All rights reserved
All rights reserved
All rights reserved
Advisor for information security
Expert for the implementation of security processes and policies
(ISO 27001, BS 25999, GSHB)
Leading company for technical security audits
Specialist for web application security according to ONR 17700
Independent of product manufacturers
Our customers are public authorities, financial institutions and
insurance companies in Central Europe
Sectoral orientation (defence, public, finance, industry)
SEC Consult – Who we are
3

All rights reserved
All rights reserved
All rights reserved
4
ISO/IEC 27001 Certificate
entire company within certification scope
certified since 16.01.2008

All rights reserved
All rights reserved
All rights reserved
5
SEC Consult Vulnerability Lab
European leading research lab for
the identification of
vulnerabilities and the analysis of
new technologies, products and
applications (security advisories)
Integral part of the education and
the further training of the security
experts at SEC Consult
Early information of our
customers due to SEC Consult
security alerts
Support of well-known manufacturers
to enhance the security of their
products
Companies and organisations SEC Consult has released security advisories for
(excerpt). For details see: http://www.sec-consult.com/72.html

All rights reserved
All rights reserved
All rights reserved
6
Who am I ? (Professional)
Pichaya Morimoto
IT Security Consultant
Certifications:
• Offensive Security Certified
Professional (OSCP)
• GIAC Web Application
Penetration Tester (GWAPT)
• Certified Ethical Hacker (CEH)
• CompTIA Security+
Published Security Advisories:
• 2014
- Privilege Escalation in Snort pfSense Package
- Wordpress TimThumb 2.8.13 WebShot RCE
- HybridAuth install.php PHP RCE
• 2015
- PHP MoAdmin 1.1.2 RCE
- Schedule Facebook Posts 1.5.6 SQL Injection
- Lime Survey Multiple Critical Vulnerabilities
• 2016
- Yeager CMS Multiple Critical Vulnerabilities
- ASUS DSL-N55U router Multiple Vulnerabilities
- LINE platform Multiple Vulnerabilities
• 2017
- Aruba AirWave 8.2.3 External Entity Injection

All rights reserved
All rights reserved
All rights reserved
7
Who am I ? (Personal)
Co-administrator of สอนแฮกเว็บแบบแมว ๆ *Former* CTF Player of Pwnladin Team
Co-administrator of 2600 Thailand Security Addict
http://thehackernews.com/2014/06/zero-day-timthumb-webshot-vulnerability.html

All rights reserved
All rights reserved
All rights reserved
8
OWASP Thailand
Meeting 3/2014
Topic: SQL Injection 101 :
It is not just about ' or '1'='1
OWASP Thailand
Meeting 5/2015
Topic: SQLi + Secure
Coding with Hands-on
OWASP Thailand
Meeting 7/2016
Topic: Security
Misconfiguration
OWASP Thailand
Meeting 2/2017
Topic: OWASP Top Ten
Proactive Controls 2016
….

All rights reserved
All rights reserved
All rights reserved
9
• Bug Bounty hunter
• Occasionally, kill bugs for free
Metasploit modules:
• exploit/multi/http/phpmoadmin_exec
• exploit/unix/webapp/hybridauth_install
_php_exec
• auxiliary/admin/http/limesurvey_file_
download
and a lot more private exploit
research and developments : )

All rights reserved
All rights reserved
All rights reserved
10
Special Contributor in LINE Security Bug Bounty Program
• https://bugbounty.linecorp.com/en/halloffame/ (2017)
• https://bugbounty.linecorp.com/en/halloffame/2016/ (2016)

All rights reserved
All rights reserved
All rights reserved
11
Today’s Objective
1. Introduction to Penetration Testing
• What is Penetration Testing ?
• Importance of Penetration Testing
• Risk, Vulnerability and Exploit
2. Understand the difference between types of security testing
• Vulnerability Assessment (VA)
• Penetration Testing
• Blackbox, whitebox and greybox
3. A quick glance at Penetration Testing methodologies
• Public guidelines
• Major activities in Penetration Testing phases
• Pre-engagement
• Engagement
• Post-engagement
4. Basic steps for attacking a target system
• Case studies

All rights reserved
All rights reserved
All rights reserved
12
Notice
The information provided in this presentation is collected from publicly
available websites and online documents.
SEC Consult have improved version of these methodologies
but it cannot be presented here due to confidentiality of our business.

All rights reserved
All rights reserved
All rights reserved
13
What is Penetration Testing? (also called Pentest)
Penetration Testing
“an authorized simulated attack on a computer system
that looks for security weaknesses, potentially
gaining access to the system's features and data.”
https://en.wikipedia.org/wiki/Penetration_test
Goal
To increase the security of the system (= network,
- application) being tested.

