, such as Albert Gonzalez, an ex-informant for the United States Secret Service who was later associated with the TJ Maxx and Heartland data breaches. Obtaining the most basic type of credit card records, CVV2s in fraudster terminology, is script kiddie’s play. These records, which include the victim’s name, address, card number, expiration date and CVV2, are obtained from compromised online merchants, or “shopadmins” in fraudster terminology.

Many online merchants, mostly the smaller ones, use off-the-shelf shopping cart software (the backend system) and not something custom-made. As with any software, vulnerabilities are uncovered over time, and get patched with every update that comes out. However, small merchants are often less savvy about security and likely believe they are not a lucrative target for the cybercrime trade. Therefore, it is often not a priority for them to perform basic security measures such as implementing the updates offered by the shopping cart software vendor.

Script kiddies, following tutorials found in underground forums, search for certain keywords in search engines to identify merchants using certain shopping cart software brands that have known vulnerabilities. Then all it takes is to go through the search results, find a merchant that uses the shopping cart software version with the vulnerability, and follow the next steps to exploit it – gaining administrative access to the store. Once logged in as an administrator, the attackers copy the transaction history, which includes the billing information of the store’s customers. Once the attackers have ravaged through the customer data, they either continue to tap

Page 19: PenTest Extra 3/2011 - Mobile Pentesting

HACKING WITH ANDROID


Beginning with reconnaissance, the Android device can already document the target environment with still/video cameras and audio

capture. Try not to look like a tourist when on a site safari. A pen tester can document a lot by leaving the device in a pocket or from a casually hanging hand.

The Wifi Analyzer application will have the pen tester scanning the air for possible access points. Sometimes there is an open or rogue access point. Even if the target has no entry points, there may be other access points in the surrounding area where the target’s employees connect. If the pen tester can sniff out an access point, so can the employees, and sure enough they will attempt to connect.

Enumeration and Scanning

Should the pen tester gain entry to a network, they can begin enumeration and scanning. Network mapping applications, such as Network Discovery, show what else is on the network, while port scanners can begin identifying devices and possible ports of entry. Network traffic sniffers like Shark for Root monitor and record network traffic for evaluation on-site or back at the lab.
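From the defender's side, the two activities just described leave a recognisable trace: a device nobody inventoried takes a DHCP lease and then touches many ports on one host in a few seconds. The following is an added example written for this article (it is not code from the article or from any of the tools it names); the DHCP and firewall log formats, the MAC inventory, the sample lines and the thresholds are all assumptions made for the demonstration.

```python
"""Spot an uninventoried device joining the LAN and sweeping ports.

Added example for this article, not the article's own code. Log formats,
the MAC inventory, the constructed log lines and the thresholds are assumed;
adapt them to your own DHCP server and firewall.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed inventory of corporate devices (MAC addresses).
KNOWN_MACS = {"00:16:3e:aa:bb:01"}

# Constructed DHCP lease lines (dnsmasq-like format, assumed).
DHCP_LOG = """\
2011-11-02 09:00:01 DHCPACK(eth0) 10.0.0.21 00:16:3e:aa:bb:01 print-01
2011-11-02 09:02:13 DHCPACK(eth0) 10.0.0.77 8c:3a:e3:12:34:56 android-2f9a
"""

# Constructed firewall lines (format assumed): 10.0.0.77 touches twelve ports
# on 10.0.0.5 within two seconds; 10.0.0.21 touches two service ports, which
# is ordinary traffic for a printer.
FW_LOG = "\n".join(
    [f"2011-11-02 09:02:3{i // 6} DROP src=10.0.0.77 dst=10.0.0.5 dport={p}"
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 139, 143, 443, 445, 3389, 8080])]
    + ["2011-11-02 09:05:00 ACCEPT src=10.0.0.21 dst=10.0.0.5 dport=445",
       "2011-11-02 09:05:01 ACCEPT src=10.0.0.21 dst=10.0.0.5 dport=9100"]
)

DHCP_RE = re.compile(r"^(\S+ \S+) DHCPACK\(\S+\) (\S+) (\S+) (\S+)$")
FW_RE = re.compile(r"^(\S+ \S+) (DROP|ACCEPT) src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_leases(text):
    """Return {ip: (mac, hostname)} from DHCPACK lines."""
    leases = {}
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            _, ip, mac, host = m.groups()
            leases[ip] = (mac.lower(), host)
    return leases


def unknown_hosts(leases, known_macs=KNOWN_MACS):
    """IPs leased to MAC addresses that are absent from the inventory."""
    return sorted(ip for ip, (mac, _) in leases.items() if mac not in known_macs)


def parse_fw(text):
    """Return [(timestamp, src, dst, dport)] from firewall lines."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, _, src, dst, port = m.groups()
            events.append((parse_ts(ts), src, dst, int(port)))
    return events


def port_sweeps(events, window=timedelta(seconds=10), min_ports=10):
    """Return {src: (dst, distinct_ports)} for sources that hit at least
    min_ports distinct ports on one destination inside a sliding window."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))
    hits = {}
    for (src, dst), items in by_pair.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            ports = {p for ts, p in items[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                hits[src] = (dst, len(ports))
                break
    return hits


def alerts(dhcp_text=DHCP_LOG, fw_text=FW_LOG):
    """Correlate the two signals into human-readable alert strings."""
    leases = parse_leases(dhcp_text)
    unknown = unknown_hosts(leases)
    sweeps = port_sweeps(parse_fw(fw_text))
    out = []
    for ip in unknown:
        mac, host = leases[ip]
        msg = f"unknown device {ip} ({mac}, '{host}') joined the LAN"
        if ip in sweeps:
            dst, n = sweeps[ip]
            msg += f" and swept {n} ports on {dst}"
        out.append(msg)
    for ip, (dst, n) in sweeps.items():
        if ip not in unknown:
            out.append(f"known device {ip} swept {n} ports on {dst}")
    return out


if __name__ == "__main__":
    for a in alerts():
        print(a)
```

The sliding window is what keeps this useful on a real network: a printer that talks to two ports over an hour never trips it, while a phone that walks a dozen ports in two seconds does. Tune `window` and `min_ports` against your own baseline before alerting on them.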

If the pen tester is still on the outside of the network, or focusing on an external or web app test, Tenable offers a client for Android to control a remote Nessus scanner.

While the scanner itself is not on the device, the pen tester can start scans and review reports remotely on the Android device. The pen tester can also lure the target’s employees to a faux Wi-Fi hotspot by using a tethering tool such as Quick Settings and configuring the SSID to Free Airport WIFI, Coffee House WIFI, or similar. When employees connect looking for a non-work network, monitor the traffic just as you would on the target’s internal network. Utilize the network sniffers or session hijack tools like DroidSheep to collect more information about the employees of the target.

Exploitation

When the pen tester is ready to dig a little deeper and begin exploitation, Telnet apps and shell apps like ConnectBot are a good place to start. If a pen tester really wants to go to town from the Android OS mobile device, Android Network Toolkit (Anti) from Zimperium will do everything from monitoring to exploiting targets.

Prevention

If a penetration tester can gain access and exploit vulnerabilities to a network, so can people of malicious intent. Safeguards should be in place to protect networks and systems from the tools and techniques mentioned.
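One concrete safeguard against the faux-hotspot lure described above is to watch the air yourself and flag access points that either impersonate the corporate SSID or advertise an open network with a bait-style name. The following is an added example for this article (not code from the article, from Wifi Analyzer or from any other named tool); the scan record format, the corporate SSID/BSSID inventory, the constructed scan lines and the lure-word heuristic are assumptions made for the demonstration.

```python
"""Flag evil-twin and lure-style access points in a Wi-Fi scan.

Added example for this article, not the article's own code. The scan record
format (SSID,BSSID,channel,security), the authorised-BSSID inventory, the
constructed records and the lure-word list are all assumptions.
"""
import re

# Assumed inventory: corporate SSIDs and the BSSIDs authorised to broadcast them.
AUTHORISED = {
    "corp-wifi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}

# Constructed scan records (format assumed). The third line is a look-alike
# of the corporate SSID from an unknown radio; the next two are bait names.
SCAN = """\
corp-wifi,00:11:22:33:44:01,6,WPA2
corp-wifi,00:11:22:33:44:02,11,WPA2
corp-wifi,8c:3a:e3:12:34:56,1,OPEN
Free Airport WIFI,8c:3a:e3:12:34:57,1,OPEN
Coffee House WIFI,02:00:00:aa:bb:cc,6,OPEN
neighbour-net,d4:ca:6d:00:00:01,11,WPA2
"""

# Words that commonly appear in bait hotspot names (assumed heuristic list).
LURE_WORDS = re.compile(r"\b(free|guest|public|airport|coffee|hotel)\b", re.I)


def parse_scan(text):
    """Return a list of dicts, one per access point record."""
    rows = []
    for line in text.splitlines():
        ssid, bssid, chan, sec = line.split(",")
        rows.append({"ssid": ssid, "bssid": bssid.lower(),
                     "channel": int(chan), "security": sec.upper()})
    return rows


def classify(ap, authorised=AUTHORISED):
    """Return the findings for one access point (empty list = nothing to flag)."""
    findings = []
    if ap["ssid"] in authorised:
        # Corporate SSID: only the inventoried radios may broadcast it,
        # and never without encryption.
        if ap["bssid"] not in authorised[ap["ssid"]]:
            findings.append("evil-twin: corporate SSID from unauthorised BSSID")
        if ap["security"] == "OPEN":
            findings.append("corporate SSID advertised without encryption")
    elif ap["security"] == "OPEN" and LURE_WORDS.search(ap["ssid"]):
        # Foreign open network with a bait-style name: a triage signal only.
        findings.append("open network with lure-style name")
    return findings


def rogue_report(text=SCAN, authorised=AUTHORISED):
    """Map BSSID -> findings for every access point that triggered a check."""
    report = {}
    for ap in parse_scan(text):
        findings = classify(ap, authorised)
        if findings:
            report[ap["bssid"]] = findings
    return report


if __name__ == "__main__":
    for bssid, findings in rogue_report().items():
        print(bssid, "->", "; ".join(findings))
```

The evil-twin check is the strong signal, because it compares against an inventory you control; the lure-name check is only a prompt to go and look, since a genuine coffee shop next door will trip it too. Feed the scanner's export into `parse_scan` on a schedule and alert on new BSSIDs in the report rather than on every run.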

Pen Testing From an Android Mobile Device

Android OS devices are now powerful enough to become useful in penetration testing. While laptops, desktops, and home labs will provide the power to fully evaluate a client, Android devices offer portability and a low profile useful to pen testers. There are even versions of BackTrack Linux rolling out to mobile devices. Such devices, and a very active developer community, add to the pen tester’s tool kit and/or become a security officer’s woe.

This is not a guide on using software packages. For further how-to’s please visit the developer’s website(s). Also, some of the mentioned apps may require a rooted device. Modify your device’s OS at your own risk.

Page 20: PenTest Extra 3/2011 - Mobile Pentesting

MOBILE ATTACKS


As a security professional, it’s my job to know – not guess – the exact risks that devices pose to an organization’s network. I’m in a constant race to help others understand mobile device security risks before it’s too late. In my experience, the easiest way to demonstrate risk is to show just how easy it is to actually exploit and extract data from devices with others looking over my shoulder.

Hackers Target Mobile Devices

It’s no surprise that mobile devices are an attractive target for hackers. They are powerful little computers that encourage users to store important data and information locally and on apps. Unfortunately, many users make the mistake of thinking that their devices are secure simply because they don’t have wires coming out of them.

Knowing the risks that mobile devices pose, it’s hard not to become the “no” man. I know first-hand how tempting it is to say no to users requesting access to corporate email and file shares on a growing number of diverse devices. There’s simply too much risk. What makes it even harder is saying no without being able to demonstrate how devices can expose users and organizations to the risk of data theft and corruption, which certainly doesn’t help one’s reputation.

And let’s face it, reputation counts. I love the IT Crowd as much as the next guy, but I want to be seen as a business enabler. I have spent a lot of time proving to business executives that baking security into initiatives early can lead to a smoother project. Not security for the sake of it, but security that helps ensure the system is more stable and reliable. I don’t want to undo the hard work of understanding the critical goals of the business groups just to turn around and say no to every mobile request that comes in.

Criteria for Testing Mobile Devices

I’ve gotten smart about mobile device security and I’ve established criteria by which the security of any mobile device can be physically tested. This isn’t a paper exercise, but an actual attempt to break into devices and extract data.

The fun part is performing tests in front of device owners. Nothing says permission to exploit like having them click on the link!

The criteria can be boiled down to two categories:

• How easily is the business able to control the device and the data on it?

• How easily is an attacker able to control the device and the data on it?

Business control is fairly straightforward. If an organization can’t remotely configure, update or wipe the device, then it is in trouble.

Are Your Devices Secure?

Mobile devices pose significant security risks for today’s organizations. Don’t believe me? In the past six months alone, I have exploited and extracted data from iPhones and iPads a few hundred times.

Page 21: PenTest Extra 3/2011 - Mobile Pentesting

In the next issue of PenTest Extra: Physical Security Access Controls

Available to download on December 15th

Soon in PenTest!
• Physical pentesting
• Network pentesting
• What is physical security?
• Implementing Security Access Control
and more...

If you would like to contact the PenTest team, just send an email to [email protected] or [email protected]. We will reply a.s.a.p.