All rights reserved
All rights reserved
All rights reserved
14
Attack on a Computer System!
Gain access to restricted resources
• Unauthorized access to restricted data
• Cross-tenant data access between users
• From application user to administrator
• From application user to local OS user/administrator
• Break into hosts in an internal network
Identify security misconfigurations and insecure implementation
• Insecure configuration of system services and applications
• Bypass security constraints (login, OTP, access control, payment etc.)
• Missing security patches
Privacy
You need to think like the bad guys.

All rights reserved
All rights reserved
All rights reserved
15
OWASP Top 10 (WebApp)
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
(Release Candidate)

All rights reserved
All rights reserved
All rights reserved
16
Pentest a Website: The Outcome
Sample list of vulnerabilities:
• SQL injection
• Broken access control
• Bypass OTP verification
• User denial of service
• Improper use of encryption
• Stored cross-site scripting
• XML external entity injection
• Upload of arbitrary files
• Remote code execution

All rights reserved
All rights reserved
All rights reserved
Vulnerability in Standard Software
17
http://www.securityweek.com/aruba-patches-vulnerabilities-airwave-product
• Found during an internal audit
• Managed to read credentials of all APs
• Notified the vendor to fix security flaw
• Helps protect thousand of users from
cyber attacks

All rights reserved
All rights reserved
All rights reserved
18
Risk, Vulnerability and Exploit
Risk
Vulnerability
• SQL injection, cross-site scripting …
• Missing function level access control
• Insufficient network segmentation
Exploit An attempt to verify the risk by attacking
the identified vulnerability
https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology

All rights reserved
All rights reserved
All rights reserved
19
Sample Exploit Code
<< EternalBlue exploit
Blind SQL injection exploit >>

All rights reserved
All rights reserved
All rights reserved
20
Importance of Penetration Testing
• Identify vulnerabilities and security misconfigurations
• Measure the effectiveness of the existing security controls
• Identify gaps in compliance (ISO 27001, PCI DSS etc.)
• A requirement from customer, partner or company’s HQ
PCI DSS v3.2, Requirement 11.3
Requirement 11.3.1: Conduct external penetration testing at least annually or
after any significant change has occurred in organization’s environment
Requirement 11.3.2: Conduct internal penetration testing at least annually or
after any significant change has occurred in organization’s environment
Requirement 11.3.3: Exploitable vulnerabilities identified during testing shall be
corrected and testing shall be repeated to verify corrections
Requirement 11.3.4: Perform network segmentation testing to validate
if segmentation controls and methods are effective and operational

All rights reserved
All rights reserved
All rights reserved
21
Who should conduct Pentest for your system?
Someone within the company that uses the system
• IT support, network / system engineer
• Programmer, software tester
Hire IT security specialist into the company
• Security engineer
• Penetration tester
External security consultant firms
• Penetration tester
• SEC Consult (｡◕‿◕｡)
PCI DSS Penetration Testing Guidance:
Qualified internal resources or a qualified third party may perform the penetration test
as long as they are organizationally independent. This means the penetration tester
must be organizationally separate from the management of the target systems.

All rights reserved
All rights reserved
All rights reserved
22
My Experience on Security Certificates

All rights reserved
All rights reserved
All rights reserved
23
Checkpoint #1
ü What is Penetration Testing? (also called Pentest)
ü Attack on a Computer System!
ü OWASP Top 10 (WebApp)
ü Pentest a Website: The Outcome
ü Vulnerability in Standard Software
ü Risk, Vulnerability and Exploit
ü Sample Exploit Code
ü Importance of Penetration Testing
ü Who should conduct Pentest for
your system?
ü My Experience on Security Certificates

All rights reserved
All rights reserved
All rights reserved
24
I want a Pentest
https://twitter.com/coffeetocode/status/794593057282859008

All rights reserved
All rights reserved
All rights reserved
25
Vulnerability Assessment (VA)
Network VA scanners
• Nexpose
• Nessus
• Qualys
WebApp VA scanners
• Acunetix
• IBM AppScan
• HP WebInspect

All rights reserved
All rights reserved
All rights reserved
26
Types of Penetration Testing
Blackbox Pentest
• IP in the scope
Greybox Pentest
• App user, VPN user
• User manual
Whitebox Pentest
• Source code
• SSH and/or RDP access
• Network diagram
• Detailed documents

All rights reserved
All rights reserved
All rights reserved
27
Blackbox Pentest in Action
Hack Me Please.

All rights reserved
All rights reserved
All rights reserved
28
Methodologies and Standards
• OWASP Testing Guide ***
• Open Source Security Testing Methodology Manual (OSSTMM)
• Penetration Testing Execution Standard (PTES)
• PCI DSS Penetration Testing Guidance ***
• NIST Guideline on Network Security Testing (special publ. 800-42)
• NIST SP800-115 : Technical Guide to Information Security Testing
and Assessment (NIST Special Publication 800-115)
• OWASP Top Ten (Wep App / Mobile App) ***
• CWE/SANS Top 25 Most dangerous software errors ***
• Durchfuehrungskonzept fuer Penetrationstests (BSI - Germany)
• ÖNORM A 7700 (standard for webapp security in Austria)

All rights reserved
All rights reserved
All rights reserved
29
Checkpoint #2
ü I want a Pentest
ü Vulnerability Assessment (VA)
ü Types of Penetration Testing
ü Blackbox Pentest in Action
ü Methodologies and Standards

All rights reserved
All rights reserved
All rights reserved
30
Activities in a Penetration Testing Project
1) Pre-engagement
2) Engagement
3) Post-engagement
• Schedule
• Scoping
• Rules of engagement
• Formal permission
• Contract points
• Penetration Testing
• Reporting
• Remediation
• Retesting identified vulnerabilities
• Cleaning up the Environment

All rights reserved
All rights reserved
All rights reserved
31
Pre-engagement: The Boring Stuff
• Scoping
• Success Criteria
• Target systems
• Documentation
• User credentials
• Network diagram
• Formal permission to attack
• Identified vulnerabilities in the past
• Rules of engagement
• Schedule, time window
• Method of communication
• Contact points
• Disable IPS, WAF?
• How to handle sensitive data?
• Systems that may have issues with security scanners?
• List of all IP addresses from which testing will originate?

All rights reserved
All rights reserved
All rights reserved
32
Engagement: The Five Phases of Hacking
1. Reconnaissance
• Passive info. gathering
2. Scanning
• Active info. gathering
• Host discovery
• Port scan
• VA scan
3. Gaining Access
• Exploit the vulnerability
4. Maintaining Access
5. Covering Tracks

All rights reserved
All rights reserved
All rights reserved
33
Engagement: Reconnaissance (Passive)
Passive information gathering:
• The information obtained from the customer
• Open source intelligence (OSINT)
• Company websites
• Search engine (Google, Bing)
• Social media (Facebook, Twitter, Linkedin)
• Qualification in recruitment sites (jobsdb)
• Software vendor
• Web footer, HTML comments, credit in CSS/JS files
• Metadata from publicly available files
• DOC, XLT, PDF, JPG
• Email, email headers
• Physical locations, list of employees
• The customer in news

All rights reserved
All rights reserved
All rights reserved
34

All rights reserved
All rights reserved
All rights reserved
35

All rights reserved
All rights reserved
All rights reserved
36
Engagement: Scanning (Active)
Automated tools or manual:
• Interact with the system
• Host discovery (nmap)
• Port scan (nmap)
• Network sniffing (Wireshark)
• Social engineering (phone call, phishing email)
• Vulnerability scan (Nessus, Nexpose)
On-site information gathering:
• Physical security inspections
• Wireless scanning
• Accessible facilities
• Dumpster driving
• Types of equipment in use

All rights reserved
All rights reserved
All rights reserved
37
$ sudo nmap 192.168.99.101
$ sudo nmap -Pn -n -p 1-65535 192.168.99.101 --open -sV -O

All rights reserved
All rights reserved
All rights reserved
38

All rights reserved
All rights reserved
All rights reserved
39

All rights reserved
All rights reserved
All rights reserved
40
Checkpoint #3
ü Activities in a Penetration Testing Project
ü Pre-engagement: The Boring Stuff
ü Engagement: The Five Phases of Hacking
ü Engagement: Reconnaissance (Passive)
ü Google
ü Shodan
ü Engagement: Scanning (Active)
ü Nmap
ü Nessus
[… To be continued…]
• Engagement: Gaining Access
• Post-engagement: …

All rights reserved
All rights reserved
All rights reserved
41
Engagement: Gaining Access (Sample Vulnerabilities)
Attack application layer
Attack network layer
• SQL injection
• Insecure data storage
• Broken authentication
• Broken session management
• Lack of network segmentation
• Missing ARP spoofing detection
• Missing SYN flood attack detection
• Weak wireless encryption

All rights reserved
All rights reserved
All rights reserved
42
Engagement: Exploitation
Check all the open ports
- UDP/TCP

All rights reserved
All rights reserved
All rights reserved
46
Post-engagement: Reporting Guideline
• Executive Summary
• Brief high-level summary of the penetration test scope
and major finding
• Statement of Scope
• Statement of Methodology
• Statement of Limitations
• Testing Narrative
• Document any issues encountered during testing
• Segmentation Test Results
• Finding
• Risk raking/severity of each vulnerability
• Description of finding
• Tools Used
• Cleaning up the Environment Post-penetration Test
• Provide directions on how clean up should be performed
PCI DSS – Penetration Testing Guidance

All rights reserved
All rights reserved
All rights reserved
48
@app.route('/', methods=['GET', 'POST'])
def upload_file():
if request.method == 'POST':
if 'file' not in request.files:
flash('No file part')
return redirect(request.url)
file = request.files['file']
raw_content = file.read()
content = yaml.load(raw_content)
return yaml.dump(content)
yaml.load()

All rights reserved
All rights reserved
All rights reserved
53
3rd party
Mobile
App
3rd party
Dispatcher
Server
3rd party
DB/Auth
Server
POST /userInfo
Host: 3rdparty
token=
<3rdparty-token>
POST /userInfo
Host: customer
userId=1234
Internet
Data for the
authorized user
(1234)
Critical
Systems
Isolated Network

All rights reserved
All rights reserved
All rights reserved
Critical
Systems
Isolated Network
54
3rd party
Mobile
App
3rd party
Dispatcher
Server
3rd party
DB/Auth
Server
POST /userInfo
Host: 3rdparty
token=
<3rdparty-token>
&aaa=bbb
POST /userInfo
Host: customer
userId=1234&aaa=bbb
Internet
Data for the
authorized user
(1234)

All rights reserved
All rights reserved
All rights reserved
Critical
Systems
Isolated Network
55
3rd party
Mobile
App
3rd party
Dispatcher
Server
3rd party
DB/Auth
Server
POST /userInfo
Host: 3rdparty
token=
<3rdparty-token>
&userId=1235
POST /userInfo
Host: customer
userId=1234&
userId=1235
Internet
Data for the
authorized user
(1235)

All rights reserved
All rights reserved
All rights reserved
57
How to become a Penetration Tester?
My Path:
- Join security communities in Thailand
(2600 Thailand, OWASP Thailand Chapter, TISA, CITEC)
- Practice.. practice.. and practice !
- Share what you learn !
- Join the hacking competitions
+ Capture the Flag games

All rights reserved
All rights reserved
All rights reserved
60
Contact
GERMANY
SEC Consult Unternehmensberatung Deutschland GmbH
Bockenheimer Landstraße 17-19
60325 Frankfurt / Main
Tel +49 69 175 373 43 | Fax +49 69 175 373 44
Email office-frankfurt@sec-consult.com
AUSTRIA
SEC Consult Unternehmensberatung GmbH
Mooslackengasse 17
1190 Vienna
Tel +43 1 890 30 43 0 | Fax +43 1 890 30 43 15
Email office@sec-consult.com
LITHUANIA
UAB Critical Security, a SEC Consult company
Sauletekio al. 15-311
10224 Vilnius
Tel +370 5 2195535
Email office-vilnius@sec-consult.com
RUSSIA
CJCS Security Monitor
5th Donskoy proyezd, 15, Bldg. 6
119334, Moscow
Tel +7 495 662 1414
Email info@securitymonitor.ru
SINGAPORE
SEC Consult Singapore PTE. LTD
4 Battery Road
#25-01 Bank of China Building
Singapore (049908)
Email office-singapore@sec-consult.com
CANADA
i-SEC Consult Inc.
100 René-Lévesque West, Suite 2500
Montréal (Quebec) H3B 5C9
Email office-montreal@sec-consult.com
AUSTRIA
SEC Consult Unternehmensberatung GmbH
Komarigasse 14/1
2700 Wiener Neustadt
Tel +43 1 890 30 43 0
Email office@sec-consult.com
THAILAND
SEC Consult (Thailand) Co.,Ltd.
29/1 Piyaplace Langsuan Building 16th Floor, 16B
Soi Langsuan, Ploen Chit Road
Lumpini, Patumwan | Bangkok 10330
Email office-vilnius@sec-consult.com
www.sec-consult.com

Pentest 101 @ Mahanakorn Network Research Laboratory

Recommandé

Recommandé

Contenu connexe

Similaire à Pentest 101 @ Mahanakorn Network Research Laboratory

Similaire à Pentest 101 @ Mahanakorn Network Research Laboratory (20)

Plus de Pichaya Morimoto

Plus de Pichaya Morimoto (12)

Dernier

Dernier (20)

Pentest 101 @ Mahanakorn Network Research Laboratory